Collaborate Disseminate
I’m a total beginner and im trying to solve Portswigger Academy labs. I’m studying on XSS right now and im stuck in somewhere.
Lab Details:This lab demonstrates a reflected DOM vulnerability. Reflected DOM vulnerabilities occur when the s… Continue reading Reflected DOM XSS Portswigger Lab
I was testing a website which does not have XSS in their scope. So I thought it would be a good idea to escalate XSS to a bug which is valid. I need to make a request to my server but the problem is closing tag > or forward slashes / ar… Continue reading XSS payload to Send request to server without closing tag
What’s the difference between Reflected XSS (RXSS) and Reflected-DOM XSS (RDOMXSS)? After some research, I think it can be concluded that Reflected-DOM XSS is:
Similarities:
The value is reflected by the target application
Characteristic… Continue reading Difference Between Reflected XSS and Reflected-DOM XSS
I am doing one of Portswigger’s labs on web security, specifically CORS (cross origin resource sharing). I am having trouble understanding why there is a need for URL encoding certain parts of the XSS payload.
As a brief summary, the lab i… Continue reading Need for URL encoding in XSS / CORS lab
I was doing a VAPT assessment in which I see some JSON body in the request which has orgid deviceid
So there any possibility to get XSS in json body?
Continue reading Is it possible to get xss in json body request?
I found a HTML injection vulnerability but there is an issue.
The following request returns the following:
curl "https://redacted.com/xss/para?meter="><h1>Test\</h1>"<meta name="url:url" content=&… Continue reading Parameter vulnerable for HTML injection but cannot exploit because of URL encoding
I am busy with the portswigger lab studies, doing "Reflected XSS into HTML context with most tags and attributes blocked".
I successfully fire the print() on myself and the simulated victim, but for extra practice in preparing fo… Continue reading portswigger Lab – Reflected XSS into HTML context with most tags and attributes blocked
I have an anchor that has href attribute populated by my input. I am trying to input javascript, but it always renders it useless since it always appears between double quotes.
So far, I have tried many inputs including:
javascript:alert(1… Continue reading XSS – Anyway to bypass double quotes in href of anchor?
While working on a site (https://website.com/site/site.apexp) the site redirects through a javascript function:
<html>
<script>
function redirectOnLoad() {
var escapedHash = ”;
var url = ‘https://website.com/s/login?ec… Continue reading Explotation of reload/redirect through javascript
I’m trying to make an automated XSS detection toolkit for myself and I’m using google’s firing range for testing it. For this particular case of escaped XSS in HTML context https://public-firing-range.appspot.com/escape/serverside/encodeUr… Continue reading How to bypass server-side URL encoding ? [Firing-Range automation]