Reflected XSS on demo.microweber.org/demo/module/ in microweber/microweber
Apr 21st 2022
Reflected XSS with filter bypass on /demo/module/ using module= & style= parameters.
Proof of Concept
Press tab for the alert() to show up.
Okay 3 things to unpack here:
- " and ' at various places allow breaking out of the html (root cause of the XSS)
- ont<x>ransitionend gets sanitized to ontransitionend and bypasses the xss filter
- style="transition:outline 1s" tabindex=1 is the setup you need to trigger a transition without a <style> tag
Took me some time to finally find a XSS payload that runs here :)
I'd suggest you do not allow breaking out of the html here, so filter ' & ". ont<x>ansitionend should be examined, this trick doesn't work in every parameter. Additionally, some js eventhandlers are allowed e.g. onunhandledrejection, you could think about a on.*= regex.
It's the only payload I found working, you might need to press "tab" but there is probably a paylaod that runs without user interaction.