Blog

This is an up-to-date blog that focuses on cybersecurity. I regularly publish write-ups for Portswigger Web Security Academy labs. In addition, I plan to publish more blog posts about bug bounty and various security topics in the near future.

Reflected XSS with AngularJS expression escape and CSP

The first step of the payload is to set the location property, a built-in JavaScript object that represents the URL of the current page. The new URL it is set to is constructed using a template string that includes the following components...

İbrahim Taha İstikbal

Reflected XSS with AngularJS Sandbox Escape without Strings

View the page source and observe that your canary is placed within the AngularJS script. Remember that you are dealing with the AngularJS sandbox, which means regular attack vectors are not going to work. To deliver a successful XSS attack you have to bypass the AngularJS sandbox.

İbrahim Taha İstikbal

How To Install Windows 10 On An External Hard Drive

I am not completely against using dual-boot as a solution, but if you are low on disk space, using dual-boot as a solution can be annoying. So if you are looking for another solution, you are at the right place.

İbrahim Taha İstikbal

Stored XSS into Onclick Event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped

Try injecting another input into the Website input field, but this time make sure you use single quotes in your input. Then observe that the single quotes have been escaped with a backslash.

İbrahim Taha İstikbal

Stored XSS into HTML Context with Nothing Encoded

After landing on the home page of the lab instance, go to one of the blog posts. Enter a common XSS payload in the comment box. Fill out the other boxes as you wish.

İbrahim Taha İstikbal

Stored XSS into Anchor href Attribute with Double Quotes HTML-encoded

From the picture above, you can observe that the input you entered in the field labeled Website is used directly in the href value without proper input sanitization. Thanks to that, you can inject a payload like the following

İbrahim Taha İstikbal

Stored DOM XSS

The replace() method searches a string for a value or a regular expression and returns a new string with the value(s) replaced. The critical point is that replace() only replaces the first occurrence of the given string.

İbrahim Taha İstikbal

Reflected XSS with Some SVG Markup Allowed

As the lab description states, you can observe that this payload gets blocked. You need to find a valid tag in order to deliver a successful attack. One way to do this is to test the tags manually one by one, or you can choose the better way, which is fuzzing the tag names with Burp Intruder.

İbrahim Taha İstikbal

Reflected XSS with Event Handlers and href Attributes Blocked

First we need to search for a valid HTML tag. I assume you know how to do that (you should have solved the previous labs before this one), but if you are not comfortable with how to do it, you can visit this link.

İbrahim Taha İstikbal

Reflected XSS into HTML context with nothing encoded

Write a basic alert script in the box, like the following, and click the search button.

İbrahim Taha İstikbal

Reflected XSS into HTML Context with most tags and attributes blocked

Try to inject a usual alert() script such as but it is not going to work, because the website has a WAF (Web Application Firewall), so you need to figure out how to bypass it.

İbrahim Taha İstikbal

Reflected XSS into HTML context with all tags blocked except custom ones

From the lab description you can understand that all tags are blocked. However, it might be possible to craft custom tags and use them to create a successful payload.

İbrahim Taha İstikbal

Reflected XSS into Attribute with Angle Brackets HTML-Encoded

Submit a random alphanumeric string in the search box. Go to Burp's HTTP history and send that request to Burp Repeater. Observe that the random string has been reflected inside a quoted attribute.

İbrahim Taha İstikbal

Reflected XSS into a Template Literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped

Here is the real deal: your input is inside a template literal, which means it is possible to inject embedded expressions using the ${} syntax. Also remember that single quotes are just normal characters inside template literals (`), so your input is going to work like a charm.

İbrahim Taha İstikbal

Reflected XSS into a JavaScript String with Single Quote and Backslash Escaped

This time, try sending the previous payload with a single quote added to the beginning of it. This technique is used for breaking out of the string; however, your single quote is going to get backslash-escaped.

İbrahim Taha İstikbal

Reflected XSS into a JavaScript String with Angle Brackets HTML Encoded

After the landing page has loaded, go to the search box on the website. Submit a random alphanumeric string in the search box. Go to Burp's HTTP history and send the relevant request to Burp Repeater.

İbrahim Taha İstikbal

Reflected XSS into a Javascript String with Angle Brackets and Double Quotes Html-Encoded and Single Quotes Escaped

However, the developer who implemented the logic made a huge mistake and forgot to escape the backslash (\) character itself, which means you can escape the escaping backslash by using another backslash. After that, the single quote will be used as a string terminator and will cause the alert() function to be called.

İbrahim Taha İstikbal

Reflected XSS in Canonical Link Tag

A canonical URL is the URL of the best representative page from a group of duplicate pages, according to Google. For example, if you have two URLs for the same page (such as example.com?dress=1234 and example.com/dresses/1234), Google chooses one as canonical.

İbrahim Taha İstikbal

Reflected XSS in a JavaScript URL with some characters blocked

However, you cannot use these alternative payloads in this situation, because you are not allowed to use whitespace and some characters are literally banned. That is why, in order to fill in the whitespace, you need to use the multi-line comment syntax (/***/). It is possible to use /***/ to both open and close a comment on the same line.

İbrahim Taha İstikbal

Reflected DOM XSS

Either open the searchResults.js file from the site map, or, after you have landed on the home page, view the page source and click the searchResults.js link. Examine the JavaScript code and observe that this.response (the response text) is passed into the eval() function call.

İbrahim Taha İstikbal

Exploiting Cross-Site Scripting to Steal Cookies

So it is time to take the next step, which is exploiting the vulnerability. Basically, you can use the fetch API to cause a DNS resolution and an HTTP request to your exploit server (in this case Burp Collaborator) from the users who visit the blog page.

İbrahim Taha İstikbal

Exploiting Cross-site Scripting to Capture Passwords

You can also examine the username and password fields by going back to the blog post. Now, the only thing you need to do is wait for the user interaction.

İbrahim Taha İstikbal

Dom XSS In Jquery Selector Sink Using A Hashchange Event

In order to deliver a successful XSS attack, you need to manipulate the scroll action into a field that you control. It is possible to do that by creating iframe tags with the onload event handler.

İbrahim Taha İstikbal

Dom XSS In Jquery Anchor Href Attribute Sink Using Location.Search Source

Observe that in the search bar there is a parameter called returnPath; keep that in mind. View the page source and notice that jQuery's $ selector and attr() function are used in order to receive the returnPath parameter.

İbrahim Taha İstikbal

DOM XSS in innerHTML Sink Using Source location.search

Remember the information about the innerHTML sink: according to that, modern browsers do not allow script tags and svg tags to be used inside the innerHTML sink. However, it might be possible to use an img tag in order to deliver a successful XSS attack.

İbrahim Taha İstikbal

DOM XSS in document.write Sink Using Source location.search

Examine the picture above and observe that the query parameter is used in the document.write sink, which causes a vulnerability. In this case the vulnerability is easy to spot, but in some cases DOM-based XSS can be very hard to detect manually.

İbrahim Taha İstikbal

DOM XSS in document.write sink Using Source location.search Inside a Select Element

Observe that your canary is between the option tags; for that reason you need to break out of the option tags in order to deliver a successful XSS attack.

İbrahim Taha İstikbal

DOM XSS in AngularJS Expression with angle brackets and double quotes HTML-encoded

The ng-app directive has been used, so it is possible to use Angular expressions. First of all, you need to determine the version of AngularJS in order to use the right payload.

İbrahim Taha İstikbal