Bypass WAF 500 Unauthorized Access! to Reflected XSS (Cross Site Scripting) - Developer BCA

Caesar Evan Santoso
3 min read · Mar 1, 2021
Waf! Waf! Waf!

Hello, here I just want to share my experience of finding an XSS (Cross Site Scripting) bug at one of the banks in Indonesia, namely BCA (Bank Central Asia).

Little Story

I had this URL since 17 May 2019; it came from an email from Bank BCA, namely “Developer BCA”.

Email from Developer BCA

And this is where I found the parameter that is vulnerable to this XSS attack.
Parameter = /registration/confirmemail.php?confirm=0

Steps to Reproduce

1. Open the website page https://developer.bca.co.id/registration/confirmemail.php?confirm=XSS

2. Then I tried adding a single quote (') and HTML tags (< and >), and found they were not encoded at all.

3. When I tried to pop up a simple alert with test Function`alert()```, the website immediately returned an error, probably from the WAF, with the message “Unauthorized Access!”

Here I felt quite proud, because a few days earlier I had read a write-up on my Facebook feed which, in my opinion, was the same case I was experiencing today!!!

4. Next I will show you the write-up I mentioned earlier:

https://www.facebook.com/Alone.Injector (Fareed Baloch)

Full Payload : test '-Function`self['a'\x2b'l'\x2b'e'\x2b'r'\x2b't']\x281\x29```-'

This payload uses hex escapes (\x2b is +, \x28 and \x29 are the parentheses), so the first line below is equivalent to the second:
test '-Function`self['a'\x2b'l'\x2b'e'\x2b'r'\x2b't']\x281\x29```-'
test '-Function`self['a'+'l'+'e'+'r'+'t'](1)```-'

Aaannnddddddd…. It worked!!!
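As an added illustration (not part of the original write-up or of BCA's code), the following Python shows why the hex-escaped payload slips past a filter that matches raw text, what a normalising check makes of it, and why output encoding is the durable fix. The signature list and probe strings are constructed for this example.

```python
import html
import re

# Constructed sample values for the vulnerable `confirm` parameter: the plain
# probe the write-up says the WAF blocked, and the hex-escaped variant that
# reached the page. Straight quotes are used here; Medium rendered them curly.
PLAIN_PROBE = "test Function`alert()```"
ESCAPED_PROBE = ("test '-Function`self['a'\\x2b'l'\\x2b'e'\\x2b'r'\\x2b't']"
                 "\\x281\\x29```-'")

# Assumed literal signature list, standing in for a filter that matches raw text.
SIGNATURES = ("alert(", "alert`", "eval(")

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

def normalize(value: str) -> str:
    """Decode \\xHH escapes, then fold 'a'+'l' style concatenations into one literal."""
    value = _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)
    prev = None
    while prev != value:  # repeat until no adjacent string pair is left to fold
        prev, value = value, _CONCAT.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", value)
    return value

def signature_hit(value: str) -> bool:
    """Raw literal matching: the behaviour the bypass in the write-up gets around."""
    return any(sig in value for sig in SIGNATURES)

def normalized_hit(value: str) -> bool:
    """Same signatures after normalisation, plus a bracket-indexed alert lookup."""
    v = normalize(value)
    return signature_hit(v) or "['alert']" in v or '["alert"]' in v

def reflect_safely(value: str) -> str:
    """The durable fix: encode the parameter before echoing it into the HTML body."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    for probe in (PLAIN_PROBE, ESCAPED_PROBE):
        print(f"raw={signature_hit(probe)} normalized={normalized_hit(probe)}")
        print("  reflected safely:", reflect_safely(probe))
```

Even the normalised check is a blocklist and can be reshaped around; the page's parameter only became safe once the server stopped reflecting it unencoded.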

I love it❤

Bad Ending~

There was no response from Team BCA, but the bug has now been fixed :(

Reference

I hope you enjoyed this writeup!!! SSSSKKKKKRRRRTTTT!!!!
