server – XSS on marketing websites like craigslist. How does this work on a technical level?

I was wondering how this works.
We have a marketing site in Holland where people can sell second hand goods.
Rumor has it that there is a lot of phishing going on there and that XSS code in the images uploaded to the site is used for malicious intent.

Can someone explain to me how this works and how people can stay out of trouble?
I have some theoretical understanding of protocols and scripting.
Examples or third-party sources for clarification are most appreciated.

javascript – XSS with Template Literals

I suspect I have a potential XSS vulnerability at the client-side level; however, I'm not able to exploit it successfully.

The URL I’m using consists of three parameters that reflect back to the user and it is as follows:

https://host/email_url?key=(ENTRYPOINT1)&code=(ENTRYPOINT2)&mode=(ENTRYPOINT3)

The HTTP headers of the potentially vulnerable page are:

HTTP/1.1 200 OK
Connection: close
Content-Length: 6573
Cache-Control: max-age=3600
Content-Type: text/html; charset=utf-8
Etag: (REDACTED)
Last-Modified: (REDACTED)
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31556926
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Accept-Ranges: bytes
Date: (REDACTED)
X-Served-By: (REDACTED)
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: (REDACTED)
Vary: x-fh-requested-host, accept-encoding

The potentially affected HTML code is:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <meta name="description" content="">
    (...)
         <div class="col-md-8 offset-md-2">
            <p class="lead mb-4">To complete the email verification process, tap on the button below.</p>
            <a id="completeVerification" class="btn btn-primary" href="">Complete the verification</a>
          </div>
    (...)
   <script>
    window.onload = function() {
      // Choose environment
      const host = window.location.host
      const environment =
        host === 'redacted-dev.firebaseapp.com' ? 'development' :
        host === 'redacted-stg.firebaseapp.com' ? 'staging' :
        'production';
      // Build deep link with received params
      const urlParams = new URLSearchParams(window.location.search);
      const key = urlParams.get('key');
      const code = urlParams.get('code');
      const mode = urlParams.get('mode');
      const a = document.getElementById('completeVerification');
      a.href = `com.application.${environment}://auth?key=${key}&code=${code}&mode=${mode}`;
    };
    </script>

After a few tests I can see that it is allowing many characters such as ' $ { } < > / *. The only character that is being HTML encoded is ".

I’ve tried, without success, sending the following XSS Template Literal payloads through the reflecting parameters:

alert(1)
${alert(1)}
alert(1);
${alert(1)};
`alert(1)`
`${alert(1)}`
`${alert(1)}`;
alert(1);
${alert(1)}/*

Any insights on why this is not executing are appreciated. Thanks for reading.
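The following is an added example and not code from the original post. It reproduces the post's link builder without the DOM (so it runs under Node) and shows two things: that `${alert(1)}` arriving in a query parameter is copied as plain text, because template-literal interpolation happens once, at run time, on string values and never re-parses them, and that the weakness actually present in this pattern is parameter smuggling through `&` and `=` inside a value. Function names are my own; the `com.application.<environment>://auth` scheme is the one in the post.

```javascript
// Added example (not the original page's code). Runs under Node.js >= 14.

// The builder as posted: raw parameter values dropped into a template
// literal. Interpolation inserts the string's characters verbatim, so a
// value of "${alert(1)}" simply becomes part of the resulting href.
function buildDeepLinkAsPosted(environment, search) {
  const urlParams = new URLSearchParams(search);
  const key = urlParams.get('key');   // null when absent -> the text "null"
  const code = urlParams.get('code');
  const mode = urlParams.get('mode');
  return `com.application.${environment}://auth?key=${key}&code=${code}&mode=${mode}`;
}

// Hardened builder: re-serialise the three values through URLSearchParams
// so that '&', '=', '#' and '?' inside a value are percent-encoded and
// cannot add or override a parameter of the deep link. Absent values
// become "" rather than the text "null".
function buildDeepLinkSafely(environment, search) {
  const inParams = new URLSearchParams(search);
  const outParams = new URLSearchParams();
  for (const name of ['key', 'code', 'mode']) {
    outParams.set(name, inParams.get(name) ?? '');
  }
  return `com.application.${environment}://auth?${outParams.toString()}`;
}

// What a receiving app would see when it parses the link's query string.
function paramsSeenByApp(href) {
  return new URLSearchParams(href.slice(href.indexOf('?') + 1));
}
```

The HTML encoding of `"` observed in the post is irrelevant to this code path: the values never reach an HTML context, only a string that is assigned to `a.href`. Because the literal's prefix fixes the scheme, a `javascript:` URL cannot be injected either. What can be injected is an extra or duplicated deep-link parameter (`key=a%26mode%3Devil` yields two `mode` values), which the app registered for that scheme has to treat as untrusted input.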

XSS went through WAF in a stored way

Is it possible that the stored JavaScript went through a WAF, but that the WAF is blocking the "outgoing" side (by that I mean the execution or the presence), and thereby not showing the XSS when requesting the affected page?

For example, I have <XSS> and placed this successfully on my target, in a blog discussion, resulting in stored XSS.

Is it possible then that the WAF behind that site is blocking the execution of it?

Do WAFs have such functionality or do they only block the “incoming”/ability to insertion?

How to evade Angular HTML sanitizer for XSS

I'm trying to evade the HTML sanitizer in a field of my application that I found to be vulnerable, to test some XSS injection.

The field that I'm trying to exploit is a dropdown with the following code. The vulnerable field is classNameId, which consists of a " - " from the database.

                <input [(ngModel)]="selectedClassName" [typeahead]="classList" typeaheadOptionField="classNameId"
                class="form-control" [typeaheadMinLength]="0"
                (typeaheadOnSelect)="selectedClass=$event.item.classId;loadApplicationList($event)"
                (focus)="auxName=selectedClassName;selectedClassName=''"
                (blur)="selectedClassName=selectedClassName || auxName">

Some tags like b, img and a work in this field, but it filters out attributes like "onerror" and many others.

I was able to insert the script tag in there with an XSS I made, but it doesn't run, as Angular treats this as text. Is there any way I can escape this?

The XSS that I made:

<<script></script>/span><<script></script>script>alert(1)<<script></script>/script>

And this is the result that I got:

XSS applied to the field

Here’s another example of how it looks if I add a b tag in the beginning of the XSS

XSS applied with b tag

How can I prevent XSS attacks in my ASP.NET Core 3.1 application with Entity Framework?


xss – CVE-2020-7656 needed help for a working POC

So I came across a site that was running jQuery@1.7.1 and also found that it was vulnerable to multiple issues, one of which was XSS (Cross-Site Scripting).

I reported this issue and the organization would like to have a working POC, but I don't have an idea how to work on it; can anyone help me with this?

More Information:

https://snyk.io/vuln/SNYK-JS-JQUERY-569619 – This site contains the POC:

index.html:

<!DOCTYPE html>
<html>
<head>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.js"></script>
</head>
<body>
    <div id="mydiv"></div>
    <script>
        // load() with a selector: jQuery fetches inject.html, strips the
        // <script> blocks it recognises, selects #himom and inserts it here.
        $("#mydiv").load('inject.html #himom');
    </script>
</body>
</html>

inject.html:

<!-- The space in "</script >" is the point of CVE-2020-7656: jQuery before
     1.9.0 only strips a closing tag spelled exactly "</script>", so this
     block survives the filter and is executed when the fragment is appended. -->
<div id="himom"><script>alert('Arbitrary Code Execution');</script ></div>
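The block below is an added example, not part of the original post and not jQuery's code. It shows mechanically why the `</script >` spelling matters for CVE-2020-7656: `jQuery.fn.load(url, selector)` in releases before 1.9.0 strips `<script>` blocks from the response with a regex before selecting the fragment, and that regex only recognises a closing tag written exactly as `</script>`. The first pattern is the `rscript` regex from jQuery 1.8.x's ajax code as I recall it (verify it against the copy you test); the tolerant pattern is my own illustration of the difference, not jQuery's actual fix.

```javascript
// Added example (not from the original post or from jQuery). Runs under Node.

// rscript as used by jQuery 1.8.x load(): the closing tag must be the
// literal "</script>", no whitespace allowed before the '>'.
const rscriptJQuery18 = /<script[^>]*>([\S\s]*?)<\/script>/gi;

// Same idea with whitespace tolerated before the closing '>', so that
// "</script >" and "</script\n>" are matched as well (my illustration).
const rscriptTolerant = /<script[^>]*>([\S\s]*?)<\/script\s*>/gi;

// Mirror of responseText.replace(rscript, "") in load().
function stripScripts(html, re) {
  return html.replace(re, '');
}

// Does a <script ...> start tag survive the stripping step? If it does,
// the fragment handed to .append() still carries executable code.
function scriptSurvives(html, re) {
  return /<script\b/i.test(stripScripts(html, re));
}

// Constructed responses: an ordinary inject.html, and one shaped like the
// post's POC with a space inside the closing tag.
const normalResponse = '<div id="himom"><script>alert(1);</script></div>';
const spacedResponse = '<div id="himom"><script>alert(1);</script ></div>';
```

CVE-2020-7656 covers every release before 1.9.0, so the same check applies to the 1.7.1 deployment in the post; only the regex constant changes between versions. A POC for the client therefore needs two files on the same origin, as in the Snyk write-up: a page that calls `.load()` with a selector, and a fragment whose closing tag carries the whitespace.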

8 – Search API XSS issue

Using the Search API documentation, I built a form in the header that passes the search text to the search page.

https://www.drupal.org/docs/8/modules/search-api/getting-started/common-pitfalls

When doing a simple search with this text

<script>alert('Test');</script>

a "Test" popup shows on the page. Any suggestions on how to fix it?

xss – Is splitting a REST API server from a Web server considered a security threat?

I am participating in a project that involves a JavaScript SPA that provides a service and is intended to interact via REST APIs with one of our servers. Initially, I proposed to work on the two entities as two separate projects; specifically, I put forth the following:

  • The user accesses the Web app through a www.myservice.org address
  • The Web app contacts an api.myservice.org service for REST interactions

but I was immediately faced with rejection. I was told that the Web app, residing at www.myservice.org, should contact the REST server via something like www.myservice.org/api, because doing otherwise would entail a security threat. I didn't say this was a bad idea, but I insisted on splitting the API server from the SPA-serving one for the following reasons:

  • Scaling
  • Separation of concerns
  • Easier code management

I'm much more of a developer than a system admin or security expert, so I couldn't promptly reply to their rejection. Why would having two servers, api.myservice.org and www.myservice.org, represent a security issue? I was vaguely told about cross-site scripting, but even then the reasoning wasn't perfectly clear to me.
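As an added illustration (not part of the original post), what concretely changes when the API moves from www.myservice.org/api to api.myservice.org is the origin: the browser then applies CORS to every fetch/XHR the SPA makes, and the API has to decide which origins may read its responses. The code below is a minimal, framework-free CORS decision for a hypothetical api.myservice.org; the hostnames come from the post, everything else (function names, header values, the allowlist) is my own assumption.

```javascript
// Added example (not the project's code). Runs under Node.

const ALLOWED_ORIGINS = new Set(['https://www.myservice.org']);

// Origins are compared as exact strings: scheme, host and port all
// matter, so http://www.myservice.org is not the SPA's origin.
function originAllowed(origin, allowed = ALLOWED_ORIGINS) {
  return typeof origin === 'string' && allowed.has(origin);
}

// Decide the CORS part of a response from the request method and headers
// (header names lower-cased, as Node's http module delivers them).
// null means: not a request from an allowed origin; answer it without any
// Access-Control-* headers and the browser will refuse to expose the
// response to the calling page.
function handleCors(method, headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers['origin'];
  if (!originAllowed(origin, allowed)) {
    return null;
  }
  const base = {
    // Echo the specific origin: "*" cannot be combined with credentials,
    // which a cookie-authenticated API needs.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Without this a shared cache could serve one origin's headers to another.
    'Vary': 'Origin',
  };
  if (method === 'OPTIONS' && headers['access-control-request-method']) {
    // Preflight: permissions only, no body.
    return {
      status: 204,
      headers: {
        ...base,
        'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
        'Access-Control-Allow-Headers': 'Content-Type, Authorization',
        'Access-Control-Max-Age': '600',
      },
    };
  }
  return { status: 200, headers: base };
}

// The mistake that turns the split into a real hole: reflecting whatever
// Origin arrives while allowing credentials lets any site call the API
// with the user's cookies and read the result. Shown only for contrast.
function reflectAnyOrigin(headers) {
  return {
    'Access-Control-Allow-Origin': headers['origin'],
    'Access-Control-Allow-Credentials': 'true',
  };
}
```

Two things worth knowing when arguing the point: a same-path API (`/api`) needs none of this because it is same-origin, which is the "security" the objection is really about, and cookies are scoped by host rather than origin, so a cookie set for `.myservice.org` reaches both hosts and `SameSite=Lax` treats www and api as the same site. The split is workable; it just adds a CORS allowlist and an origin-pinned cookie policy to the API's responsibilities.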

web application – XSS via Ajax request?

I'm currently honing my web exploitation skills and came across this JavaScript function:

Event.observe(window, 'load', function() {
    // On load, POST a fixed parameter string to /dir/dir. The string is
    // written with JavaScript hex escapes: \x3D is "=", \x26amp\x3B is
    // "&amp;", \x26lt\x3B is "&lt;".
    new Ajax.Request('/dir/dir', {
      method: 'post',
      parameters: 'action\x3DrefreshAjaxModule\x26amp\x3BmodId\x3D_1895_1\x26amp\x3BgroupId\x3D_1_1\x26amp\x3Bgroup_id\x3D\x26lt\x3BXSS',',
      onSuccess: function(transport) {
        try {
          // Take the text content of the first <x> element of the XML response...
          var res = transport.responseXML.getElementsByTagName('x')[0].textContent;
          // ...render it into #div_1 with <script> blocks removed (Prototype's
          // String#stripScripts)...
          $('div_1').innerHTML = res.stripScripts();
          // ...and hand the same response to a site-specific helper (not part
          // of Prototype) whose name suggests it evaluates the scripts anyway.
          page.globalEvalScripts(res, true);
        } catch (e) {
          $('div_1').innerHTML = 'Failed';
        }
      },
      onFailure: function(transport) {
        $('div_1').innerHTML = 'Fail';
      }
    });
  });

My understanding of the script is that when the page loads, an Ajax POST request will be sent, and if it's successful, it'll call the function and try to do something, but I'm not entirely sure what it's doing…

I feel like this might be an attack vector, as you can inject values into the parameters field via the URL, except things like <script> are filtered and switched out with <xxxx>. <body onload`=alert(1)> seems to get through unfiltered, but it requires the back tick, which makes the alert not work.

I’m just wondering what other possible payloads there could potentially be, if any? When I inject <XSS (like in the code above) it falls through to the catch statement so I’m not sure if there’s something I can do to make it not cause an exception and pass things through as valid input.
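The value being injected in the post lands inside a single-quoted JavaScript string literal (the `parameters:` value), not in HTML. Rewriting `<script>` to `<xxxx>` is a blocklist for the HTML context and says nothing about the string context; the control that fits a string literal is escaping every non-alphanumeric character of the value before it is written into the literal. The block below is an added example, not code from the original post or from the target site, and the function names are my own; it builds a literal the way such a page would and then parses it the way the browser would, so the difference between the two encoders is visible as a value that round-trips (or does not).

```javascript
// Added example (not the original page's code). Runs under Node.

// Hex-escape every character outside [A-Za-z0-9]. Inside a JS string
// literal "\xHH" / "\uHHHH" is just that character, so quotes,
// backslashes, newlines, backticks, '<' and '&' all become inert data.
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The blocklist approach the post observed: rename the tag and hope.
// It leaves every string-literal metacharacter untouched.
function blocklistScriptTag(value) {
  return String(value).replace(/<script>/gi, '<xxxx>');
}

// Write the value into a single-quoted literal with the given encoder,
// then evaluate that literal as the browser would. A safe encoder returns
// the original value; a breakout shows up as a SyntaxError or as a value
// different from the one put in (because the quote ended the string early).
function roundTrip(encoder, value) {
  const literal = "'" + encoder(value) + "'";
  return new Function('return ' + literal + ';')();
}
```

With `jsStringEscape`, `<body onload\`=alert(1)>` comes back exactly as it went in, as plain text; with the blocklist, a value as harmless-looking as `'+1+'` is evaluated as code. Note that `&`, `=` and `;` do not need escaping for safety, but escaping them costs nothing and is what a hex-escaping output encoder naturally does.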

Is this XSS input being escaped?

I have a website that reflects the current url in an opengraph meta tag.

So if the url is :

https://example.com/my/link/here"/><script>prompt(1)</script>

the meta tag should be

<meta property="og:url" content="https://example.com/my/link/here"/><script>prompt(1)</script> ">

except what I do get is :

<meta property="og:url" content="https://example.com/my/link/here%22/%3E%3Cscript%3Eprompt(1)%3C/script%3E">

The only characters it seems to be escaping are > < and ". Single quotes and some other special characters I tried don’t get html encoded. Is this potentially a false negative?
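Whether a reflected value can leave an attribute depends on two things: which characters are encoded, and how the attribute is quoted. The block below is an added example, not code from the original post; it reproduces the encoding the post observed (only `"`, `<` and `>` percent-encoded) and checks it against both quoting styles next to a full attribute encoder. Function names are my own; the `og:url` tag shape is taken from the post.

```javascript
// Added example (not the original page's code). Runs under Node.

// Reproduces what the post observed: '"', '<' and '>' become %22, %3C,
// %3E; everything else, including the single quote, is kept as-is.
function percentEncodeObserved(value) {
  return String(value).replace(/["<>]/g,
    (ch) => '%' + ch.charCodeAt(0).toString(16).toUpperCase());
}

// Context-correct HTML attribute encoder: covers both quote styles and '&'.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The tag as the post shows it, with a configurable attribute delimiter.
function buildOgUrlTag(encodedValue, quote = '"') {
  return `<meta property="og:url" content=${quote}${encodedValue}${quote}>`;
}

// Two independent questions to ask about the encoded value:
//  1. does it still contain the delimiter of the attribute it sits in?
//     If so it ends the value and what follows is parsed as new attributes;
//  2. does it still contain a raw '<'? If so it can open a new tag.
function breaksOutOfAttribute(encodedValue, quote) {
  return encodedValue.includes(quote);
}
function canStartNewTag(encodedValue) {
  return encodedValue.includes('<');
}
```

For the double-quoted `content="..."` in the post the observed encoding is sufficient: neither `"` nor `<` survives, so the answer to the question is that this particular reflection is escaped for this particular context. The same encoder in a single-quoted attribute, or in an unquoted one, would not be, which is why a tester should check every place the URL is reflected rather than assume one safe output means a safe encoder.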