Part 1- Portswigger - Xss Attacks | Shahul Hameed

 

Lab 1: Reflected XSS into HTML context with nothing encoded    

    Description: This lab contains a simple reflected cross-site scripting vulnerability in the search function it reflected on the client-side.

Step 1: UI view


Step 2: Query pass in URL


Step 3: Inject payload to get attack

  Payload :  <script>alert(1)</script>

Step 4: Result

Lab 2: Stored XSS into HTML context with nothing encoded

    Description: This lab contains a stored cross-site scripting vulnerability in the comment functionality it is reflected on the server-side.

Step 1: UI view


Step 2: Inject payload in the Comment section and to get attack 


Step 3: Go back to comment section 


Lab 3: DOM XSS in document.write sink using source location.search

    Description: This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search, which you can control using the website URL.

Solutions:

    1. 1. Enter a random alphanumeric string into the search box.
    2. 2. Right-click and inspect the element, and observe that your random string has been placed inside an img src attribute.
    2. 3. Break out of the img attribute by searching for: "><svg onload=alert(1)>

Step 1: UI view


Step 2: Inspect that "Google" word and find the image which has the same keyword in src image tag.


Step 3: Inject payload using svg format

    "><svg onload=alert(1)>



    Note: Note: To escape from the attribute and from the tag (then you will be in the raw HTML) and create new HTML tag to abuse: "><img [...]



Step 4 : Payload attacked



Lab 4: DOM XSS in document.write sink using source location.search inside a select element

    Description: This lab contains a DOM-based cross-site scripting vulnerability in the stock checker functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search which you can control using the website URL. The data is enclosed within a select element.

Step 1: UI view


Step 2: Inspect that stock availability units




Step 3: Inject payload

    product?productId=1&storeId="></select><img%20src=1%20onerror=alert(1)>

  Decode as:

    "></select><img src=1 onerror=alert(1)>"></select><img src=1 onerror=alert(1)>

Step 4: Result


Lab 5: DOM XSS in innerHTML sink using source location.search

    Description: This lab contains a DOM-based cross-site scripting vulnerability in the search blog functionality. It uses an innerHTML assignment, which changes the HTML contents of a div element, using data from location.search.

Step 1: UI view



Step 2: Inject payload : 
    
    <img src=1 onerror=alert(1)>



Step 3: Result 



Lab 6: DOM XSS in jQuery anchor href attribute sink using location.search source

    Description: This lab contains a DOM-based cross-site scripting vulnerability in the submit feedback page. It uses the jQuery library's $ selector function to find an anchor element, and changes its href attribute using data from location.search.

To solve this lab, make the "back" link alert document.cookie.


Step 1: UI view






Step 2: Write some random word after URL => / and Inspect that back button in UI



Step 3: Inject payload

    javascript:alert(document.cookie)


Step 4: Result payload injected successfully









Comments

Post a Comment

Popular posts from this blog

Using Burp Suite - Brute Force payloads using XSS Validator(Extension) | Shahul Hameed

Image
XSS Brute Force Payloads using Burp Suite  Step 1: Get the parameter variable from the scope URL. Step 2: Intercept the parameter value using the burp suite application as shown in the below screenshot. Step 3: Clear and add the variable position which goes to perform an attack on the brute force of XSS payloads. Step 4: Install xssValidator extension in the burp suite and we can also add custom payloads in the below payloads box. Step 5: Set the following options in the Payloads option. Step 6: In Intruder clear, the Grep-Match and Grep-Payloads checked option search responses for payload strings. Step 7: Copy the grep phase from xssValidator and paste it into the intruder grep-match. Step 8: Unchecked the option from the payload encoding. Step 9: Start the attack and check the results with the grep value is 1 manually in the web browser which exploited the XSS attack payload.
Read more

Janus Vulnerability Exploitation

Image
  Janus Vulnerability(Exploitation) In brief, Applications that are signed only with v1 when installed on devices having an android version(5.0–8.0) are vulnerable to Janus Vulnerability. Step 1: Use the  apksigner tool and verify the signature v1 is only true , Hence it's highly possible to exploit the Janus vulnerability in the android application. CMD: apksigner verify -verbose h5.apk(Victim app) Before that we need to make sure that this application can be made to run on vulnerable Android versions  5.x, 6.x, 7.x & 8.0 (i.e., api level 21–26). Step 2:  Now let's check with min android version running on the application use apktool . CMD: apktool -s d H5.apk && cat H5/apktool.yml | grep minSdk The below application can be run on API Level 15(Android 4.0.4 Ice Cream Sandwich), so we can choose any device from  5.x, 6.x, 7.x & 8.0  to exploit it. A serious vulnerability in Android allows attackers to inject a DEX file into an APK file without affecting the sig
Read more

SQL Basics | Shahul Hameed

Image
  SQL _Queries   Resource: https://balanced-quince-db1.notion.site/SQL-7347f5956fe347f887b4132c716cd236#17bc403a1add453db519621da47c1de3 Database queries CREATE DATABASE LOGICFIRST; -- creates a new database -- TO DELETE A DATABASE DROP DATABASE LOGICFIRST; DROP SCHEMA LOGICFIRST; -- same as above. u can use DATABASE Or SCHEMA DROP SCHEMA IF EXISTS LOGICFIRST; -- prevents error if db not found   SHOW DATABASES; -- shows all the databases SHOW SCHEMAS; -- same as above. shows schemas/db   USE SYS; -- uses this database for all further commands SHOW TABLES;-- shows all tables in the database being used Table - Create,Delete,Alter primary key - uniquely identifies a row in a table //creating a table CREATE TABLE student(                id INT PRIMARY KEY,     name VARCHAR(30),     gpa DECIMAL(3,2) ); -- ----or----- CREATE TABLE student(                id INT,     name VARCHAR(30),     gpa DECIMAL(3,2),     PRIMARY KEY(id) );  
Read more