{"id":69,"date":"2021-05-03T01:27:00","date_gmt":"2021-05-02T18:27:00","guid":{"rendered":"https:\/\/n45ht.or.id\/blog\/?p=69"},"modified":"2025-10-14T20:41:01","modified_gmt":"2025-10-14T13:41:01","slug":"winrar-xss","status":"publish","type":"post","link":"https:\/\/n45ht.or.id\/blog\/winrar-xss\/","title":{"rendered":"WinRAR XSS"},"content":{"rendered":"\n

A few days ago, I discovered a Cross-site Scripting (XSS)<\/strong> vulnerability in WinRAR<\/strong>. In this article, I\u2019ll walk you through the steps I took to find this vulnerability and how it works.<\/p>\n\n\n\n

What is WinRAR?<\/h3>\n\n\n\n

WinRAR is a trialware file archiver utility for Windows<\/strong>, developed by Eugene Roshal<\/strong> of win.rar GmbH<\/strong>. It allows users to create and view archives in RAR<\/strong> or ZIP<\/strong> file formats and unpack a variety of other archive formats as well.<\/p>\n\n\n\n

For more detailed information, you can check the source on Wikipedia<\/a>.<\/p>\n\n\n\n

Step 1: Observing the WinRAR Behavior<\/h3>\n\n\n\n

When I first opened WinRAR<\/strong>, I noticed that there was a window that seemed to make an HTTP request to an external web page. This caught my attention, as it could potentially be a vector for injecting malicious code.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Step 2: Capturing the HTTP Request<\/h3>\n\n\n\n

Immediately, I opened BurpSuite<\/strong>, a popular tool for intercepting and modifying HTTP requests. I used it to capture the requests made by WinRAR<\/strong> when this window was opened.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Step 3: Investigating the Request URL<\/h3>\n\n\n\n

The HTTP request was being sent to the following URL:<\/p>\n\n\n\n

https://notifier.win-rar.com\/?language=English&source=wrr&landingpage=first&version=600&architecture=64<\/code><\/pre>\n\n\n\n
This URL appeared to be related to WinRAR\u2019s notification system, likely sending version and language information to the server.<\/p>\n\n\n\n
Step 4: Testing for XSS Vulnerability<\/h3>\n\n\n\n
Curious if the URL was vulnerable to XSS, I decided to run a test using my private XSS Scanner<\/strong>. This tool automatically scans URLs for potential Cross-site Scripting vulnerabilities by inserting common payloads into URL parameters.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Step 5: Exploiting the XSS Vulnerability via BurpSuite<\/h3>\n\n\n\n
Next, I manually injected several XSS payloads<\/strong> into the URL using BurpSuite<\/strong> to see if the server would reflect the input without proper sanitization.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Step 6: XSS Triggered in WinRAR Window<\/h3>\n\n\n\n
To my surprise, the XSS vulnerability<\/strong> successfully triggered when the payloads were executed. The WinRAR window<\/strong> displayed the injected JavaScript, confirming that WinRAR<\/strong> was vulnerable to Reflected XSS<\/strong>.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Step 7: Demonstrating the Vulnerability (Video PoC)<\/h3>\n\n\n\n
To provide a clearer demonstration of how the XSS vulnerability works in WinRAR<\/strong>, I created a video proof of concept (PoC). In the video, you can see the XSS payload being triggered and executed within the WinRAR window.<\/p>\n\n\n\n