
I am pentesting a super strange website and was trying to get stored XSS on their main website. After some hours of testing I found that it is possible to inject successfully without any encoding:

<img src="any" alt="any">

Cool, right? The thing is, I have tried 50+ event handlers (some of them not even working for images) and 80% of them were blocked by the WAF, and the rest that were accepted (code 200 instead of 500) were stripped from the response, even invalid ones. So

<img src="any" asdasd=asdasd alt="any"> turns into --> <img src="any" alt="any">

So I was wondering, is there any possible way to exploit this without event handlers?

I know that isn't allowed for most browsers and will not trigger anything (correct me if I'm wrong here).

Mr. ToxicMan
  • My answer here may be helpful, but you are probably hosed. Sounds like they are properly parsing and processing HTML. Skip to the part about a robust parser: https://security.stackexchange.com/questions/220447/security-risks-of-user-generated-html/220462#220462 – Conor Mancone Nov 13 '19 at 01:30
  • Forgot to say, but because jkksjdbf=ksjdfsd gets filtered they probably use a whitelist instead of a blacklist to filter handlers. – Mr. ToxicMan Nov 13 '19 at 01:42
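A minimal allowlist sanitizer of the kind the comments above infer the site is running, as an added example in JavaScript. This is not code from the question or from the target site; the allowed tag and attribute lists and the src URL check are assumptions chosen for illustration. It shows why a made-up attribute like asdasd=asdasd disappears for the same reason onerror does: nothing is matched against a list of bad handler names, only names on the allowlist survive.

```javascript
// Added example: allowlist-based tag/attribute sanitizer (assumed design,
// not the target site's code). Unknown tags are dropped, unknown attributes
// on known tags are stripped, and src must be an http(s) or relative URL.

// Assumed allowlist for the demonstration.
const ALLOWED_TAGS = {
  img: new Set(["src", "alt", "width", "height"]),
  b: new Set(),
  i: new Set(),
};

// http(s)://..., a root-relative path (but not protocol-relative //host),
// or a plain relative path. javascript:, data:, vbscript: all fail here.
const SAFE_URL = /^(?:https?:\/\/|\/(?!\/)|[^:\/?#]+(?:[\/?#]|$))/i;

function escapeText(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// name, then optionally = "double-quoted" | 'single-quoted' | unquoted value
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;

// Parse the raw attribute string of one tag into [name, value] pairs.
function parseAttrs(raw) {
  const out = [];
  for (const m of raw.matchAll(ATTR_RE)) {
    out.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? ""]);
  }
  return out;
}

// Re-serialise one tag keeping only allowlisted attributes.
function sanitizeTag(name, rawAttrs, closing) {
  const allowedAttrs = ALLOWED_TAGS[name];
  if (!allowedAttrs) return "";            // tag not on the list: dropped
  if (closing) return `</${name}>`;
  const kept = [];
  for (const [attr, value] of parseAttrs(rawAttrs)) {
    if (!allowedAttrs.has(attr)) continue;  // on*, asdasd, style, ...: gone
    if (attr === "src" && !SAFE_URL.test(value.trim())) continue;
    // Values are re-quoted and escaped, so an entity smuggled into the
    // original value (e.g. &colon;) is emitted as &amp;colon; and stays inert.
    kept.push(` ${attr}="${escapeText(value)}"`);
  }
  return `<${name}${kept.join("")}>`;
}

// Split input into text and tag tokens; text is entity-escaped.
const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;

function sanitizeHtml(input) {
  let out = "";
  let last = 0;
  for (const m of input.matchAll(TAG_RE)) {
    out += escapeText(input.slice(last, m.index));
    out += sanitizeTag(m[2].toLowerCase(), m[3], m[1] === "/");
    last = m.index + m[0].length;
  }
  return out + escapeText(input.slice(last));
}

// Constructed sample payloads from the question plus a few variants.
const SAMPLES = [
  '<img src="any" asdasd=asdasd alt="any">',
  '<img src="any" onerror="alert(1)" alt="any">',
  '<img/src=x onerror=alert(1)>',
  '<img src="javascript:alert(1)" alt="x">',
  '<script>alert(1)</script>',
];
for (const s of SAMPLES) console.log(s, "=>", sanitizeHtml(s));
```

The regex tokenizer here is only good enough to show the allowlist logic; a production filter should run the input through a real HTML5 parser (DOMPurify or a server-side equivalent), because the remaining attack surface against this design is not a handler name but a parser differential between the sanitizer and the browser, or a value that passes the src check yet is interpreted differently by the browser.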

1 Answer

Did you try other payloads for XSS?

Here's the cheat-sheet: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

You can check the Event, Compatibility, tag as well as code there.

If 80% were blocked by the WAF, you need to bypass it. Some bug bounty hunters have already bypassed some WAFs, and here's the link:

https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md

For the browser, just test in all browsers.

Al Francis