Lecture 45 - Bypassing Single-Quotes Filtering

From now on we're going to be talking about lots of methods to bypass the filtering and encoding measures that web developers might implement to prevent XSS vulnerabilities.

So let's go to the next lab. Again, you should test everything.

We're going straight to the search because I know that this is what's vulnerable, and I don't want to waste your time.

So again, let's just do a test.

We're going to search for "test", then right-click the result and inspect the element.

We can see it here and here. You should try to escape these two, or inject within the constraints you have in these two locations, and try to get JavaScript code to run.

But I've tested both of these, and we've seen examples of both before.

Nothing you try in these two locations is going to work.

Therefore, again, we're going to press Ctrl+F and look for "test". The first match is the one we would have tested already, and the next one is inside a script tag.

Again, the code here is very similar to what we saw in the previous example.

Therefore it makes sense to try the payload that we used in the previous example.

So we're simply going to paste the exact same payload.

We're going to search, and this time it didn't work, because in this example there is even more filtering implemented.

So let's analyze what happens and see if we can actually break out of whatever constraints we have.

So we're going to scroll down to the second instance, the one where we were able to inject JavaScript before.

We can see that this part right here is what we injected, but this time there is a backslash, which we didn't add, right before our single quote, followed by the rest of our injection.

When you see something like this, if you've done any programming, it will be very familiar.

If you haven't, you're going to see it now, and it's pretty much universal across programming languages.

Backslashes are used to escape a single quote.

What I mean by that is: we use two single quotes to delimit a string.

Now, if you want a single quote to be part of the string, so you don't want to close the string yet, you put a backslash before it.

That backslash tells the programming language, whatever language it is, that this single quote is still part of the string.

So the programmer of this page has added code that checks whether your input contains a single quote.

If it does, the code automatically adds a backslash before that single quote.

This prevents you from closing the string, and therefore from running JavaScript code.

So let me show you this.

So let's say we have a variable called x, and x is equal to some string.

This is how you usually define strings in most programming languages: you have the variable, the equals sign, and the string, which is a set of characters enclosed between two quotes.

Now let's assume that I want to define a string that contains a single quote as part of the string.

So let's say we want to write something like someone's name, which contains a single quote, and then close the string.

Now the programming language is going to get confused, because as I mentioned earlier, a string is a set of characters enclosed between quotes.

So we have a single quote here and another single quote here.

So what is x equal to?

Is it just the first part, or is it the name on its own? And if it's just the first part, then what is the rest?

That part is not defined.

So the programming language gets confused because you're trying to use a single quote inside a string.

Right now we have three single quotes instead of two or four. Every time you open a quote you need to close it, so this quote closes the string, and the text after it is neither part of the string nor valid code.

That's why it doesn't make sense this way.

So most programming languages, which is why I said it's universal, allow you to use single quotes inside a string, similar to what we did here.

But you have to put a backslash before the single quote; that way you're escaping it.

You're telling the programming language that this single quote is not part of the string definition, it's part of the string itself.

Therefore the string runs from here all the way to here.

Basically, every time you have a backslash, it tells the programming language to ignore the next single quote, treating it as a literal character rather than as the end of the string.

So that's the problem here.

The programmer was smart enough to know that hackers can use a single quote to break out of the string and run JavaScript code on the page.

So they check the input, and if it contains a single quote, they add a backslash to tell the programming language to ignore that quote. The hacker then can't escape the string, and therefore can't run JavaScript code.

So we're going to use the exact same payload that we used in the previous example.

We already covered how we constructed it, we know the page is adding a backslash, and we know that the backslash tells the programming language to ignore the next quote.

But what happens if we add a backslash ourselves, right before the single quote in our injection?

That way we get two backslashes in a row.

The first backslash escapes the second one, so the pair is treated as a single literal backslash inside the string, and the backslash the page added no longer reaches our quote.

JavaScript is therefore not going to ignore our single quote: it closes the string, and whatever code we put after it is evaluated as code, not as part of the string, so it gets executed on the page.

Let me go back to this example to make it clear. So we have it like this.

Right now, with a backslash before the single quote, we're telling the interpreter to ignore this quote.

But if we add another backslash before it, we're saying do not ignore it, because now we have two backslashes, and a backslash only escapes the single character right after it, which here is the other backslash.

So we're back to breaking out of the string.

This quote closes the string, and this part is going to be evaluated as code.

All we're doing is adding an extra backslash to cancel the backslash that the code automatically adds.

And if we click search now, our JavaScript gets executed. Let me go back here so you can see the code.

You can see that we have two backslashes and then the single quote, and now we're able to break out of it.

You can even see from the colour scheme that the alert is now part of the code and not part of the string.

So the string starts here and ends there, and its value is just a single backslash, written as two backslashes in the source.

Then we have our code injected here, and the double forward slash serves as a comment that ignores everything after it, namely the closing single quote and the semicolon at the end of the line.
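As an added example (not the lecture's own code), here is a small JavaScript simulation of what we just saw: a hypothetical filter that backslashes single quotes and nothing else, the assumed line the page emits inside its script tag, a scanner that finds where the string literal really ends, and a run of the generated script with a stand-in alert(). The function names, the `var searchTerm = '...'` line and the payload text are assumptions shaped after the lecture; the real lab's markup may differ.

```javascript
// Added example, not from the lecture. It models the server-side filter the
// lecture describes (a backslash is put in front of every single quote in the
// user's input, nothing else) and shows why a leading backslash in the payload
// lets the quote close the string anyway. Names, the payload text and the
// shape of the page's script line are assumptions.

// Hypothetical weak filter: escape single quotes only.
function weakEscape(input) {
  return input.replace(/'/g, "\\'");
}

// Hypothetical hardened filter: escape the backslash first, then the quote,
// so an attacker-supplied backslash can no longer swallow the added one.
function strongEscape(input) {
  return input.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
}

// Build the line of JavaScript the page emits inside its <script> tag
// (assumed form; the lab uses a similar single-quoted variable).
function buildScript(escapeFn, input) {
  return "var searchTerm = '" + escapeFn(input) + "';";
}

// Walk a single-quoted JS string literal that opens at index `open` and return
// the index of the closing quote, or -1 if it never closes. A backslash makes
// the following character part of the string, whatever that character is.
function findStringEnd(src, open) {
  for (let i = open + 1; i < src.length; i++) {
    if (src[i] === "\\") { i++; continue; } // escaped character: skip it
    if (src[i] === "'") return i;
  }
  return -1;
}

// Return whatever follows the string literal, i.e. the part the JS engine
// treats as code rather than as string contents (null if it never closes).
function codeAfterString(src) {
  const open = src.indexOf("'");
  const close = findStringEnd(src, open);
  return close === -1 ? null : src.slice(close + 1);
}

// Actually run the generated script with a stand-in alert() and report
// whether it fired. A syntax error counts as "did not fire".
function alertFires(src) {
  let fired = false;
  try {
    new Function("alert", src)(() => { fired = true; });
  } catch (e) {
    fired = false;
  }
  return fired;
}

// Constructed inputs: the payload from the previous lab, and the same payload
// with one extra backslash placed in front of the quote.
const PAYLOAD = "'; alert(1); //";
const BYPASS = "\\'; alert(1); //";

function demo() {
  const rows = [
    ["weak filter, plain payload", buildScript(weakEscape, PAYLOAD)],
    ["weak filter, backslash bypass", buildScript(weakEscape, BYPASS)],
    ["strong filter, backslash bypass", buildScript(strongEscape, BYPASS)],
  ];
  for (const [label, src] of rows) {
    console.log(label);
    console.log("  emitted:            " + src);
    console.log("  outside the string: " + JSON.stringify(codeAfterString(src)));
    console.log("  alert fired:        " + alertFires(src));
  }
}

demo();
```

Run it with node. With the weak filter, our leading backslash plus the one the filter adds become a single escaped backslash, so the quote that follows is live and `alert(1)` ends up outside the string. The fix is not to strip more characters but to escape the backslash itself before escaping the quote (the `strongEscape` function above), and preferably not to reflect user input into a script block at all. Note that even `strongEscape` does nothing about a `</script>` sequence in the input; the HTML parser acts on that before the JavaScript engine ever sees the string.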
