Using HTML Attribute Separators for Bypassing WAF XSS Filters


Abstract

This is an experiment I did to identify which characters modern browsers accept as HTML attribute separators and to use them in constructing XSS vectors. Vectors built with these characters parse correctly in modern browsers, and the characters themselves can be used to bypass WAF XSS filters that only account for the usual space.

Background

An example of a common XSS vector is:

<img src=x onerror=alert(1)>

We will be using this vector as a baseline for the demonstration in this experiment.

The browser requests an image at `x`, resolved relative to the current page. When that request fails, the `onerror` event handler fires and executes the JavaScript it carries. In this vector the space character (0x20) is what separates the tag name and the attributes from one another.

A typical XSS regular expression that blocks this vector looks for whitespace between the tag name and the attributes. It can be bypassed with the same vector by using the slash "/" character as the attribute separator (a well-known payload). Note that the value is quoted here: inside an unquoted attribute value the browser treats "/" as part of the value, so the slash only works as a separator directly after the tag name or after a quoted value:

<img/src="x"/onerror=alert(1)>

Fuzzing for Valid Attributes Separators in Modern Browsers

HTML is a very forgiving language: browser engines accept many different structures when they render content. I wrote a simple fuzzing script in JavaScript that substitutes every Unicode code point for the attribute separator in the baseline vector and records which ones the browser still parses into a valid `<img>` tag with both attributes.
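To make the fuzzing step concrete, here is an added example of such a fuzzer. It is my own code, not the script the author used, and the names `buildVector`, `browserParse`, `specParse`, `isValidSeparator` and `fuzzSeparators` are my own. In a browser it uses `DOMParser` as the oracle (a DOMParser document is inert, so nothing fetches `x` and no handler runs). Outside a browser, for example in Node, it falls back to `specParse`, a deliberately reduced model of the WHATWG tokenizer's states between `<` and `>` (no character references, first duplicate attribute wins); it exists only so the script can be run and checked offline, and the authoritative answer is always the browser's own parser. The vector quotes the `src` value because "/" inside an unquoted value is part of the value and would otherwise never register as a separator in the second position.

```javascript
// Added example, not the original post's script: try every code point as the
// attribute separator in the baseline vector and report which ones the parser
// accepts. Oracle: DOMParser in a browser, specParse (reduced WHATWG model) otherwise.

// Quoted value on purpose: inside an unquoted value "/" is ordinary value data.
function buildVector(sep) {
  return `<img${sep}src="x"${sep}onerror=alert(1)>`;
}

// Browser oracle. DOMParser documents are inert: no image fetch, no handler runs.
function browserParse(html) {
  const doc = new DOMParser().parseFromString(html, "text/html");
  const el = doc.body.firstElementChild;
  if (!el) return null;
  const attrs = {};
  for (const a of el.attributes) attrs[a.name] = a.value;
  return { tag: el.localName, attrs };
}

// Offline oracle: the tokenizer states of one start tag, simplified
// (no character references in values, first duplicate attribute wins).
function specParse(html) {
  // Input-stream preprocessing: CR and CRLF become LF; NUL behaves as U+FFFD here.
  const s = html.replace(/\r\n?/g, "\n").replace(/\0/g, "\uFFFD");
  const WS = new Set(["\t", "\n", "\f", " "]); // the only whitespace the tokenizer knows
  if (s[0] !== "<" || !/^[A-Za-z]$/.test(s[1] || "")) return null;
  let i = 1, tag = "", name = "", value = "", quote = "", state = "tagName";
  const attrs = {};
  const commit = () => { if (name && !(name in attrs)) attrs[name] = value; name = value = ""; };
  const finish = () => ({ tag, attrs });
  while (i < s.length) {
    const c = s[i++];
    switch (state) {
      case "tagName":
        if (WS.has(c)) state = "beforeName";
        else if (c === "/") state = "selfClosing";
        else if (c === ">") return finish();
        else tag += c.toLowerCase(); // anything else, NBSP or VT included, joins the tag name
        break;
      case "beforeName":
        if (WS.has(c)) break;
        if (c === "/" || c === ">") { i--; state = "afterName"; break; }
        name = value = "";
        if (c === "=") name = "="; else i--; // a leading "=" becomes an attribute named "="
        state = "name";
        break;
      case "name":
        if (WS.has(c) || c === "/" || c === ">") { i--; state = "afterName"; }
        else if (c === "=") state = "beforeValue";
        else name += c.toLowerCase();
        break;
      case "afterName":
        if (WS.has(c)) break;
        if (c === "=") state = "beforeValue";
        else if (c === "/") { commit(); state = "selfClosing"; }
        else if (c === ">") { commit(); return finish(); }
        else { commit(); i--; state = "beforeName"; } // next attribute starts right here
        break;
      case "beforeValue":
        if (WS.has(c)) break;
        if (c === '"' || c === "'") { quote = c; state = "quoted"; }
        else if (c === ">") { commit(); return finish(); }
        else { i--; state = "unquoted"; }
        break;
      case "quoted":
        if (c === quote) state = "afterQuoted"; else value += c;
        break;
      case "unquoted":
        if (WS.has(c)) { commit(); state = "beforeName"; }
        else if (c === ">") { commit(); return finish(); }
        else value += c; // "/" included: it does not end an unquoted value
        break;
      case "afterQuoted":
        commit();
        if (WS.has(c)) state = "beforeName";
        else if (c === "/") state = "selfClosing";
        else if (c === ">") return finish();
        else { i--; state = "beforeName"; } // parse error, but the next attribute still starts
        break;
      case "selfClosing":
        if (c === ">") return finish();
        i--; state = "beforeName"; // parse error; the "/" has still ended what came before
        break;
    }
  }
  return null; // EOF inside the tag: nothing is emitted
}

// A code point works as a separator when the result is <img> with both attributes intact.
function isValidSeparator(parse, cp) {
  const r = parse(buildVector(String.fromCodePoint(cp)));
  return !!r && r.tag === "img" && r.attrs.src === "x" && r.attrs.onerror === "alert(1)";
}

function fuzzSeparators(parse, from = 0, to = 0xFFFF) {
  const hits = [];
  for (let cp = from; cp <= to; cp++) {
    if (cp >= 0xD800 && cp <= 0xDFFF) continue; // surrogates are not scalar values
    if (isValidSeparator(parse, cp)) hits.push(cp);
  }
  return hits;
}

const hex = (cp) => "0x" + cp.toString(16).toUpperCase().padStart(2, "0");
const oracle = typeof DOMParser !== "undefined" ? browserParse : specParse;
console.log(fuzzSeparators(oracle).map(hex).join(" "));
```

Paste the block into a browser's DevTools console to run it against the real parser; `fuzzSeparators(browserParse, 0, 0x10FFFF)` covers the supplementary planes too. Over the BMP the spec model reports 0x09 0x0A 0x0C 0x0D 0x20 0x2F and nothing else, which is the set the post arrives at; vertical tab (0x0B) and NBSP (0xA0) are not separators because the tokenizer appends them to the tag name.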

Results

  1. Carriage-Return (0x0D)

  2. Line-Feed (0x0A)

  3. Horizontal Tab (0x09)

  4. Form-Feed (0x0C)

These are in addition to the two previously known separators, Space (0x20) and Slash (0x2F).

Notes on Bypassing WAFs Using Identified Attributes Separators

In general, WAF rule sets are strict about blocking specific inputs, and weakly written rules can be bypassed by using the less common attribute separators. This is an aid to constructing a valid XSS vector, not a payload on its own: I do not expect a vanilla <img(attribute-separator)src=x(attribute-separator)onerror=alert(1)> to bypass a WAF rule set directly. Instead, tweaking the payload around these separators increases the chance of writing a valid vector that gets past the WAF's XSS filters.

Furthermore, I have demonstrated several payloads that use attribute separators implicitly to bypass the XSS filters of popular WAFs. You can read my previous research at Link.

The techniques were tested against the ModSecurity Core Rule Set (CRS). The default installation (Paranoia Level 1) blocks almost all variants; raising the Paranoia Level to 2 blocks the remaining payloads. I want to thank Dr. Christian Folini for testing them against ModSecurity CRS.

What to Do?

Penetration Testers

These characters can be used to craft better payloads when fuzzing WAF XSS filters. Feel free to use them in your next WAF assessment.

Defenders

Account for every attribute separator the browser accepts (tab, line feed, form feed, carriage return, space and slash) when constructing filters. A rule that only looks for spaces can be bypassed with any of the others.
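As an added example (not from the post and not a ModSecurity CRS rule), the following puts a space-only rule shape beside a separator-aware one and checks both against one payload per separator listed above. The rule shapes, `WEAK_RULE` and `SEPARATOR_AWARE_RULE`, and the helpers `payloadWith` and `missedBy` are illustrative names of my own. Both rules are still regexes, so they only close the separator gap; they do not make a pattern match equivalent to parsing the way a browser does.

```javascript
// Added example, not the post's or CRS's rules: a space-only rule versus a
// separator-aware one, evaluated against one payload per separator.

// Separators reported in the post: TAB, LF, FF, CR, SPACE, SLASH.
const SEPARATORS = ["\t", "\n", "\f", "\r", " ", "/"];

// Quoted value so that "/" also ends the value (inside an unquoted value "/" is data).
function payloadWith(sep) {
  return `<img${sep}src="x"${sep}onerror=alert(1)>`;
}

// Weak: assumes a literal space follows the tag name, as many hand-written rules do.
const WEAK_RULE = /<\w+ [^>]*\bon\w+\s*=/i;

// Separator-aware: any character the HTML tokenizer treats as ending the tag name,
// and only the tokenizer's own whitespace between the attribute name and "=".
const SEPARATOR_AWARE_RULE = /<\w+[\t\n\f\r \/][^>]*\bon\w+[\t\n\f\r ]*=/i;

const hex = (ch) => "0x" + ch.codePointAt(0).toString(16).toUpperCase().padStart(2, "0");

// Which separators get a payload past the rule (rule.test() returned false).
function missedBy(rule) {
  return SEPARATORS.filter((sep) => !rule.test(payloadWith(sep))).map(hex);
}

console.log("weak rule misses:           ", missedBy(WEAK_RULE).join(" ") || "(none)");
console.log("separator-aware rule misses:", missedBy(SEPARATOR_AWARE_RULE).join(" ") || "(none)");
```

Run with Node or in a browser console: the weak rule catches only the baseline payload and lets 0x09, 0x0A, 0x0C, 0x0D and 0x2F through, while the separator-aware rule catches all six.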

Mazin Ahmed
