Collaborate Disseminate
I am trying to perform XSS but to get out of the context and write the payload I need to use Angle brackets and the angle brackets are html encoded. I tried double encoding technique with url encoding+html encoding, url encoding+url encodi… Continue reading How to use html encoded characters to perform XSS?
If an SVG file with an XSS payload is hosted on say cdn.example.com and is loaded as a display picture on say mainprod.com, can the XSS payload within the SVG file access and steal cookies from mainprod.com despite the Same-Origin Policy (… Continue reading SOP (Same Origin Policy) and CDN SVG XSS
By Waqas
Gaming influencers are advising CS2 players to refrain from playing the game at the moment.
This is a post from HackRead.com Read the original post: Gamers Warned of Potential CS2 Exploit That Can Reveal IP Addresses
Continue reading Gamers Warned of Potential CS2 Exploit That Can Reveal IP Addresses
I am writing a mobile application for an already existing web app.
In the backend, I implemented the usual cookie-based session ID authentication. with a CSRF token generated on login and sent with each request in a custom header.
the prob… Continue reading Is it secure to use session ID as authentication token received from an HTTP header?
I have a invite users via email form on my website and I was wondering if this could be a potential XSS flaw?
I captured the request via Burp, and this is how it looks:
Input:
{
"toEnvWithEmail":"<script>alert(1)</s… Continue reading Potential XSS bug in email form?
I’ve discovered a behavior in a popular service’s markdown parser that allows the ‘style’ attribute to be used within ‘img’ tags through some crafted markdown code. This allows for the application of arbitrary CSS styles to the image, lead… Continue reading Is the ability to inject arbitrary CSS styles in an img tag a security vulnerability?
I’m reading an article that talks about XSS exploitation on AngularJS,
AngularJS will render the template in ng-html, and it bypasses sanitize-html.
My questions,
I’m wondering if other frameworks like Vue.js and React is also vulnerable… Continue reading Does other frontend framework have similar issue like AngularJS?
Is there a way to permanently add code to a website vulnerable to client-side XSS? so if you refresh the page, it is still changed?
if you can, how?
Continue reading Can you inject permanent code into a website by client-side XSS? [closed]
I would like to initialise a React application with an OIDC token.
This token will be stored in a private field of the "api client" object. This object will be used to execute API calls and it will automatically add the OIDC toke… Continue reading Is it safe to store the OIDC token in a private field of a javascript object?
I have been exploring customer support in a website as part of bug bounty program.
I then started a chat with their customer support and pasted the following in the box:
<!–<img src="–><img src=x onerror=javascript:alert… Continue reading Is this a type of XSS attack?