Hello everyone, in this article I will share “How I Bypassed WAF” to chain a reflected XSS.
Some time ago, my friend Mamet Nugraha built a website for downloading Instagram and Facebook videos and photos; you can check it at saveas.w3llsquad.or.id. Having some idle time, I decided to pentest the website. After a while, I found an interesting endpoint in Burp history like this:
https://saveas.w3llsquad.or.id/download.php?url=http://linktoavideo.website/test.mp4&type=xxx&format=mp4&title=xxx
Then I sent the request to Repeater and edited the value of the `?url=` parameter, and I saw in the response that the Content-Type was text/html.
So I tried to put in an XSS payload, but I got redirected to a 403 Forbidden page :(
Then I tried to find a bypass. I tried some bypasses like URL encoding and double URL encoding, but they didn’t work :( Then I looked on Google for references and found this repository: https://github.com/s0md3v/AwesomeXSS. After trying the payloads from that repository for a while, I successfully bypassed the WAF using the onmouseleave event. The payload looks like this:
`"><a href="#" onmouseleave=alert(99)>Click`
Then I showed the response in the browser and the payload was triggered.
Then I reported it to my friend and the bug has been fixed.
Thanks for reading my write-up, hopefully it can help. Apologies if there are errors in the writing.
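As an added example (not the site's own code, which the write-up does not show), here is a small Python model of why a blocklist-style WAF was the wrong place to stop this: a toy blocklist passes the payload above untouched, while validating the `url` parameter as an http(s) URL and HTML-encoding it on output removes the attribute breakout entirely. The blocklist tokens and the `download.php` rendering are assumptions.

```python
import html
from urllib.parse import urlparse

# Payload from the write-up, reused here only as a test input.
PAYLOAD = '"><a href="#" onmouseleave=alert(99)>Click'

# Toy signature list in the style of a blocklist WAF (assumption: the real
# WAF's rules are unknown; this only models why such rules are brittle).
BLOCKED_TOKENS = ("<script", "onload=", "onerror=", "onclick=", "onmouseover=")


def naive_waf_allows(value: str) -> bool:
    """True if no blocked token is present, i.e. the request would pass."""
    lowered = value.lower()
    return not any(token in lowered for token in BLOCKED_TOKENS)


def render_vulnerable(url: str) -> str:
    """download.php as described: the url parameter lands in HTML unescaped."""
    return f'<a href="{url}">Download</a>'


def is_http_url(value: str) -> bool:
    """Allowlist check: the parameter must be an absolute http(s) URL."""
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def render_fixed(url: str) -> str:
    """Encode for the attribute context; quotes become &quot; so the value
    can never close the href attribute, whatever the WAF did or did not catch."""
    return f'<a href="{html.escape(url, quote=True)}">Download</a>'


def handle_request(url: str):
    """Validate first, encode second. None stands in for a 400 response."""
    if not is_http_url(url):
        return None
    return render_fixed(url)


def attribute_broken_out(rendered: str) -> bool:
    """Detection helper: True if the reflected value escaped the href
    attribute and introduced a second anchor tag carrying a handler."""
    return "onmouseleave=" in rendered and rendered.count("<a ") > 1
```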
Keep learning and stay safe!