Collaborate Disseminate
I decided to look into non-alphanumeric JavaScript again and see if it was possible to execute it without parenthesis. A few years ago I did a presentation on non-alpha code if you want some more information on how it works take a look at the slides. U… Continue reading Executing non-alphanumeric JavaScript without parenthesis
Every experienced pentester knows there is a lot more to XSS than alert(1) – filtering, encoding, browser-quirks and WAFs all team up to keep things interesting. AngularJS Template Injection is no different. In this post, we will examine how we adapted… Continue reading Adapting AngularJS Payloads to Exploit Real World Applications
Every experienced pentester knows there is a lot more to XSS than <script>alert(1)</script> – filtering, encoding, browser-quirks and WAFs all team up to keep things interesting. AngularJS Template Injection is no different. In this post, we will examine how we adapted template injection payloads to bypass filtering and encoding and exploit Piwik and Uber.
Lower case conversion
Piwik, an Continue reading Adapting AngularJS Payloads to Exploit Real World Applications
I originally reported this issue to Microsoft on 4th September 2015 but it remains unfixed. As it has been so long since my original report I have decided to blog about the details now.
IE had a flaw in the past where you could use the location object… Continue reading Edge XSS filter bypass
I originally reported this issue to Microsoft on 4th September 2015 but it remains unfixed. As it has been so long since my original report I have decided to blog about the details now.
IE had a flaw in the past where you could use the location object… Continue reading Edge XSS filter bypass
Abstract
Naive use of the extremely popular JavaScript framework AngularJS is exposing numerous websites to Angular Template Injection. This relatively low profile sibling of server-side template injection can be combined with an Angular sandbox escap… Continue reading XSS without HTML: Client-Side Template Injection with AngularJS
Abstract
Naive use of the extremely popular JavaScript framework AngularJS is exposing numerous websites to Angular Template Injection. This relatively low profile sibling of server-side template injection can be combined with an Angular sandbox escap… Continue reading XSS without HTML: Client-Side Template Injection with AngularJS
Clickjacking vulnerabilities are endemic throughout the web and really quite serious in the right circumstances. Manually crafting a proof of concept attack can mean laborious hours of offset-tweaking, so we’ve just released Burp Clickbandit, a point… Continue reading Burp Clickbandit: A JavaScript based clickjacking PoC generator
Clickjacking vulnerabilities are endemic throughout the web and really quite serious in the right circumstances. Manually crafting a proof of concept attack can mean laborious hours of offset-tweaking, so we’ve just released Burp Clickbandit, a point… Continue reading Burp Clickbandit: A JavaScript based clickjacking PoC generator
At PortSwigger, we regularly run pre-release builds of Burp Suite against an internal testbed of popular web applications to make sure it’s behaving properly. Whilst doing this recently, Liam found a Cross-Site Scripting (XSS) vulnerability in [REDACTED], inside a hidden input element:
<input type="hidden" name="redacted" value="default" injection="xss" />
XSS in hidden inputs is frequently very Continue reading XSS in Hidden Input Fields