Bypassing XSS filters using Double Encoding

Hello Hackers,

Recently I started my bug hunting journey and got an XSS by Bypassing Cloudflare WAF (you can read about it here). Now I am back with another XSS by Double Encoding.

This attack technique consists of encoding user request parameters twice in hexadecimal format to bypass security controls or cause unexpected behavior from the application. It’s possible because the webserver accepts and processes client requests in many encoded forms.

Going directly into it…

If there is a will, there is a way. Like that if there is an input field, there is a chance of cross-site scripting. Currently, I am using very basic methods while trying to find bugs and improve myself by learning more methods and bugs. While going through some of the targets and testing input fields (like search boxes), I got an interesting input field, I just entered the usual input

and checked the source code.

Then I added a single quote but it filtered the input and replaced it with hello1& in some places and with ‘&’ in our target fields.

I tried URL encoding there, Then also got the same output which means it decodes the input.

So I used Double Encoding.
By using double encoding it’s possible to bypass security filters that only decode user input once. The second decoding process is executed by the backend platform or modules that properly handle encoded data, but don’t have the corresponding security checks in place.

It works.

Then our basic payload ‘><script>alert(1)</script> with double encoding tried.

%2527%253E%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E

But it created an error

I searched for attributes of input tag to exploit using it.
onfocus : The onfocus event occurs when an element gets focus.

‘ onfocus=’alert(1)’

%2527%2520onfocus%253D%2527alert%25281%2529%2527%2520

I clicked on the search bar, and the popup alert appeared.

But I thought of modifying it a little bit with autofocus which makes the text field automatically get focused upon page load and creates the popup alert while visiting the page itself.

‘ onfocus=’alert(1)’ autofocus=’

%2527%2520onfocus%253D%2527alert%25281%2529%2527%2520autofocus%253D%2527

Yeah. It worked …

You can also use payloads like

‘ onmouseover=’alert(1)’

%2527%2520onmouseover%253D%2527alert%25281%2529%2527%2520

Thank You For Reading ….

Twitter: https://twitter.com/ag3n7apk

Linkedin: https://www.linkedin.com/in/abhijith-pk-ag3n7/