Professional Documents
Culture Documents
Save
One day I was working on Swisscom’s bug bounty program and I found a subdomain
let’s call now redacted.swisscom.ch
I looked at the parameters they were safe from XSS and removed most of the malicious
characters. I thought this is impossible but I kept in mind since the website is using a
technology I like.
One day I saw Goat Sniff’s video about one of the Intigriti’s XSS challange
(https://www.youtube.com/watch?v=aUsAHb0E7Cg) where he could get an exploit
via unicode characters. This was interesting approach for me and I looked back
redacted.swisscom.ch to try out.
The site was not vulnerable for this type of XSS but I tried some emojis and the
interesting thing was that I’ve got back “ and ‘ characters from the � emoji. Actually
the whole string was: d”Y’”
I did a search what this means and suddenly found this github page in one of my
searches: https://github.com/iorch/jakaton_feminicidios/blob/master
/data/emojis.csv
It turned out based on this github page I can also inject < > and as I said previously “
and ‘ characters was also possible.
1 of 3 17-08-2022, 14:17
How I found an XSS vulnerability via using emojis | by Patrik Fabian | ... https://medium.com/@fpatrik/how-i-found-an-xss-vulnerability-via-usi...
I was also interested in what happend on the backend side of this site so I tried to make
a simple web page with the same vulnerability. It turned out that the server after
removing the malicious characters converted the UTF-8 string from Windows-1252 to
UTF-8 (basically the input encoding and the convert from encoding mismatched). Then
this does not give a proper < just a weird unicode one: ‹
So they took this output and converted again now from UTF-8 ot ASCII. This
normalized the ‹ to < this is how the exploit could work on that system.
<?php
320 4
2 of 3 17-08-2022, 14:17
How I found an XSS vulnerability via using emojis | by Patrik Fabian | ... https://medium.com/@fpatrik/how-i-found-an-xss-vulnerability-via-usi...
3 of 3 17-08-2022, 14:17