Part 2 - PortSwigger - XSS Attack | Shahul Hameed



Lab 7: Reflected DOM XSS

    Description: Reflected DOM vulnerabilities occur when the server-side application processes data from a request and echoes the data in the response.

    Tool required: Burp Suite

Step 1: UI View


Step 2: In burp suite tool find a JSON file 


Step 3: We have a JSON file restricted with eval() function.


Step 4: To bypass eval() function using payload 

    \"-alert(1)}//

Step 5: Result


Lab 8: Stored DOM XSS

    Description: In an attempt to prevent XSS, the website uses the JavaScript replace() function to encode angle brackets. However, when the first argument is a string, the function only replaces the first occurrence. We exploit this vulnerability by simply including an extra set of angle brackets at the beginning of the comment. These angle brackets will be encoded, but any subsequent angle brackets will be unaffected, enabling us to effectively bypass the filter and inject HTML.

Step 1: Inject payload

    <><img src=1 onerror=alert(1)>

Step 2: Result


Lab 9: Reflected XSS with event handlers and href attributes blocked

    Description: This lab contains a reflected XSS vulnerability with some whitelisted tags, but all events and anchor href attributes are blocked.

    Note that you need to label your vector with the word "Click" in order to induce the simulated lab user to click your vector. For example: <a href="">Click me</a>

Step 1: 
    
    Inject payload  

         https://your-lab-id.web-security-academy.net/?search=%3Csvg%3E%3Ca%3E%3Canimate+attributeName%3Dhref+values%3Djavascript%3Aalert(1)+%2F%3E%3Ctext+x%3D20+y%3D20%3EClick%20me%3C%2Ftext%3E%3C%2Fa%3E



Step 2: Decode the payload



Step 3: Result


Lab 10: Reflected XSS with some SVG markup allowed

    Description: This lab has a simple reflected XSS vulnerability. The site is blocking common tags but misses some SVG tags and events.

Step 1: UI View
 

Step 2: Capture in burp suite tool 


Step 3:Send into intruder and clear it dollar symbol in all keywords.

    Clear $ 


Step 4: Add <$$>


Step 5: Now we go to brute force attack with payloads

    Note: Copy the clipboard from the cheat sheet and paste it into the burp suite payload set input box and start attack






Step 6: To the next brute force attack for onevent option in the payload.



Step 7: Finally we generate a payload from a brute force attack in the cheat sheet.

    Payload: %22%3E%3Csvg%3E%3Canimatetransform%20onbegin=alert(1)%3E

Decode as


Step 8: Result


Lab 11: DOM XSS in jQuery selector sink using a hash change event

    Description: This lab contains a DOM-based cross-site scripting vulnerability on the home page. It uses jQuery's $() selector function to auto-scroll to a given post, whose title is passed via the location.hash property.

    To solve the lab, deliver an exploit to the victim that calls the print() function in their browser.

    Solution:

  1. Notice the vulnerable code on the home page using Burp or your browser's DevTools.
  2. From the lab banner, open the exploit server.
  3. In the Body section, add the following malicious iframe:
    <iframe src="https://YOUR-LAB-ID.web-security-academy.net/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>
  4. Store the exploit, then click View exploit to confirm that the print() function is called.
  5. Go back to the exploit server and click Deliver to victim to solve the lab.

Step 1: UI View



Step 2: Click to Go to exploit the server and paste your lab id into the body URL. 



Step 3: Finally, Click the Deliver exploit to victim complete the lab.






Comments

Post a Comment

Popular posts from this blog

Using Burp Suite - Brute Force payloads using XSS Validator(Extension) | Shahul Hameed

Image
XSS Brute Force Payloads using Burp Suite  Step 1: Get the parameter variable from the scope URL. Step 2: Intercept the parameter value using the burp suite application as shown in the below screenshot. Step 3: Clear and add the variable position which goes to perform an attack on the brute force of XSS payloads. Step 4: Install xssValidator extension in the burp suite and we can also add custom payloads in the below payloads box. Step 5: Set the following options in the Payloads option. Step 6: In Intruder clear, the Grep-Match and Grep-Payloads checked option search responses for payload strings. Step 7: Copy the grep phase from xssValidator and paste it into the intruder grep-match. Step 8: Unchecked the option from the payload encoding. Step 9: Start the attack and check the results with the grep value is 1 manually in the web browser which exploited the XSS attack payload.
Read more

Janus Vulnerability Exploitation

Image
  Janus Vulnerability(Exploitation) In brief, Applications that are signed only with v1 when installed on devices having an android version(5.0–8.0) are vulnerable to Janus Vulnerability. Step 1: Use the  apksigner tool and verify the signature v1 is only true , Hence it's highly possible to exploit the Janus vulnerability in the android application. CMD: apksigner verify -verbose h5.apk(Victim app) Before that we need to make sure that this application can be made to run on vulnerable Android versions  5.x, 6.x, 7.x & 8.0 (i.e., api level 21–26). Step 2:  Now let's check with min android version running on the application use apktool . CMD: apktool -s d H5.apk && cat H5/apktool.yml | grep minSdk The below application can be run on API Level 15(Android 4.0.4 Ice Cream Sandwich), so we can choose any device from  5.x, 6.x, 7.x & 8.0  to exploit it. A serious vulnerability in Android allows attackers to inject a DEX file into an APK file without affecting the sig
Read more

SQL Basics | Shahul Hameed

Image
  SQL _Queries   Resource: https://balanced-quince-db1.notion.site/SQL-7347f5956fe347f887b4132c716cd236#17bc403a1add453db519621da47c1de3 Database queries CREATE DATABASE LOGICFIRST; -- creates a new database -- TO DELETE A DATABASE DROP DATABASE LOGICFIRST; DROP SCHEMA LOGICFIRST; -- same as above. u can use DATABASE Or SCHEMA DROP SCHEMA IF EXISTS LOGICFIRST; -- prevents error if db not found   SHOW DATABASES; -- shows all the databases SHOW SCHEMAS; -- same as above. shows schemas/db   USE SYS; -- uses this database for all further commands SHOW TABLES;-- shows all tables in the database being used Table - Create,Delete,Alter primary key - uniquely identifies a row in a table //creating a table CREATE TABLE student(                id INT PRIMARY KEY,     name VARCHAR(30),     gpa DECIMAL(3,2) ); -- ----or----- CREATE TABLE student(                id INT,     name VARCHAR(30),     gpa DECIMAL(3,2),     PRIMARY KEY(id) );  
Read more