{"id":151,"date":"2023-04-15T13:44:00","date_gmt":"2023-04-15T06:44:00","guid":{"rendered":"https:\/\/n45ht.or.id\/blog\/?p=151"},"modified":"2024-12-14T22:54:09","modified_gmt":"2024-12-14T15:54:09","slug":"exploiting-httpstatusio-an-xss-via-protocol-handling","status":"publish","type":"post","link":"https:\/\/n45ht.or.id\/blog\/exploiting-httpstatusio-an-xss-via-protocol-handling\/","title":{"rendered":"Exploiting HTTPStatus.io: An XSS via Protocol Handling"},"content":{"rendered":"\n

httpstatus.io<\/strong> is a tool that allows you to check HTTP status codes, headers, and redirects. For example, when you submit a URL or domain, httpstatus.io<\/strong> will check the HTTP status code and where the domain will be redirected, such as when the HTTP status code is 301, 302, etc.<\/p>\n\n\n\n

Let me walk you through an interesting scenario I explored with httpstatus.io<\/strong>.<\/p>\n\n\n\n

Step-by-Step Exploit:<\/strong><\/p>\n\n\n\n

I started by submitting a normal URL, for example:<\/p>\n\n\n\n

https:\/\/google.com<\/code><\/pre>\n\n\n\n
The response was normal, as expected.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Next, I decided to submit a domain without a protocol<\/strong>:<\/p>\n\n\n\n
google.com<\/code><\/pre>\n\n\n\n
The server automatically added the protocol (either HTTP or HTTPS) to the domain and turned it into:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
protocol:\/\/google.com<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
At this point, everything seemed normal, and the server treated the domain like a regular URL. However, I noticed something interesting when I sent a specific payload<\/strong> instead of a typical URL.<\/p>\n\n\n\n
I used JavaScript<\/strong> as the protocol and crafted an XSS payload as the domain. The resulting payload looked like this:<\/p>\n\n\n\n
javascript:\/\/%0aalert(document.domain);\/\/<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
When clicking the resulting link, a window dialog<\/strong> popped up with an alert, executing my JavaScript payload.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
By exploiting how httpstatus.io<\/strong> handles the protocol and domain input, I was able to trigger an XSS<\/strong> vulnerability. This technique relies on the server treating JavaScript as a protocol and the payload as the domain, ultimately executing a script when the URL is clicked.<\/p>\n","protected":false},"excerpt":{"rendered":"
httpstatus.io is a tool that allows you to check HTTP status codes, headers, and redirects. For example, when you submit a URL or domain, httpstatus.io will check the HTTP status code and where the domain will be redirected, such as when the HTTP status code is 301, 302, etc. Let me walk you through an […]<\/p>\n","protected":false},"author":3,"featured_media":152,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[9],"class_list":["post-151","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research","tag-cross-site-scripting"],"_links":{"self":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/151","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/comments?post=151"}],"version-history":[{"count":1,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/151\/revisions"}],"predecessor-version":[{"id":158,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/151\/revisions\/158"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media\/152"}],"wp:attachment":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media?parent=151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/categories?post=151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/tags?post=151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}