Current node: brutelogic
Timeline
September 28, 2021 00:46 brutelogic
XSS is all about practice. It takes a lot of time to imprint on the mind all the vectors, payloads and tricks at our disposal. There are lots of XSS cases, each one requiring a different approach and construct to pop the alert box. Thinking on that and following the previous XSS Test Page released with … Continue reading Training XSS Muscles
The post Training XSS Muscles appeared first on Brute XSS.
June 24, 2021 00:28 brutelogic
XSS polyglots are quite popular among beginners and lazy XSS testers since they only require a single copy and paste. Although doomed to be easily flagged by any decent filter or WAF, they can be useful to spot most of the XSS cases out there. Here we will try to build a cost-effective XSS polyglot, … Continue reading Building XSS Polyglots
The post Building XSS Polyglots appeared first on Brute XSS.
March 8, 2021 08:22 brutelogic
Content Security Policy (CSP) is the last line of defense against the exploitation of an XSS vulnerability. When correctly implemented, it seems to be extremely effective in doing so (nowadays). Here we will deal with the possible ways to abuse flaws in its implementation. For a comprehensive reference on CSP check here. Some basic samples … Continue reading CSP Bypass Guidelines
The post CSP Bypass Guidelines appeared first on Brute XSS.
September 18, 2020 02:01 brutelogic
Testing for Cross-Site Scripting (XSS) might seem easy at first sight, with several hacking tools automating this process. But regardless of how tests to find an XSS are performed, automatically or manually, here we will see a step-by-step procedure to try to find most of the XSS cases out there. For that we will use … Continue reading Testing for XSS (Like a KNOXSS)
The post Testing for XSS (Like a KNOXSS) appeared first on Brute XSS.
September 18, 2020 02:01 brutelogic
In some cases, information passed in one of the HTTP headers of the application is not correctly sanitized and is output somewhere in the requested page or at another end, giving rise to an XSS situation. But unfortunately, since an attacker can’t make a victim edit his/her own HTTP headers in an actual … Continue reading XSS via HTTP Headers
The post XSS via HTTP Headers appeared first on Brute XSS.
September 16, 2020 08:29 brutelogic
Some Cross-Site Scripting (XSS) vectors arise from strict but allowed possibilities, forming tricky combinations. It’s all about contexts, and sometimes the interaction between different contexts with different filters leads to some interesting bypasses. Although in the same document (or page), usually the source code of an HTTP response is formed by 3 different contexts: HTML, … Continue reading Filter Bypass in Multi Context
The post Filter Bypass in Multi Context appeared first on Brute XSS.
May 10, 2020 09:35 brutelogic
Some Cross-Site Scripting (XSS) vectors arise from strict but allowed possibilities, forming tricky combinations. It’s all about contexts, and sometimes the interaction between different contexts with different filters leads to some interesting bypasses. Although in the same document (or page), usually the source code of an HTTP response is formed by 3 different contexts: HTML, … Continue reading Filter Bypass in Multi Context
The post Filter Bypass in Multi Context appeared first on Brute XSS.