Current node: brutelogic
Timeline
2021-06-24 00:28:31 brutelogic.com.br
XSS polyglots are quite popular among beginners and lazy XSS testers since they only require a single copy and paste. Although doomed to be easily flagged by any decent filter or WAF, they can be useful to spot most of the XSS cases out there. Here we will try to build a cost-effective XSS polyglot, … Continue reading Building XSS Polyglots
The post Building XSS Polyglots appeared first on Brute XSS.
2021-03-08 08:22:49 brutelogic.com.br
Content Security Policy (CSP) is the last line of defense against the exploitation of a XSS vulnerability. When correctly implemented, it seems to be extremely effective in doing so (nowadays). Here we will deal with the possible ways to abuse flaws in its implementation. For a comprehensive reference on CSP check here. Some basic samples … Continue reading CSP Bypass Guidelines
The post CSP Bypass Guidelines appeared first on Brute XSS.
2020-09-18 02:01:56 brutelogic.com.br
Testing for Cross-Site Scripting (XSS) might seem easy at first sight, with several hacking tools automating this process. But regardless of how tests to find a XSS are performed, automated or manually, here we will see a step-by-step procedure to try to find most of the XSS cases out there. For that we will use … Continue reading Testing for XSS (Like a KNOXSS)
The post Testing for XSS (Like a KNOXSS) appeared first on Brute XSS.
2020-09-18 02:01:56 brutelogic.com.br
In some cases, information passed in one of the HTTP headers of the application is not correctly sanitized and is output somewhere in the requested page or at another end, giving rise to a XSS situation. But unfortunately, since an attacker can’t make a victim edit his/her own HTTP headers in an actual … Continue reading XSS via HTTP Headers
The post XSS via HTTP Headers appeared first on Brute XSS.
2020-09-16 08:29:02 brutelogic.com.br
Some Cross-Site Scripting (XSS) vectors arise from strict but allowed possibilities, forming tricky combinations. It’s all about contexts and sometimes the interaction between different contexts with different filters leads to some interesting bypasses. Although in the same document (or page), usually the source code of a HTTP response is formed by 3 different contexts: HTML, … Continue reading Filter Bypass in Multi Context
The post Filter Bypass in Multi Context appeared first on Brute XSS.
2020-05-10 09:35:35 brutelogic.com.br
Some Cross-Site Scripting (XSS) vectors arise from strict but allowed possibilities, forming tricky combinations. It’s all about contexts and sometimes the interaction between different contexts with different filters leads to some interesting bypasses. Although in the same document (or page), usually the source code of a HTTP response is formed by 3 different contexts: HTML, … Continue reading Filter Bypass in Multi Context
The post Filter Bypass in Multi Context appeared first on Brute XSS.