2025-02-25 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article is about how to bypass the XSS detection mechanism of a WAF. The editor thinks it is very practical, so I am sharing it with you to learn from. I hope you get something out of it after reading.
Overview
This paper presents a new method for bypassing XSS protections, consisting of three stages: determining the structure of the payload, detection, and obfuscation. First, several different payload structures are chosen for the given context so that the tests cover as much ground as possible. Next comes detection: a series of test strings is sent according to the protection the target has in place, and the target's responses are analysed so that assumptions about the filter can be made from the results. Finally, based on that analysis, the payload is either obfuscated or its structure is adjusted.
Introduction
XSS is one of the most common vulnerabilities in Web applications. Site operators can prevent XSS by filtering user input, encoding output according to its context, using the DOM correctly, enforcing a cross-origin resource sharing (CORS) policy, and applying other security policies. Although many techniques exist to prevent XSS attacks, Web Application Firewalls (WAFs) and custom input filters are the most widely deployed, and many vendors rely on them to block new XSS attack vectors. Although WAF vendors are experimenting with machine learning, string matching based on regular expressions is still the most widely used detection technique.
This article presents a new method of constructing XSS payloads that bypasses protections based on regular-expression matching.
HTML context
When user input is reflected into the HTML code of a Web page, we call this the HTML context. It can be further divided according to where in the markup the input lands:
1. Inside a tag:
2. Outside a tag: You entered $input
Outside a tag
In this context, each payload injects an element of its own, which the browser renders with the visible text "click".
Bypass technique: non-whitespace padding
WAF name: Wordfence
Payload: click
Bypass technique: numeric character encoding
WAF name: Barracuda
Payload: click
Bypass technique: numeric character encoding
WAF name: Akamai
Payload: click
Bypass technique: event handler missing from the blacklist, combined with an obfuscated function call
WAF name: Comodo
Payload: click
Bypass technique: event handler missing from the blacklist, combined with an obfuscated function call
WAF name: F5
Payload: click
Bypass technique: event handler missing from the blacklist, combined with an obfuscated function call
WAF name: ModSecurity
Payload:
Bypass technique: tag or event handler missing from the blacklist
WAF name: dotdefender
Payload:
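The following is an added example, not code from the original article or from any of the WAF vendors named above. It puts a naive regex rule, written in the style of a string-matching filter, beside a detector that first parses the injected tag the way a browser's tokenizer does (a reduced version of the WHATWG start-tag states, in which a stray "/" before an attribute name is skipped, and numeric character references in attribute values are decoded). The rule, the function names and the sample payloads are assumptions made for this demonstration; the samples mirror the bypass classes listed above (non-whitespace padding, numeric character encoding, a handler missing from the blacklist, an obfuscated function call) and add a benign link as a control, which goes slightly beyond the article's own cases.

```javascript
// Added example (not from the original article): a naive regex rule in the style of
// a string-matching WAF, beside a detector that parses the tag like a browser does.
// The rule, function names and sample payloads below are assumptions for this demo.

// A blacklist signature: tag, whitespace, one of a few handler names, then a literal
// "alert(" inside the attribute value. Each bypass class in the article defeats one
// assumption baked into this pattern.
const NAIVE_RULE = /<\w+\s+(?:onclick|onmouseover|onerror|onload)\s*=\s*["']?[^"'>]*alert\s*\(/i;

function naiveMatches(input) {
  return NAIVE_RULE.test(input);
}

// Numeric character references (&#97; &#x61; and the forms without a semicolon) are
// decoded by the browser in attribute values before an event handler is compiled,
// so a filter that matches the raw bytes never sees the word "alert".
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (ref, num) => {
    const cp = num[0].toLowerCase() === 'x' ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : ref;
  });
}

// Reduced HTML start-tag tokenizer: returns [{ name, attrs: [{ name, value }] }].
// In the "before attribute name" position both whitespace and "/" are skipped, which
// is why <a/onmouseover=...> parses exactly like <a onmouseover=...>.
function parseStartTags(html) {
  const tags = [];
  const open = /<([a-z][a-z0-9]*)/gi;
  let m;
  while ((m = open.exec(html)) !== null) {
    let i = open.lastIndex;
    const attrs = [];
    while (i < html.length && html[i] !== '>') {
      if (/[\s\/]/.test(html[i])) { i++; continue; }
      let name = '';
      while (i < html.length && !/[\s\/=>]/.test(html[i])) name += html[i++];
      while (i < html.length && /\s/.test(html[i])) i++;
      let value = '';
      if (html[i] === '=') {
        i++;
        while (i < html.length && /\s/.test(html[i])) i++;
        const q = html[i];
        if (q === '"' || q === "'") {
          i++;
          while (i < html.length && html[i] !== q) value += html[i++];
          i++; // closing quote
        } else {
          while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
        }
      }
      attrs.push({ name: name.toLowerCase(), value: decodeNumericRefs(value) });
    }
    open.lastIndex = i + 1;
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// Structural detection: decide on the parsed attribute list instead of a regex over
// the raw string. Any attribute whose name starts with "on" is an event handler, so
// handlers absent from a blacklist and obfuscated calls inside the value
// (self['alert'](1), (alert)(1)) are flagged without naming the function at all.
function normalisedDetect(input) {
  return parseStartTags(input).some(tag =>
    tag.attrs.some(attr => attr.name.startsWith('on')));
}

// Constructed payload shapes mirroring the bypass classes listed above, plus a
// benign link to show the structural check does not fire on ordinary markup.
const SAMPLES = {
  plain: '<a onmouseover=alert(1)>click</a>',
  nonWhitespacePadding: '<a/onmouseover=alert(1)>click</a>',
  numericCharRefs: '<a onmouseover="&#x61;&#108;ert(1)">click</a>',
  handlerNotBlacklisted: '<a onpointerenter=alert(1)>click</a>',
  obfuscatedCall: "<a onmouseover=self['alert'](1)>click</a>",
  benign: '<a href="/docs" title="on the road">click</a>',
};

// Runs both detectors over every sample; only the plain payload trips the regex,
// while every hostile sample (and not the benign one) trips the structural check.
function compare(samples = SAMPLES) {
  const result = {};
  for (const [name, html] of Object.entries(samples)) {
    result[name] = { naive: naiveMatches(html), normalised: normalisedDetect(html) };
  }
  return result;
}

console.table(compare());
```

Run with `node`: the table shows the regex firing only on the plain form, while the tokenizer-based check fires on all five hostile forms and stays quiet on the benign link. The practical point is that a filter should match on the parsed, decoded structure (tag and attribute names) rather than on raw strings and a fixed list of handler or function names; the example does not attempt to normalise the JavaScript inside the handler, which is why it rejects any `on*` attribute outright.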