Theo's Typesafe Cult
Created by 0xmlt on 7/30/2023 in #questions
bug bounty - escalating HTMLi without XSS?
Hi all,
Not sure if this is the right place to ask, but I'm trying a bunch of tech servers.
I've currently got an HTML injection in a bug bounty target; however, their WAF + CSP is preventing me from escalating it to XSS. Regular HTMLi is out of scope, so I need to demonstrate impact in some way. I can't use iframes because X-Frame-Options is set to 'DENY', and I'm starting to think XSS is out of the question entirely: all known event handlers are blacklisted, as are a bunch of HTML tags and attributes like src= or href=. Even the < and > chars were blacklisted, but I managed to get a WAF bypass and inject HTML chars without getting blacklisted via double-URL-encoding HTML char escape sequences. I've tried similar techniques with event handlers etc. to attempt to get XSS, but no use; plus, even if I were to bypass the WAF to get XSS, they've got a solid CSP in place.
So I've given up on the idea of XSS, and now I'm wondering if I can escalate the HTMLi some other way. So far I've attempted:
- HTMLi --> CSSi --> Leaked PII
- HTMLi --> Dangling Markup Injection --> Leaked PII
- HTMLi --> DOM Clobbering --> DOM XSS
However, I'm not having any luck with any of my attempts. Is anyone able to come up with any other ideas as to how I could escalate an HTML injection without XSS? Spear-phishing pages are out of the question; they're not accepting that as a valid impact. Do I have any chance at all here?
12 replies
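The double-URL-encoding bypass the poster describes works because the WAF and the application decode the parameter a different number of times. The following is an added example, not code from the thread, the poster, or the target: it models a hypothetical WAF that URL-decodes once and blocklists markup, a hypothetical backend that decodes twice and reflects the value unescaped, and a hardened WAF that decodes to a fixed point before inspecting. All function names, the blocklist and the sample payload are constructed for illustration.

```javascript
// Added example (not from the thread): single-decode WAF vs. double-decode
// backend, the mismatch behind a double-URL-encoding bypass. Hypothetical names.

// Constructed blocklist mirroring what the post describes as filtered:
// angle brackets, event-handler attributes and URL-carrying attributes.
const BLOCKLIST = [
  /[<>]/,                 // raw angle brackets
  /\bon[a-z]+\s*=/i,      // onerror=, onload=, ...
  /\b(?:src|href)\s*=/i,  // attributes that can carry a URL
];

function looksLikeMarkup(s) {
  return BLOCKLIST.some((re) => re.test(s));
}

// Hypothetical WAF: URL-decodes the parameter exactly once and inspects that.
function wafAllows(rawParam) {
  return !looksLikeMarkup(decodeURIComponent(rawParam));
}

// Hypothetical backend: the framework decodes once, a helper decodes again,
// and the result is interpolated into HTML without escaping (the HTMLi sink).
function backendRenders(rawParam) {
  const twice = decodeURIComponent(decodeURIComponent(rawParam));
  return `<p class="greeting">Hello, ${twice}!</p>`;
}

// Hardened WAF: decode until the value stops changing (bounded), so every
// encoding layer the backend could strip has already been stripped here.
function wafAllowsFixed(rawParam, maxRounds = 5) {
  let cur = rawParam;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch {
      return false; // malformed percent-encoding: reject rather than guess
    }
    if (next === cur) break;
    cur = next;
  }
  return !looksLikeMarkup(cur);
}

// Encode a payload n times, as a tester does when probing decode depth.
function urlEncodeTimes(s, n) {
  let out = s;
  for (let i = 0; i < n; i++) out = encodeURIComponent(out);
  return out;
}

// One probe at a given encoding depth: what the WAF decides and what the
// backend would actually render.
function probe(payload, rounds) {
  const raw = urlEncodeTimes(payload, rounds);
  return {
    raw,
    wafAllowed: wafAllows(raw),
    hardenedAllowed: wafAllowsFixed(raw),
    rendered: backendRenders(raw),
  };
}

// Walk depths 1..3 with the same harmless payload; only the depth that
// matches the backend's decode count both passes the WAF and lands as markup.
for (const n of [1, 2, 3]) {
  const r = probe('<b>hi</b>', n);
  console.log(`depth ${n}: ${r.raw} | waf: ${r.wafAllowed} | hardened: ${r.hardenedAllowed} | -> ${r.rendered}`);
}
```

At depth 1 the WAF sees `<` and blocks; at depth 2 it sees only `%3C` and allows, while the backend renders `<b>hi</b>`; at depth 3 the WAF allows but the backend renders a still-encoded string, which is how a tester finds the exact decode depth. Note this only reproduces the HTML injection the post already has: a CSP that the poster describes as solid still governs whether any injected markup can execute script, so the bypass does not on its own change the impact question the thread is asking.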