Collaborate Disseminate
There is a standard XSS exploitation technique where one can use javascript keyword in <a href=””> to execute javascript code. Example:
<a href=”javascript:alert(42);”>please clickme</a>
Let’s us consider PHP code wh… Continue reading Is XSS possible when using htmlspecialchars and https prefix check in href?
I would like to create a honeypot (bot) to hunt browser zero-days (and browser extensions). What is the best way to find those 0days automatically (I would like to create a sandboxed bot which would visit websites and check i… Continue reading Honeypot for hunting browser zero-days, rootkits and malware [on hold]
We have an overview with known but fixed vulnerabilities for this browsers: Google Chrome, Mozilla Firefox and Internet Explorer. Such lists exist for many other browsers too. We also have such vulnerabilities which were neve… Continue reading How common is the usage of browser zero-days in the wild?
Let’s assume we are talking about top 10 most used web browsers: Usage share of web browsers
https://www.cgisecurity.com/questions/httptrace.shtml
‘TRACE’ is a HTTP request method used for debugging which echo’s back
input back … Continue reading Is it still possible to use HTTP TRACE for XSS in modern Web Browsers?
I want to exploit XSS vulnerability. But my exploitation scenario is a bit different rather than just stealing cookies via XSS, sending them to attacker’s website and reusing them later (life is hard).
We have a self-written… Continue reading Complex XSS exploitation scenario [on hold]
There is a cron job running as root on a web server every 15 minutes:
php cli-script.php
(cli stands for “Command Line Interface”, so is only accessible from command-line)
It is not possible to directly modify the PHP scri… Continue reading Exploiting cron job running as root
My question is build on top of the answer of the question about SUID exploitation:
SUID not used after exploit
The person (official answer) is stating that:
Many popular implementations of sh drop privileges when they s… Continue reading Unix/Linux shells which use effective UID instead of real UID
I’m familiar about a tool called DirBuster which allows to enumerate files and directories on a server. Is there any tool which allows to enumerate servers internal (non-public) files and directories, e.g. through some LFI/pa… Continue reading Tools for file system enumeration (LFI/directory traversal exploitation) [on hold]
Is it possible to extract CSRF-token by using inline-CSS injection (inside style attribute)? (It seems to be impossible, because it is not possible to define CSS classes inside attributes.)
<p style=<?php echo htmlsp… Continue reading CSS injection: Extract CSRF-token by using inline-css injection
Are there any XSS-exploitation-tools where you don’t need first to get a public server (which is owned by you) where you install them on? You should be able to run them from your local machine. But you still need a C&C-se… Continue reading Tools to exploit XSS [on hold]