From Frustration to Exploitation: How a Link Shortener Helped Me Bypass WAF

Moaaz Afifi
3 min read · Dec 5, 2024


In the name of God. Lord, make this easy, grant Your help, and bestow sincerity, success and acceptance.

While hunting, have you ever been in a situation where you’re trying your best to execute a well-crafted payload, only to be met with a stern 403 Forbidden? I’ve been there, and it’s both infuriating and humbling. Let me take you through my journey of frustration, discovery, and ultimately triumph.

The Set-Up: The Perils of the Search Box

It all started with a site I was testing. The search functionality seemed like a promising candidate for an XSS vulnerability. Here’s the setup:

example.com/search?sw={my-payload}

I gleefully inserted my payload, ready to trigger some magic. But instead of seeing the fruits of my labor, I was greeted with a cold, heartless 403 Forbidden. The Web Application Firewall (WAF) was clearly not in the mood for my shenanigans. I tried tweaking my payload, obfuscating it, encoding it in every format imaginable, but the WAF was relentless. It felt like being trapped in an escape room where the only way out was a door marked “No Entry.”

The Twist: A Wild Link Shortener Appears!

Feeling defeated, I decided to take a break from the search functionality and explore other parts of the site, shifting my focus to other potential vulnerabilities like CSRF, LFI and so on, but I came up empty-handed.

Wait! I stumbled upon a rather handy feature: a built-in link shortener. It let users generate short links for any URL under the site’s domain, which improves the user experience by making long links shorter and simpler, since the site uses long path names. For example:

  1. If my path was:
    example.com/products/cake/daily-fresh/2024/cake-rasbperry-250gm-chocolate-nu-157689
  2. The short link would look like this:
    exomexo.io/123
  3. Visiting exomexo.io/123 would redirect me back to:
    example.com/profile/carts.

At first glance, it seemed harmless. Just another convenience feature, right? But my hacker instincts were tingling. Could this be the key to bypassing the WAF?

The Eureka Moment: Redirecting Around the WAF

An idea struck me: what if I used the link shortener to disguise my payload? Instead of hitting the WAF head-on, I could redirect through the short link service, which might not scrutinize the request as thoroughly. Here’s what I did:

  1. I generated a short link for my original XSS payload:
    example.com/search?sw={xss-payload}
  2. The short link came out as:
    exomexo.io/710Tofan
  3. When visiting exomexo.io/710Tofan, the link shortener redirected me to:
    example.com/search?sw={xss-payload}.
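A defender’s view of the gap described in the steps above, as an added example that is not code from the article: the shortener applies the same input inspection the search endpoint gets to the decoded destination when a short link is created, so a URL the WAF would reject cannot be stored and reached through the redirect instead. The host name, the short-code scheme and the payload pattern are constructed stand-ins, and targets are written with an explicit https:// scheme.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

SITE_HOST = "example.com"  # stand-in for the site's real host
# Constructed stand-in for the pattern a WAF applies to user input; real rule sets
# are larger. The point is running the same check when a short link is created.
PAYLOAD_RE = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.I)

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so double-encoded input is inspected too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def looks_like_payload(url: str) -> bool:
    """True if the decoded path, fragment or any query value trips PAYLOAD_RE."""
    parts = urlsplit(url)
    pieces = [parts.path, parts.fragment]
    pieces += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return any(PAYLOAD_RE.search(fully_decode(p)) for p in pieces)

def weak_shorten(store: dict, target: str) -> str:
    """Before: any same-host URL is stored, so a search URL the WAF blocks can be
    saved here and reached through the redirect instead."""
    if urlsplit(target).hostname != SITE_HOST:
        raise ValueError("off-site target")
    code = format(len(store) + 1, "x")  # constructed short-code scheme
    store[code] = target
    return code

def hardened_shorten(store: dict, target: str) -> str:
    """After: same-host check plus inspection of the decoded destination first."""
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.hostname != SITE_HOST:
        raise ValueError("off-site target")
    if looks_like_payload(target):
        raise ValueError("destination rejected by input inspection")
    code = format(len(store) + 1, "x")
    store[code] = target
    return code

def resolve(store: dict, code: str) -> Optional[str]:
    """Redirect side: the stored Location for a short code, or None if unknown."""
    return store.get(code)
```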

And Boooom!🎇 my XSS script fired off like rockets on the nights of October 7th🎉

Lessons Learned: Creativity Is Your Best Tool

  1. Think laterally. Sometimes the solution isn’t about brute-forcing your way through a WAF but finding a creative workaround.
  2. Understand the application’s functionality. Features like link shorteners might seem innocuous but can have unintended security implications.

Final Thoughts

The next time you’re stuck battling a WAF, take a step back, explore the site, and maybe — just maybe — you’ll find your “exomexo moment.”

Happy hacking! 🎯

O God, teach us what benefits us and let us benefit from what You have taught us, and may God’s blessings and peace be upon our master Muhammad, his family and his companions.

LinkedIn: imooaaz

X: imooaaz

Written by Moaaz Afifi

Offensive Security Researcher | Bug Hunter