Showing posts from May, 2018

How to reduce risk of XSS while allowing html tags

1. Allow a limited set of HTML tags:

  'a'
  'em'
  'strong'
  'cite'
  'code'
  'ul'
  'ol'
  'li'
  'dl'
  'dt'
  'dd'

Refer to the way Drupal does it in filter_xss(): https://api.drupal.org/api/drupal/modules%21filter%21filter.module/function/filter_xss/6.x



2. Remove all script event handlers (onload/onerror, i.e. on[a-z]{1,10}=) and src-based payloads (e.g. src=javascript:alert()) when storing product information. Patterns to strip:

  on[a-z]{1,10}=
  javascript:
  data:
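As an added example (not Drupal's filter_xss() and not code from this blog), here is a small Python sanitizer that applies both steps: it keeps only the tags listed in step 1, strips every on[a-z]{1,10} handler, and lets href through only as a relative URL or with an allowlisted scheme, so javascript: and data: payloads are dropped. The attribute and scheme allowlists are assumptions chosen for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: the tag list from step 1; only <a> keeps
# attributes, and href survives only as a relative URL or http/https/mailto.
ALLOWED_TAGS = {'a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'}
ALLOWED_ATTRS = {'a': {'href', 'title'}}
ALLOWED_SCHEMES = {'http', 'https', 'mailto'}
DROP_CONTENT = {'script', 'style'}                  # drop the tag AND its text
EVENT_HANDLER = re.compile(r'^on[a-z]{1,10}$', re.IGNORECASE)   # step 2 pattern
SCHEME = re.compile(r'^([a-z][a-z0-9+.\-]*):', re.IGNORECASE)

def safe_url(value):
    # Browsers ignore C0 controls and space inside the scheme ("java<TAB>script:"),
    # so strip them before allowlisting; no scheme at all means a relative URL.
    cleaned = re.sub(r'[\x00-\x20]', '', value or '')
    m = SCHEME.match(cleaned)
    return m is None or m.group(1).lower() in ALLOWED_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)     # attrs/text arrive decoded
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if tag not in ALLOWED_TAGS:
            return                                   # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:
            if EVENT_HANDLER.match(name) or name not in ALLOWED_ATTRS.get(tag, set()):
                continue                             # onerror=, onload=, style=, src=, ...
            if name == 'href' and not safe_url(value):
                continue                             # javascript:, data:, vbscript:, ...
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f'<{tag}{"".join(kept)}>')
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f'</{tag}>')
    def handle_data(self, data):
        if not self.skip:                            # comments/declarations are never re-emitted
            self.out.append(escape(data, quote=False))

def sanitize(html):
    """Return markup containing only the allowlisted tags and attributes."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return ''.join(p.out)
```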

[Hone Your Ninja Skill] Think Beyond - Tweets Display

http://honeyourskills.ninja/target/beyond/?url=display-tweets.php

In this complex world where applications are massively interconnected and cohesively make the best use of one another's data, attacks can come from every angle if you don't think beyond.

[Hone Your Ninja Skill] Think Beyond - Dig online

In this complex world where applications are massively interconnected and cohesively make the best use of one another's data, attacks can come from every angle if you don't think beyond.

https://honeyourskills.ninja/target/beyond/?url=dig-online.php

[Hone Your Ninja Skill] Whitelist filter bypass ("URL")

http://honeyourskills.ninja/target/data_restriction/?url=whitelist-filter-bypass-url.php

In input validation, the whitelisting approach is said to be better than the blacklisting one. Yet a non-robust whitelisting implementation could still allow an attacker to bypass your defense.

[Hone Your Ninja Skill] Simple Tactical XSS Filter Bypass

Mission: Achieve script execution when submitting the form.
Hint: It is simple. Just a matter of tactics, techniques, and procedures.

http://honeyourskills.ninja/target/simple-tactical-xss-filter-bypass.php

[Hone Your Ninja Skill] Blacklist filter bypass on < > and =

http://honeyourskills.ninja/target/xss/challenges/blacklist-filter-bypass-bracket-allowed.php

[Hone Your Ninja Skill] Blacklist filter bypass on > < ( ) and =

Mission: Achieve arbitrary script execution when clicking the link:
http://honeyourskills.ninja/target/blacklist-filter-bypass-bracket-equal.php?callback=printToPage

[Hone Your Ninja Skill] Blacklist filter bypass on > < ( and )

Mission: Bypass the "( )" character restriction and achieve script execution.

http://honeyourskills.ninja/target/blacklist-filter-bypass-bracket.php?callback=printToPage

[Hone Your Ninja Skill] Blacklist filter bypass ("domain name")

Mission: Try submitting an equivalent of the blacklisted word "yehg.net" in the form below, for fun:

http://honeyourskills.ninja/target/blacklist-filter-bypass-domain.php

Does your app properly destroy the session?

Bypassing referrer check with no script involved

No need to use a scripting approach like https://github.com/knu/noreferrer any more.

This useful meta tag helps with CSRF PoC preparation when you come across an application that checks the Referer header:
<meta name="referrer" content="no-referrer">

https://caniuse.com/#feat=referrer-policy

When your XSS finding is NOT impressive

If your clients/stakeholders are not convinced by your XSS finding, demonstrating the impact with BeEF or a simple executable-download payload could help.

Exe Download PoC: https://lnkd.in/fWF_nEK
BeEF: http://beefproject.com/