[Part 1] What is XSS and Example of Filters & Bypasses

-

Hi again XD and another topic in this one we will talk about Cross Site-Scripting (XSS).

What is XSS?


 it's a type of injection bugs which enables the attackers to inject Client-Side scripts into the web page, there are two common types of XSS:
Reflected XSSworks where the malicious string originates from the victim's request, the second one 

 Stored XSS: works where the malicious string originates from the website's database.

 DOM-based XSS: works where the vulnerability is in the client-side code rather than the server-side code.

How to exploit XSS?


 let's start with basic XSS and go over to some XSS filters and bypasses, now if we have a link like that

http://example.com/path/urname.php?name=flex

 the response on the web page will be Welcome flex if we try to inject a JS script on the parameter name like

 <script>alert('XSS')</script>

 if I add it to the parameter name the website will take and print it on the web page and the JS script will be executed on the page and alert XSS and this the basic XSS, this is a basic vulnerable PHP code

 <?php

 echo "Welcome ".$_GET['name'];

 ?>

 About filters and bypasses let's talk about the first one is the block list when you try to execute XSS payload like

 <svg onload=alert(1337)>

 some websites add a blocklist to block alert what can I use in this case? you can replace it with 

 prompt
confirm
write

 these three can do the same but write will delete the page content and add the value, now there is another thing if this ( ) blocked what I can use? you can replace it with ` ` and it will work but it will not get the documents information like domain and cookies, what if all of them deleted? you can easily get an external file using

 <script src="link_to_js_file"></script>

the JS file should include the code that you want to execute on the victim and the website will use it when you add the above script.

 what if the script tag is blocked? you can use other tags and these tags use a specific event for example:

 <svg onload=js_code_here>
<img src=x onerror=js_code_here>
<marquee onstart=js_code_here>anything_here

 these tags aren't the only tags you can use there is a lot and you can create your own payload to exploit XSS not all XSS like each other.

 there is an XSS on links like a tag or iframe tag how is that? by using the javascript protocol, how is that? look with me, if I used this tag

 <a href="javascript:alert(1337)">click here</a>

 the URL of this word click here is javascript:alert(1337) what is that? try to write it on your browser it will pop-up with 1337 this is a protocol for javascript so anyone will clock on this word click here the JS code will be executed on him, there is another tag it's iframe which includes a file or website content on the web page, what if I added the javascript protocol? right it will execute the JS code and the payload is

 <iframe src=javascript:alert(1337)>

 it will pop-up with 1337.

 in the end, this is not all of the filters and bypasses it just the beginning and I will say it again you can create your own payload and soon I will write Part 2 of this topic with more filters and bypasses and real XSS bugs I found.

 see you soon, Goodbye.

Comments

Post a Comment

Popular posts from this blog

Exploit & Debug Looney Tunables CVE-2023-4911 Local Privilege Escalation in the glibc's ld.so

-
Image
Hoi, let's try to debug and explain CVE-2023-4911 which is a buffer overflow in the glibc loader my debugging and exploit tested on Ubuntu 22.04.2 (Jammy Jellyfish), you can read the analysis and more information from the Qualys Security writeup . POC to check if you are vulnerable or not env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help My exploit POC video takes 5m but I speeded up the video Preparing let's disable ASLR and debug our exploit echo 0 | sudo tee /proc/sys/kernel/randomize_va_space you have to know (from qualys security): On Linux, the stack is randomized in a 16GB region, and our environment strings can occupy up to 6MB (_STK_LIM / 4 * 3, in the kernel's bprm_stack_limits()): after 16GB / 6MB = 2730 tries we have a good chance of guessing the address of our environment strings. using the buffer overflow vulnerability in the tunables we will overflow the link_map struct wh
Read more

Lets Analysis STM32F103 Chip Firmware from Attify

-
Image
( بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ ) Let's start our blog. As we know any IoT device should have a firmware to run it and there is a thought that it is secure by default because it is in a board, but we know that we can dump this firmware, our firmware know is already shared with us something like training to learn basics of reversing firmware. you can download the firmware from here . if we run the file command on the firmware we will find this "STM32F103C-firmware.bin: data" and if we try to get the architecture using binwalk it will return empty result "binwalk -A STM32F103C-firmware.bin" but we don't need this because it is a famous chip and we can know what we want from google. After searching for the chip name STM32F103C we will open its default page you will know that it run using "ARM Cortex M3" we will need that later, it is time to analysis using Ghidra. Analysis Dropping the firmware file to Ghidra but it will not detect anything
Read more

Using CSRF I Got Weird Account Takeover

-
Image
Hi guys, I'm back again this bug was interesting and weird let's start. let's refer to the target's name as (target.com) I start to test the domain like what I do in my testing, I used sublist3r to enumerate the subdomains, in one of these subdomains I start to test the password reset function I sent a request to my email to change the password, i opened the link and sent the request to change the password but i used my Burp to see the request and it looks like that there is a token for CSRF I tested this token and deleted it but the change happens, that means there is no filtring for this token there is a CSRF bug here and there is another thing the token of reset password not in the request not in the cookies or in the body so i think it's in the sessions and how i knew that? I test the function of reset password I sent another link to my account and i sent the same request but it returns 403, I opened the new reset link bug didn't use it and I go b
Read more