reflected-xss – Page 9 – WindowsTechs.com

Bypassing htmlspecialchars() for XSS (Reflected) and using an event handler is not an option in this case

Posted on April 7, 2019 by daya

I am trying to bypass high security XSS on DVWA. So the vulnerable code(I highly doubt that is it really vulnerable?) is:-

<?php

if(!array_key_exists (“name”, $_GET) || $_GET[‘name’] == NULL || $_GET[‘name’] == ”){

$isempty = tru… Continue reading Bypassing htmlspecialchars() for XSS (Reflected) and using an event handler is not an option in this case→

Finding hidden parameters manually for XSS

Posted on March 29, 2019 by user11177344

I am researching about XSS and Google helped me a lot about learning like how to bypass XSS filters, POST and GET based XSS .

I am really curious to know how to find hidden parameters manually for XSS testing purposes.

Als… Continue reading Finding hidden parameters manually for XSS→

XSS triggered but chrome didn’t show popup. What exactly was going on?

Posted on March 24, 2019 by user101

Related to my previous question on XSS in canonical link.

At the beginning I turned off Chrome’s XSS auditor and tried executing XSS with just onload event using following payload which did not trigger.

” onload=”alert(1… Continue reading XSS triggered but chrome didn’t show popup. What exactly was going on?→

Reflected XSS which only displays in the input

Posted on March 20, 2019 by esssss

I am trying to execute an XSS in an HTTP GET request,but it just displays the input without running the script.

I checked in BurpSuite and I see it added my input to referer: url and then my input.

How can i make the XSS ru… Continue reading Reflected XSS which only displays in the input→

Stealing csrf token With Event Handlers xss

Posted on February 27, 2019 by Atik Rahman

I am testing site which was vulnerable to xss

https://www.example.com/search/test” onfocus=”alert(1)” autofocus=”

Reflecting area

<input class=”” name=”search” id=”search” placeholder=”Enter keyword(s)” value=”test” … Continue reading Stealing csrf token With Event Handlers xss→

CSS Injection without colon

Posted on February 1, 2019 by br0wnrice

I’m looking for a way to create a CSS injection proof-of-concept. I can insert the following and it gets reflected in the browser:

The only issue is that the colon gets… Continue reading CSS Injection without colon→

XSS by pass in page returning 404

Posted on January 31, 2019 by Akshar Tank

I am at a page with domain of let say abc.com. When i make a request abc.com/anything,it return “404 /anything” is not found. So i tried to do XSS here but “,<,>,& is encoded. I tried abc.com/javascript:alert(1); but n… Continue reading XSS by pass in page returning 404→

What are the common features to identify XSS attack from Apache log file?

Posted on December 27, 2018 by Shree

I have tried some XSS vulnerability on web application such as webgoat, OWASP mutillidae, bWAPP. I want to know the features/keywords/footprints of cross site scripting attack in apache log file and from these footprints, it … Continue reading What are the common features to identify XSS attack from Apache log file?→

Exploit: Send cookie to another server from url

Posted on December 16, 2018 by vallikkv

I’m testing a web application and found that url contains “redirect=” where it navigates to new location once logged in.

http://IPAddress/?redirect_uri=test

I’m trying to exploit the cookie using redirect_uri as the HTTPOnl… Continue reading Exploit: Send cookie to another server from url→

Reflected XSS in multiline script block

Posted on November 15, 2018 by 6661620a

I am trying to exploit a reflected cross site scripting in a GET request where the reflection is in the first multi line script block.

It seems I can use every character but <, > and ” and the best payload I could come… Continue reading Reflected XSS in multiline script block→