XSS Exploitation

Exe 1: DOM XSS in document.write sink using source location.search

  1. Enter a random alphanumeric string into the search box.
  2. Right-click and inspect the element, and observe that your random string has been placed inside an img src attribute.

  3. Break out of the img attribute by searching for:

    "><svg onload=alert(1)>

Payload: "><svg onload=alert(1)>






Exe 2: DOM XSS in innerHTML sink using source location.search

  1. Enter the following into the into the search box:

    <img src=1 onerror=alert(1)>
  2. Click "Search".

The value of the src attribute is invalid and throws an error. This triggers the onerror event handler, which then calls the alert() function. As a result, the payload is executed whenever the user's browser attempts to load the page containing your malicious post.                 

Payload: <img src=1 onerror=alert(1)>

Vulnerable Code:

<span id="searchMessage">test</span>
<script>
function doSearchQuery(query) {
  document.getElementById('searchMessage').innerHTML = query;
}
var query = (new URLSearchParams(window.location.search)).get('search');
if (query) {
  doSearchQuery(query);
}
</script>

Mitigation Code:

document.getElementById('searchMessage').textContent = query;



Exe 3: DOM XSS in jQuery anchor href attribute sink using location.search source
  1. On the Submit feedback page, change the query parameter returnPath to / followed by a random alphanumeric string.
  2. Right-click and inspect the element, and observe that your random string has been placed inside an a href attribute.

  3. Change returnPath to:

    javascript:alert(document.cookie)

    Hit enter and click "back".         

Payload: https://vulnerable-site.com/feedback?returnPath=javascript:alert(document.cookie)             


Exe 4: DOM XSS in jQuery selector sink using a hashchange event
  1. Hashchange does NOT require a page refresh.

  2. ✔️ It fires only when the hash changes, not when it’s initially loaded.

  3. ✔️ The lab exploit works by causing a hash change, not a reload.

In this lab the vulnerable source (location.hash) which should be reload initial payload will not be executed because it's not triggered in the sink (hash change jquery); hence use the iframe code to inital load iframe not executed after reload it execute the onload script. 

<iframe src="https://0ac800ea03ca226380220300009f001b.web-security-academy.net//#" onload="this.src+='<img src=x onerror=print()>'"></iframe>












Comments

Post a Comment

Popular posts from this blog

SQL Injection Attacks | Shahul Hameed

Image
Lab 1:   SQL injection UNION attack, determining the number of columns returned by the query Introduction      This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.      To solve the lab, determine the number of columns returned by the query by performing an  SQL injection UNION  attack that returns an additional row containing null values. Solutions: Use Burp Suite to intercept and modify the request that sets the product category filter. Modify the  category  parameter, giving it the value  '+UNION+SELECT+NULL-- . Observe that an error occurs. Modify the  ...
Read more

To use emulator(Using NOX emulator): Open Appie Application | Shahul Hameed

Image
To use emulator(Using NOX emulator): Open Appie Application Tools Requirements 1. Appie tool 2. Burp certificate 3. Frida Server Step 1: $ cd C:\Appie\bin\adt\sdk\platform-tools Step 4 – 6 One time steps we have to do for new devices or emulator. Step 2: $ .\adb.exe connect 127.0.0.1:62001 Step 3: $ adb devices Step 4: $ adb push fridasslandroot.js / data/local/tmp Step 5: $ adb shell chmod 777 / data /local/tmp/frida-server Step 6: $ adb push cacert.der /data/local/tmp/cert-der.crt Step 7: Run frida server $ adb shell /data/local/tmp/frida-server & Step 8: Open new tab in APPIE and execute below command: Finally you are unpinned and execute application in rooted mobile. $ frida -U -f <Your-Package-Name> -l C:\Appie\bin\adt\sdk\platform-tools\fridasslandroot.js --no-paus $ frida -U -f com.test.demo -l C:\Appie\bin\adt\sdk\platform-tools\fridasslandroot.js --no-paus
Read more

Pentest - Web Application Vulnerability Scanner | Shahul Hameed

Image
 W eb Application Vulnerability Scanner  Tool Name:  NUCLEI   Description      Nuclei are used to send requests across targets based on a template, leading to zero false positives and providing fast scanning on a large number of hosts. Nuclei offer to scan for a variety of protocols, including TCP, DNS, HTTP, SSL, File, Whois, Websocket, Headless, etc. With powerful and flexible templating, Nuclei can be used to model all kinds of security checks.           Nuclei are a fast, template-based vulnerability scanner focusing on extensive configurability , massive extensibility, and ease of use. Installation & Demonstration Usage:      CMD : nuclei -h Step 1:      Download and install before use nuclei Go lang in kali linux      CMD : sudo apt-get update & sudo apt-get upgrade      CMD: sudo apt-get install -y golang Step 2:      Download and in...
Read more