Tags » XSS

PentesterLab.com Web for Pentester I Course XSS Example 9

This example is a DOM-based XSS.  This page could actually be completely static and still be vulnerable.

In this example, you will need to read the code of the page to understand what is happening.

CTF

PentesterLab.com Web for Pentester I Course XSS Example 8

Here, the value echoed back in the page is correctly encoded.  However, there is still an XSS vulnerability in this page.  To build the form, the developer used and trusted PHP_SELF, which is the path provided by the user.

CTF

LinkedIn patches serious leak in its AutoFill plugin

LinkedIn has plugged a flaw in its AutoFill button that would have allowed a malicious website to harvest basic account data from your LinkedIn profile.

Privacy

PentesterLab.com Web for Pentester I Course XSS Example 7

This example is similar to the one before.  This time, you will not be able to use special characters since they will be HTML-encoded.  As you will see, you don’t really need any of these characters.

CTF

PentesterLab.com Web for Pentester I Course XSS Example 6

Here, the source code of the HTML page is a bit different.  If you read it you will see that the value you are sending is echoed back inside JavaScript code.

CTF

PentesterLab.com Web for Pentester I Course XSS Example 5

In this example, the script tag is accepted and gets echoed back, but as soon as you try to inject a call to alert, the PHP script stops its execution.

CTF

PentesterLab.com Web for Pentester I Course XSS Example 4

In this example, the developer decided to completely blacklist the word script:  if the request matches script, the execution stops.

Fortunately (or unfortunately depending on what side you are on), there are a lot of ways to get JavaScript to be run (non-exhaustive list):

CTF