Blog
This is an up-to-date blog that focuses on cybersecurity. I regularly publish write-ups for Portswigger Web Security Academy labs. In addition, I plan to publish more blog posts about bug bounty and various security topics in the near future.
Reflected XSS with AngularJS expression escape and CSP
The first step of the payload is to set the location property which is a built-in JavaScript object that represents the URL of the current page, and setting it to a new URL is constructed using a template string that includes the following components...
Reflected XSS with AngularJS Sandbox Escape without Strings
View the page source and observe that your canary is between the angularJS script. Remember that you are dealing with angularJS sandbox, that means regular attack vectors are not going to work. For being able to deliver a successfull XSS attack you have to bypass the angularJS sandbox.
How To Install Windows 10 On An External Hard Drive
I am not completely against to use dual-boot as a solution but if you are just low on disk space , using dual-boot as a solution can be annoying. So if you are looking for another solution, you are at the right place.
Stored XSS into Onclick Event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
Try to inject another input to the Website input field. But this time make sure you use single quotes in your input, then observe single quotes has been escaped by backslash.
Stored XSS into HTML Context with Nothing Encoded
After landing the home page of the lab instance go to one of the blogposts. Enter a common XSS payload in the comment-box. Fill out the other boxes as you wish.
Stored XSS into Anchor href Attribute with Double Quotes HTML-encoded
From the above picture, you can observe that the input you have given in the website labeled field, is directly used in the href value without proper input sanitization. Thanks to that you can inject a paylaoad like the following
Stored DOM XSS
The replace() method searches a string for a value or a regular expression. The replace() method returns a new string with the value(s) replaced. Critical point is, replace() method only replaces the given string(s) first occurence.
Reflected XSS with Some SVG Markup Allowed
As the lab dictates you can observe this payload gets blocked. You need to find a valid tag in order to deliver a successfull attack. One way to do this is testing the tags manually one by one or you can choose a better way which is fuzzing the tag names with Burp Intruder.
Reflected XSS with Event Handlers and href Attributes Blocked
First we need to search for a valid HTML tag.I assume you know how to do that process(you should have been solved previous labs before than that) but if you are not comfortable about how to do it, you can visit this link.
Reflected XSS into HTML context with nothing encoded
Write a basic alert script in the box, like the following and click the search button.
Reflected XSS into HTML Context with most tags and attributes blocked
Try to inject a usual alert() script such as but it is not going to work. Because website has WAF(Web Application Firewall), so you need to figure out how to bypass it.
Reflected XSS into HTML context with all tags blocked except custom ones
From the lab description you can understand all tags are blocked. However, it might be possible to craft custom tags and use it to create a successfull payload.
Reflected XSS into Attribute with Angle Brackets HTML-Encoded
Submit a random alphanumeric string in the search box. Go to the Burp's HTTP History and send that request to Burp Repeater.Observe that the random string has been reflected inside a quoted attribute.
Reflected XSS into a Template Literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
Here is the real deal, your input is inside the template literals and that means it is possible to inject embedded expressions via using ${} syntax. Also remember that single quotes are just normal characters inside of literals(`), due to that your input is going to work like a charm.
Reflected XSS into a JavaScript String with Single Quote and Backslash Escaped
This time, try sending the previous payload by adding single quote to beginning of it. Also know that, this technique is used for breaking out of the string, however your single quote is going to get backslashed-escaped.
Reflected XSS into a JavaScript String with Angle Brackets HTML Encoded
After the landing page is loaded, go to searchbox in the website. Submit a random alphanumeric string in the search box. Go to the Burp's HTTP history and send the relevant request to the Burp Repeater.
Reflected XSS into a Javascript String with Angle Brackets and Double Quotes Html-Encoded and Single Quotes Escaped
However, developer who implemented the logic made a huge mistake and forgot to escape the backslash(\) characters itself, so that means you can escape backslash by using another backslash. After that single quote will be used as string terminator and it will caused alert() function to be called.
Reflected XSS in Canonical Link Tag
A canonical URL is the URL of the best representative page from a group of duplicate pages, according to Google. For example, if you have two URLs for the same page (such as example.com? dress=1234 and example.com/dresses/1234 ), Google chooses one as canonical.
Reflected XSS in a JavaScript URL with some characters blocked
However, you cannot use these alternative payloads in this situation because you are not allowed to use white spaces and some characters are literally banned. That s why, in order to filling the white spaces you need to use multi-line comment feature(/***/). It is possible use /***/ statement for both opening and closing a comment line on the same line.
Reflected DOM XSS
Either open the searchResults.js file from the Sitemap, or after you landed on the home page view the page source and click to searchResults.js link. Examine the javascript code and observe that this.response(response text) passed into the eval() function call.
Exploiting Cross-Site Scripting to Steal Cookies
So it is time to taking the next step which is exploiting the vulnerability. Basically, you can use the fetch API to cause DNS resolving and sending a HTTP request to your exploit server(in this case burp collaborator) for the users who visits the blogpage.
Exploiting Cross-site Scripting to Capture Passwords
You can also examine the username and password field by going back to blogpost. Now, only thing you need to do is waiting for the user interaction.
Dom XSS In Jquery Selector Sink Using A Hashchange Event
In order to deliver a successfull XSS attack, you need to manipulate the scroll action into a field that you control. It is possible to that via creating iframe tags with the onload event handler.
Dom XSS In Jquery Anchor Href Attribute Sink Using Location.Search Source
Observe that in the searchbar there is a parameter that called returnPath, keep that in my mind. View the page source and realize jquerys $ selector and attr() function is used in order to receive returnPath parameter.
DOM XSS in innerHTML Sink Using Source location.search
Remember the information about the inner.HTML sink, according to that modern browsers are not allowing to use script tags and svg tags inside inner.HTML sink. However, it might be possible to use img tag in order to deliver a successfull XSS attack.
DOM XSS in document.write Sink Using Source location.search
Examine the above picture and observe that the query parameter is used in the document.write sink which causes a vulnerability.In this case, it is easy to spot this vulnerability but for some cases manual detection for DOM-Based XSS can be very hard to spot.
DOM XSS in document.write sink Using Source location.search Inside a Select Element
Observe that your canary is between the option tags, for that reason you need to escape from the options tags in order to deliver a successfull XSS attack.
DOM XSS in AngularJS Expression with angle brackets and double quotes HTML-encoded
Ng-app directive has been used so it is possible to use angular expressions. First of all, you need to determine the version of angularJS inorder to use right payload.