Bypassing Web Application Firewalls 1.3 Challenge Exercise - Need help

I've been stuck on this darn challenge for hours, going over part 3/4 of the guided walkthrough multiple times, and I just feel like nothing is working. I have figured out that event handlers are blocked by the WAF, and it seems like the keyword "javascript" is also blocked by the WAF. It seems to accept img src=x fine, but anything after that it's rejecting. I tried which seems to work, but I have no idea how to get it to show the document.cookie. I just feel upset and frustrated that the lead-up to this felt smooth and made sense, but this just seems too damn hard. I've never been that great with XSS, but everywhere I look, like PortSwigger for example, all shows testing of onalert or script or javascript. But again, I can't get any of these to work. I haven't saved a list of what I've tried, but it's basically:

asdf>"'<img src=x onerror=console.log(document.cookie);>
asdf>"'<img src=x onerror=document.write(document.cookie);>
asdf>"'<img src=x onerror=prompt(document.cookie);>
asdf>"'<a href="">CLICK</a>  # works but i cant weaponize it
asdf>"'<a href="javascript:aaa">CLICK</a> # all javascript keywords inside a href is being blocked it seems .. but i tried anyways
asdf>"'<a href="javascript:prompt(document.cookie)">CLICK</a>
asdf>"'<a href="javascript:console.log(document.cookie)">CLICK</a>
asdf>"'<a href="javascript:()">CLICK</a>

I really, really need help. I'm not strong in this area, and when I have so many possibilities, I just feel confused and overwhelmed. I need help being pointed in the right direction. I tried checking this forum post (Bypassing Web Application Firewalls 1.3 Challenge Exercise). I read it over and over, but I still can't piece it together. I know I need document.cookie, I know script tags work like img src and a href, but I have NO IDEA how to piece it all together into something that actually reads the document.cookie file without alert or javascript keywords. I only understand what was shown in the guided walkthrough so far, and even that was hard to understand because I'm not great in JavaScript. I need more guidance. This is not easy for me at all. I don't want to be stuck on this for days over something that should be like a 30 min challenge. It's depressing.

I would note that the Challenge Exercises are all optional. If you find you’re getting hung up on one, I would recommend moving past it and revisiting it later if you like.

To elaborate on the instructor's notes that Joseph shared in the other post:

Using basic testing of the above sections, we can discover that many methods still work the same as usual. We can do this with the following process:

  • See which meta characters and special characters work
  • See which basic HTML elements work
    • Many do work, works, when it previously did not.
  • See if any attributes work (i.e. src=, data=)
    • Most should work
  • See if event handlers work
    • None should work
  • See if various actions work from before
    • prompt() is now blocked as well; alert() and some others like console.log() shouldn't work. Maybe try confirm()
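
Added example (mine, not the lab's or the course's code): a constructed Python approximation of the keyword blocklist the notes above describe, beside the output encoding that makes the same inputs inert whatever keywords they contain or omit. The blocklist patterns are an assumption about the lab WAF; the sample inputs are the payloads quoted earlier in this thread.

```python
import html
import re

# Constructed approximation of the lab WAF as this thread describes it
# (event handlers, the "javascript" keyword, and alert/prompt/console.log
# rejected). These patterns are an assumption, not the lab's real rule set.
BLOCKED_PATTERNS = [
    re.compile(r"\bon\w+\s*=", re.IGNORECASE),                    # onerror=, onload=, ...
    re.compile(r"javascript", re.IGNORECASE),                      # javascript: URLs
    re.compile(r"\b(alert|prompt|console\.log)\s*\(", re.IGNORECASE),
]


def waf_blocks(payload: str) -> bool:
    """True when the keyword blocklist would reject this request."""
    return any(p.search(payload) for p in BLOCKED_PATTERNS)


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: reflect the parameter into HTML untouched, so
    the page is only as safe as the blocklist in front of it."""
    return f"<p>Hello, {name}</p>"


def render_safe(name: str) -> str:
    """Hardened pattern: HTML-escape at the output point. The browser then
    renders <, > and quotes as text, so no tag or attribute can form
    regardless of which keywords the input contains."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def tag_count(rendered: str) -> int:
    """Number of opening tags the browser would see in the rendered HTML."""
    return len(re.findall(r"<[A-Za-z]", rendered))


# Sample inputs taken from the payloads quoted earlier in this thread.
SAMPLES = {
    "handler": 'asdf>"\'<img src=x onerror=prompt(document.cookie);>',
    "link": 'asdf>"\'<a href="">CLICK</a>',
    "js_url": 'asdf>"\'<a href="javascript:prompt(document.cookie)">CLICK</a>',
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:8} blocked={waf_blocks(payload)!s:5} "
              f"unsafe_tags={tag_count(render_unsafe(payload))} "
              f"safe_tags={tag_count(render_safe(payload))}")
```

Running the script prints one line per sample; the column to watch is safe_tags, which stays at 1 (the page's own `<p>`) for every input, blocked by the filter or not.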

I appreciate the further detail. Yeah, I noticed no handlers worked, and I noticed alert() didn't work either. I have never seen confirm() used, so I don't know how to try testing that. I was thinking to try data= something, but not sure how to use it either. I really feel like there should be more examples of things to try in the guided walkthrough, because I never saw them use confirm(), and you would need to have outside understanding to make use of combining these functions, which I don't understand well unfortunately.

Also, unfortunately… still can't get back to the lab :frowning: Stuck here for the last 15 minutes yet again. Going to try and restart yet again. Very frustrating.

Yeah there’s a pretty significant AWS outage right now, so we’re having some issues with labs loading.

AHHH, so that's what it is.

But yes - while it is solvable, I agree that the instructor for this particular lab assumed more prior knowledge of HTML and JavaScript than what’s actually covered in the lab itself. This is one that we plan to rework accordingly when the Penetration Tester Career Path comes up for revision next year.

Sounds awesome. I really liked what I was learning so far; just this challenge got a bit too hard for me, sadly. I learned a lot from the defender defense evasion guided steps practical part.

This is worth a peek, just to see how deep the XSS rabbit hole goes…