Collaborate Disseminate
While studying the XSS vulnerability, I encountered a significant doubt. I noticed that when we include " in a URL, it gets encoded as %22. Therefore, I believe we can utilize the decoded version of ", ensuring it remains as &quo… Continue reading When we url encode (") will become (%22), is there any way we can decode (")?
Group-IB identified a large-scale malicious campaign primarily targeting job search and retail websites of companies in the Asia-Pacific region. The group, dubbed ResumeLooters, successfully infected at least 65 websites between November and December 2… Continue reading ResumeLooters target job search sites in extensive data heist
I have submit the following text <script>javascript:alert(document.domain); in a feedback of a restaurant listed on a website and feedback is sent to website not restaurant.
I want to verify but I am not sure if the code is valid or … Continue reading is <script>javascript:alert(document.domain); a valid script for xss?
I want to ask about the http-dombased-xss.nse script. When I’m testing DOM-based xss in xss.challenge.training.hacq.me/challanges/baby02.php. The test I’m doing with nmap is like this.
nmap -p80 –script http-dombased-xss.nse –script-args… Continue reading Why http-dombased-xss.nse script in nmap dosen’t work? [closed]
I want to ask about the http-dombased-xss.nse script. When I’m testing DOM-based xss in xss.challenge.training.hacq.me/challanges/baby02.php. The test I’m doing with nmap is like this.
nmap -p80 –script http-dombased-xss.nse –script-args… Continue reading Why http-dombased-xss.nse script in nmap dosen’t work? [closed]
I found a HTML injection on a markdown although it seems odd as the user already can use html in the box
So I tried to turn it to XSS but after a day with trial and error I concluded that the website has a whitelist that allows only and … Continue reading XSS Bypass Whitelist
Is it possible to upload a reverse shell and execute it via XSS?
How can a hacker steal my session where my form does not have CSRF tokens but my session cookies are HTTPonly? how would he get my session cookie in this case? is this possible?
for example, to be clearer, I have my session authenticated i… Continue reading HTTPonly token without CSRF is safe?
Whenever the topic comes up, almost every source recommends to never store authentication tokens in a place where they can be accessed by client-side Javascript. The recommendation is almost always to store them in an http-only cookie to p… Continue reading Is storing authentication tokens in local storage with a strong CSP safe?
I’ve observed that React can HTML encode specific characters to prevent XSS vulnerabilities in certain contexts. For instance, consider the following code in App.jsx:
function App() {
const XSSProblematicChars = "><‘\"(… Continue reading React chars to HTML encode?