I have been reading several proofs of concept for XSS and found some interesting blog posts. Among them, I saw an interesting method to trigger XSS in a 403 Forbidden page.
403 is an HTTP status code. In general, status codes tell the client what went wrong when a requested page does not load properly.
Example: 500 Internal Server Error indicates that an error occurred on the server side.
In the same way, HTTP error 403 indicates that the user currently viewing the page does not have sufficient permission to access it.
The page may be visible only to administrators or editors of that site. Even pages like these may be vulnerable to Cross Site Scripting (XSS).
Here I will share 2 POCs which I found interesting.
To know more about XSS (cross site scripting):
This method was discovered from the POC shared by Nur A Alam Dipu during his testing of a private website.
It is worth mentioning here that XSS payloads can also be executed through cookie parameters.
When a value from a cookie is reflected in the response, there is a possibility of a reflected Cross Site Scripting attack.
Even 403 Forbidden pages reflect some cookies, and these can be leveraged for an attack. For example, look at the request and response below.
HTTP request:
GET /error403 HTTP/1.1
User-Agent: Mozilla/5.0 Firefox/52.0
Cookie: RT=wrfsarkj; GA_countryCode=AKRdddd";
HTTP response (a JavaScript object in the response body):
'session_status' : "session_undefined",
'page_name' : 'Error 403',
'page_category' : 'HTTP Error',
'country_code' : "AKRdddd",
'current_domain' : window.location.host,
'channel_id' : "9631",
As you can see above, the country code from the cookie is reflected into the response, so an attacker can test XSS payloads here.
Sometimes the website sanitizes the input: while using an XSS payload, the website may strip some characters and reflect the rest.
In that case we can use encoded payloads or some other ultra-short XSS payloads that use very few characters.
For example, "-prompt`1`-"// is enough to trigger an XSS prompt. This is how we can trigger XSS in 403 Forbidden pages.
I have read another XSS POC which was found on Google's main domain, google.com.
The URL http://www.google.com/url?q= is used to redirect users to other websites.
If an incorrect URL is loaded, Google shows a 404 Not Found page or a 403 page.
In the past, both pages lacked a charset encoding header in the HTTP response. Because the charset was not declared, an XSS attack could be carried out with UTF-7 encoded payloads.
Although this payload does not affect most browsers, it affected Internet Explorer on a large scale. Google patched this after receiving the report.
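To make the two weaknesses above concrete from the defender's side, here is an added Node.js model (not code from either POC or from the sites involved) of a 403 page that reflects the GA_countryCode cookie into an inline script, once as the vulnerable target behaved and once hardened with context-aware encoding plus an explicit charset; the function names and the surrounding markup are assumptions made for this illustration.

```javascript
// Added example, not from the original post. Models a 403 error page that
// reflects the GA_countryCode cookie into a JavaScript object in the body.
// The payload constant is the one quoted in the post; everything else is
// constructed here to show why blacklist stripping is not the fix.

const XSS_PAYLOAD = '"-prompt`1`-"//'; // short payload quoted in the post

// Encode a value for use INSIDE a JavaScript string literal. JSON.stringify
// escapes quotes and backslashes; the extra replace also escapes < > U+2028
// U+2029 so the literal can neither terminate </script> nor break a line.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Build the 403 response. hardened=false reproduces both weaknesses from the
// post: raw concatenation into the script, and no charset on Content-Type
// (the missing charset is what made the UTF-7 trick possible on Google).
function buildErrorResponse(countryCode, hardened) {
  const encoded = hardened ? jsStringLiteral(countryCode) : '"' + countryCode + '"';
  const body = [
    '<script>',
    'var pageData = {',
    "  'session_status' : \"session_undefined\",",
    "  'page_name' : 'Error 403',",
    "  'country_code' : " + encoded + ',',
    "  'channel_id' : \"9631\"",
    '};',
    '</script>',
  ].join('\n');
  const headers = {
    'Content-Type': hardened ? 'text/html; charset=utf-8' : 'text/html',
  };
  return { status: 403, headers, body };
}

// Defensive check: the reflected value must still be one complete string
// literal. After the 'country_code' key, the line has to parse as a single
// JSON string followed by the trailing comma and nothing else.
function valueStaysInString(body) {
  const m = body.match(/'country_code' : (.*),$/m);
  if (!m) return false;
  try { return typeof JSON.parse(m[1]) === 'string'; } catch (e) { return false; }
}
```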