bug bounty - escalating HTMLi without XSS?
Hi all,
Not sure if this is the right place to ask but im trying a bunch of tech servers.
I've currently got a HTML Injection in a bug bounty target however their WAF+CSP is preventing me from escalating it to XSS.. regular HTMLi is out of scope so I need to demonstrate impact in some way. I can't use iframes because x-frame-options is set to 'DENY' and I'm starting to think XSS is out of the question entirely, all known event handlers are blacklisted as are a bunch of HTML tags and attributes like src= or href=, even < and > chars were blacklisted but I managed to get a WAF bypass and inject HTML chars without getting blacklisted via double-urlencoding HTML char escape sequences.. I've tried similar techniques with event handlers etc to attempt to get XSS, but no use.. plus even if I were to bypass the WAF to get XSS, they've got a solid CSP in place..
So I've given up on the idea of XSS and now im wondering if I can escalate the HTMLi some other way, so far I've attempted:
- HTMLi --> CSSi --> Leaked PII
- HTMLi --> Dangling Markup Injection --> Leaked PII
- HTMLi --> DOM Clobbering --> DOM XSS
However im not having any luck with any of my attempts.. is anyone able to come up with any other ideas as to how I could escalate a HTML Injection without XSS? Spear Phishing pages are out of the question, they're not accepting that as a valid impact. Do I have any chance at all here?
3 Replies
I've also tried injecting a meta tag already to spoof the page's charset from UTF-8 to UTF-7 or UTF-16 and then injecting my payload using UTF-7 chars or whatever, no luck.. should I just give up? Or can anyone think of anything I can try?
Wasn't expecting that last one to actually work but just mentioning that I already tried in case someone suggests it.
I'm willing to split the payout 50/50 plus am willing to prove its a real bounty target so that u know its nothing sketchy..
Willing to split 50/50 if someone can help find a bypass I mean
Or not a "Bypass" per-se, but just some method of escalating the HTMLi without XSS
Nevermind. I finally managed to get it working.
Turns out this technique actually did work.. I just needed to tweak my payload slightly.
I did a write-up covering how I got a working PoC if anyone is interested in checking it out:
https://0x80dotblog.wordpress.com/2023/08/07/bbp-writeup-series-1-turning-useless-htmli-on-redacted-into-a-p1/
Very cool read
I never personally got into hacking, so I'm having a bit of trouble fully grasping what's going on. Let me know if this sounds right;
There is an input field that gets very well cleaned, then later shown back on the site. You put the double encoded meta tag changing to utf-7 in order to put the css import lacking an end ;. Is the @import statement sending the source code of the webpage in its raw html from the point that the payload gets rendered on the screen to you mlt.lol site where you listen and injest the leaked source?
That's correct, everything between the @import and the next instance of ; char in the page source gets leaked