Hi guys! Today I will share my experience of how I exploited an XSS in a pretty particular scenario.
During analysis, there was a feature on the application that allows the customer to add external reference links for specific options.
So, there were input filters not allowing double quotes, <,>, and other chars. The injection would happen only in the href parameter.
Basically:
<a href="<xss_here>" target="_blank">ClickMe</a>
At this point, I thought, piece of cake, I will inject a standard payload like javascript:alert(1), and that's it, exploited!
<a href="javascript:alert(1)" target="_blank">ClickMe</a> Right?
WRONG!
As you know, the "target" parameter controls the window link behavior.
In this case, it forces the link to open in a new tab due to the _blank value. When you left-click (the usual behavior), on the link, even with the javascript:alert(1) payload, the browsers handle it differently:
Firefox: Opens a new blank tab with the payload on the URL address bar
So, based on this behavior, it's clear it cannot be exploited just by left-clicking on the link.
I tried to change the target parameter value using javascript, but the instruction to open a new tab executes first, so there is no way to rewrite the value on the fly.
After some research, I found these links https://bugzilla.mozilla.org/show_bug.cgi?id=55696 and https://support.mozilla.org/en-US/questions/1289787 related to new tab/window and javascript execution. Then the idea to use the mouse middle button popped up, and BANG!
By default, the browsers(Firefox, Chrome, and Edge) have the middle button configured to force open links in a new tab. So, by using this button, the browsers executed the Javascript! Also, this time, the behavior was slightly different, and it can interfere during the exploitation. To test these conditions, I changed the payload to javascript:alert(document.cookie)
Firefox: The browser executed the javascript in a new blank tab. However, the javascript could not read the cookie, as expected, due to run in a blank tab out of the application context.
Chrome and Edge: The browsers weirdly did not open a new tab, even forced by the middle button. So, the javascript is executed in the application context. That is, it can read the application cookies.
That's all, folks! Cya!