Part 2 - PortSwigger - XSS Attack | Shahul Hameed



Lab 7: Reflected DOM XSS

    Description: Reflected DOM vulnerabilities occur when the server-side application processes data from a request and echoes the data in the response.

    Tool required: Burp Suite

Step 1: UI View


Step 2: In burp suite tool find a JSON file 


Step 3: We have a JSON file restricted with eval() function.


Step 4: To bypass eval() function using payload 

    \"-alert(1)}//

Step 5: Result


Lab 8: Stored DOM XSS

    Description: In an attempt to prevent XSS, the website uses the JavaScript replace() function to encode angle brackets. However, when the first argument is a string, the function only replaces the first occurrence. We exploit this vulnerability by simply including an extra set of angle brackets at the beginning of the comment. These angle brackets will be encoded, but any subsequent angle brackets will be unaffected, enabling us to effectively bypass the filter and inject HTML.

Step 1: Inject payload

    <><img src=1 onerror=alert(1)>

Step 2: Result


Lab 9: Reflected XSS with event handlers and href attributes blocked

    Description: This lab contains a reflected XSS vulnerability with some whitelisted tags, but all events and anchor href attributes are blocked.

    Note that you need to label your vector with the word "Click" in order to induce the simulated lab user to click your vector. For example: <a href="">Click me</a>

Step 1: 
    
    Inject payload  

         https://your-lab-id.web-security-academy.net/?search=%3Csvg%3E%3Ca%3E%3Canimate+attributeName%3Dhref+values%3Djavascript%3Aalert(1)+%2F%3E%3Ctext+x%3D20+y%3D20%3EClick%20me%3C%2Ftext%3E%3C%2Fa%3E



Step 2: Decode the payload



Step 3: Result


Lab 10: Reflected XSS with some SVG markup allowed

    Description: This lab has a simple reflected XSS vulnerability. The site is blocking common tags but misses some SVG tags and events.

Step 1: UI View
 

Step 2: Capture in burp suite tool 


Step 3:Send into intruder and clear it dollar symbol in all keywords.

    Clear $ 


Step 4: Add <$$>


Step 5: Now we go to brute force attack with payloads

    Note: Copy the clipboard from the cheat sheet and paste it into the burp suite payload set input box and start attack






Step 6: To the next brute force attack for onevent option in the payload.



Step 7: Finally we generate a payload from a brute force attack in the cheat sheet.

    Payload: %22%3E%3Csvg%3E%3Canimatetransform%20onbegin=alert(1)%3E

Decode as


Step 8: Result


Lab 11: DOM XSS in jQuery selector sink using a hash change event

    Description: This lab contains a DOM-based cross-site scripting vulnerability on the home page. It uses jQuery's $() selector function to auto-scroll to a given post, whose title is passed via the location.hash property.

    To solve the lab, deliver an exploit to the victim that calls the print() function in their browser.

    Solution:

  1. Notice the vulnerable code on the home page using Burp or your browser's DevTools.
  2. From the lab banner, open the exploit server.
  3. In the Body section, add the following malicious iframe:
    <iframe src="https://YOUR-LAB-ID.web-security-academy.net/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>
  4. Store the exploit, then click View exploit to confirm that the print() function is called.
  5. Go back to the exploit server and click Deliver to victim to solve the lab.

Step 1: UI View



Step 2: Click to Go to exploit the server and paste your lab id into the body URL. 



Step 3: Finally, Click the Deliver exploit to victim complete the lab.






Comments

Post a Comment

Popular posts from this blog

Burp Suite – Automated Vulnerabilities Findings

Image
  Burp Suite – Automated Vulnerabilities Findings Step 1:  Intercept with burp suite, which contains parameter values. Step 2: Forward the request to the Intruder option in Burp Suite. Step 3:  Set up the automated scan by right-clicking, selecting "Scan Defined Insertion Points" and opening the "Scan launcher". Step 4:  Wait until the scan is finished, and then check for the results with vulnerabilities. Step 5: Manual Validation
Read more

SQL Injection Attacks | Shahul Hameed

Image
Lab 1:   SQL injection UNION attack, determining the number of columns returned by the query Introduction      This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.      To solve the lab, determine the number of columns returned by the query by performing an  SQL injection UNION  attack that returns an additional row containing null values. Solutions: Use Burp Suite to intercept and modify the request that sets the product category filter. Modify the  category  parameter, giving it the value  '+UNION+SELECT+NULL-- . Observe that an error occurs. Modify the  ...
Read more

To use emulator(Using NOX emulator): Open Appie Application | Shahul Hameed

Image
To use emulator(Using NOX emulator): Open Appie Application Tools Requirements 1. Appie tool 2. Burp certificate 3. Frida Server Step 1: $ cd C:\Appie\bin\adt\sdk\platform-tools Step 4 – 6 One time steps we have to do for new devices or emulator. Step 2: $ .\adb.exe connect 127.0.0.1:62001 Step 3: $ adb devices Step 4: $ adb push fridasslandroot.js / data/local/tmp Step 5: $ adb shell chmod 777 / data /local/tmp/frida-server Step 6: $ adb push cacert.der /data/local/tmp/cert-der.crt Step 7: Run frida server $ adb shell /data/local/tmp/frida-server & Step 8: Open new tab in APPIE and execute below command: Finally you are unpinned and execute application in rooted mobile. $ frida -U -f <Your-Package-Name> -l C:\Appie\bin\adt\sdk\platform-tools\fridasslandroot.js --no-paus $ frida -U -f com.test.demo -l C:\Appie\bin\adt\sdk\platform-tools\fridasslandroot.js --no-paus
Read more