Hassan Saad

XSS on Nokia

Last updated 2 years ago

Affected Endpoint: https://qa-online.networks.nokia.com/entry/open/DoUp?action=login&TARGET=

Payload: "accesskey="X"onclick="alert(1)"UserTarget=

Full URL: https://qa-online.networks.nokia.com/entry/open/DoUp?action=login&TARGET="accesskey="X"onclick="alert(1)"UserTarget=

Description

While testing the attack surface we came across a URL with two parameters, action and UserTarget. After the request, the page redirects us to another URL.

The new page takes the values of the action and UserTarget parameters from the first URL, combines them into a single parameter called TARGET, and reflects these values in the page's response.

If we try to inject a payload directly into the TARGET parameter, it ends up in the UserTarget value in the response, and that value is filtered well. So by default, anything placed in TARGET is stored in UserTarget and sanitized. But what if we inject the payload into the action parameter that sits inside the TARGET parameter?

Now comes the fun part. TARGET carries two inner parameters taken from the previous URL, action and UserTarget, and here is the problem: of the two, only UserTarget is filtered. The action parameter is not.

To be precise, the action parameter filters the > character but not the double-quote character. Because > is filtered we cannot close the input tag and write another tag, so we are limited to what can be done inside the input tag itself, using the double quote to break out of the value attribute.

So we can inject any payload we want into the action parameter inside TARGET, but there is one problem in exploiting this XSS: XSS in hidden inputs is frequently very hard to exploit, because the usual JavaScript event handlers like onmouseover, onclick and onfocus cannot be triggered on an element that is not visible.

The way around this is the accesskey attribute: a hidden input that carries accesskey="X" together with an onclick handler can still be activated from the keyboard with the browser's access-key shortcut, so the handler fires without the element ever being visible.

With that, we have the ability to run any payload in the context of the user's browser session.

After cleaning the payload up a little and removing unnecessary parameters and characters, the final payload becomes the one given at the top of this page.

And here we go: the payload triggers on Firefox with the shortcut ALT+SHIFT+X.
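To make the filtering problem concrete, here is an added example (written for this page, not Nokia's code) that models the redirect step described above: a TARGET value carrying an inner query string (action=...&UserTarget=...) whose values are rendered into a hidden input. It compares the weak filter the write-up describes (stripping only >) with proper HTML attribute encoding, then tokenizes the rendered tag roughly the way a browser does to show which attributes each version ends up with. The function names parseTarget, renderHidden, attributeNames and the sample host example.invalid are assumptions for the example; only the parameter names and the payload come from the page.

```javascript
// Added example, not Nokia's application code. Models the page's redirect
// step: TARGET holds an inner query string (action=...&UserTarget=...) and
// the values are rendered into hidden <input> fields.

// Split the inner parameters out of a TARGET value (assumed shape).
function parseTarget(target) {
  const q = target.indexOf('?');
  const qs = q === -1 ? target : target.slice(q + 1);
  const params = new URLSearchParams(qs);
  return {
    action: params.get('action') ?? '',
    userTarget: params.get('UserTarget') ?? '',
  };
}

// Weak filter: removes '>' only, which is what the page says happens to action.
function stripAngle(s) {
  return s.replace(/>/g, '');
}

// Hardened: encode every character that can terminate a quoted attribute
// value or start an entity, so the value can never leave the attribute.
function encodeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderHidden(name, value, encoder) {
  return `<input type="hidden" name="${name}" value="${encoder(value)}">`;
}

// Approximate the HTML tokenizer's attribute handling for one start tag:
// a name runs until whitespace, '/' or '='; a quoted value runs to the
// matching quote; whatever follows a closing quote starts a new attribute.
function attributeNames(tag) {
  const body = tag.replace(/^<[a-zA-Z][^\s\/>]*/, '').replace(/\/?>$/, '');
  const names = [];
  let i = 0;
  while (i < body.length) {
    if (/[\s\/]/.test(body[i])) { i++; continue; }
    const start = i;
    while (i < body.length && !/[\s\/=]/.test(body[i])) i++;
    names.push(body.slice(start, i).toLowerCase());
    while (i < body.length && /\s/.test(body[i])) i++;
    if (body[i] === '=') {
      i++;
      while (i < body.length && /\s/.test(body[i])) i++;
      const quote = body[i];
      if (quote === '"' || quote === "'") {
        const end = body.indexOf(quote, i + 1);
        i = end === -1 ? body.length : end + 1;
      } else {
        while (i < body.length && !/[\s>]/.test(body[i])) i++;
      }
    }
  }
  return names;
}

// Constructed sample: the page's payload placed in the inner action parameter.
const SAMPLE_TARGET =
  'https://example.invalid/DoUp?action="accesskey="X"onclick="alert(1)"&UserTarget=';

// Render the action value both ways and report the resulting attribute sets.
function demo(target = SAMPLE_TARGET) {
  const { action } = parseTarget(target);
  const weak = renderHidden('action', action, stripAngle);
  const safe = renderHidden('action', action, encodeAttr);
  return {
    weak,
    weakAttrs: attributeNames(weak),   // gains accesskey and onclick
    safe,
    safeAttrs: attributeNames(safe),   // stays type, name, value
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. The weak output shows the value attribute closing early and accesskey plus onclick appearing as real attributes of the input, which is exactly the condition the ALT+SHIFT+X shortcut relies on; the encoded output keeps the whole payload as inert text inside value, so there is nothing for a shortcut or event to reach.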

Final Words

  • Take note of any parameters nested inside other parameters (an array of parameters), like the following: TARGET=http://bla.com?action=bla&UserTarget=bla, and test every one of them.

  • Take note of which parameters are filtered, and which characters inside those parameters are filtered.

  • Take note that a hidden input field can be exploited from within the same tag.

After searching for some time we found the technique for exploiting this vulnerability at the following link:

https://portswigger.net/research/xss-in-hidden-input-fields