reflected-xss – Page 5 – WindowsTechs.com

XSS attack being blocked by the browser

Posted on April 12, 2021 by stannage

I’m trying to validate / test and XSS attack; however when I navigate to the page, the browser (tried on Chrome and Edge) tells me:

A parser-blocking, cross site (i.e. different eTLD+1) script,
is invoked via document.write. The network
r… Continue reading XSS attack being blocked by the browser→

XSS exploitation: AJAX isn’t working properly [closed]

Posted on April 6, 2021 by Woden

I am working on a test case with a website demonstration. For now, I’ve discovered reflected XSS on the website for the profile preview, meaning the data is not sent to the server-side. Next, when I look through the source code, I got the … Continue reading XSS exploitation: AJAX isn’t working properly [closed]→

Does escaping quotes in a HTML attribute context prevent XSS?

Posted on April 2, 2021 by CR00D3X

I’m learning about XSS and I found I can inject code in this tag a few days ago.
Tag:
<div id="pagenotfound" title=’Cannot find /it/search/testtesttesttetst\’onload=alert(1)’>

My payload:
/testtesttesttetst’onload=alert(1)… Continue reading Does escaping quotes in a HTML attribute context prevent XSS?→

Blocking reflected XSS on common web servers

Posted on March 15, 2021 by jwalker

How is it possible to block reflected XSS on common web servers, such as IIS, Apache HTTP Server and Nginx?
The Content-Security-Policy: reflected-xss filter doesn’t work on latest Chrome and X-XSS-Protection was removed from latest Chrome… Continue reading Blocking reflected XSS on common web servers→

Further exploit self XSS

Posted on February 24, 2021 by Opera of the Phantom

I´m pentesting a clients website and found a self XSS Vulnerability in the Login Page: in case of a login error the Error Page shows the Username, so if you input <script>alert("XSS")</script> as User, it shows the al… Continue reading Further exploit self XSS→

Is an XSS via Cross-Site File Upload (CSFU) practically exploitable?

Posted on February 17, 2021 by Cob013

I came across a very interesting case:

The user uploads a file
The file contains <script>alert(2)</script>
The web app shows the file’s content to the user -> the XSS payload is executed
The file is not stored in any way, s… Continue reading Is an XSS via Cross-Site File Upload (CSFU) practically exploitable?→

where is the custom tag and why using id in the solution? [closed]

Posted on January 30, 2021 by Mohit

Portswigger reflected XSS lab with custom tags
link for lab
(https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-all-standard-tags-blocked)
Purpose of lab:

lab description:
Lab is about reflected XSS w… Continue reading where is the custom tag and why using id in the solution? [closed]→

can i execute javascript in href when i have text before my input?

Posted on December 2, 2020 by eyal

This is where I took this example from:
<a href="<?php echo $_GET[‘e’];?>">Back</a>
In this code, I can do http://my_url?e=javascript:alert()
But what can I do if my code is like this:
<a href="e<?php… Continue reading can i execute javascript in href when i have text before my input?→

how does this type of reflected xss payload work

Posted on November 28, 2020 by sdksdk

I’ve seen the typical reflected XSS payloads which contain html tags, or where inputs are reflected inside javascript. But I’ve also stumbled across a certain payload which makes no sense to me.
An example of the payload in question:

hxtp… Continue reading how does this type of reflected xss payload work→

XSS with Template Literals

Posted on November 19, 2020 by pentesterdude

I suspect I have a potential XSS vulnerability at a client-side level, however, I’m not able to exploit it successfully.
The URL I’m using consists of three parameters that reflect back to the user and it is as follows:
https://host/email_… Continue reading XSS with Template Literals→