Collaborate Disseminate
My web application allows users to make custom divs with whitelisted attributes. One of them is data-{user-input}.
Recently I have seen the following XSS payload:
[[div data-test/onmouseover=alert(1)]]
So I added the following code:
… Continue reading Bypass XSS filter in data- attribute
I operate a blog using Google’s Blogger platform about programming. I use highlight.js for syntax highlighting, and now on my posts I see the console warning: One of your code blocks includes unescaped HTML. This is a potentially serious s… Continue reading "One of your code blocks includes unescaped HTML." JS console security warning
On https://ais.osym.gov.tr/ I saw an XSS vulnerable input. I tried some payloads without malicious intent which only contained alerts or console logs. The code img \x00src=x onerror=alert(1) worked.
Now the problem is whenever I try to re… Continue reading Accidentally locked an XSS vulnerable input
Can I visit a malicious website by using Tor with settings set to safest or by using NoScript on an ordinary browser with settings set to untrusted?
If not then is there any way to visit a malicious website safely?
I have this message from Checkmarx:
The application’s = embeds untrusted data in the generated output with location, at line 19 of ****.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, … Continue reading Checkmarx Client DOM XSS Violation in ReachJS
I was testing an application recently and i came across with a Reflected XSS vulnerability via HTTP POST Request with JSON body. Although this condition can’t be exploitable from his own, due respond’s corresponding MIME type application/… Continue reading Reflected XSS found in web application via POST request with JSON body. Is this issue exploitable?
I was was inspecting elements in a website and I randomly stumbled onto this piece of code .
</style><meta name="add-styles-here"/><meta name="add-scripts-here"/></head><body><kbn-csp da… Continue reading Risk of injecting a malicious script/code?
So I am testing an application and I almost got an XSS vulnerability but only if I can comment on the rest of the code. e.g. Originally this is how the target returns the user-entered input:
I’ve been able to get this to this far:
Request… Continue reading Is there any way to bypass javascript comment filtering (XSS)
I am doing one of Portswigger’s labs on web security, specifically CORS (cross origin resource sharing). I am having trouble understanding why there is a need for URL encoding certain parts of the XSS payload.
As a brief summary, the lab i… Continue reading Need for URL encoding in XSS / CORS lab
By Owais Sultan
Application testing is a process that helps ensure the quality and safety of your software applications, whether the…
This is a post from HackRead.com Read the original post: How SAST Will Improve Your Overall Security: Intro
Continue reading How SAST Will Improve Your Overall Security: Intro