Application Guide: How to Bypass XSS Filters
[QUOTE="Dr. Smile, post: 387, member: 19"]
There are vulnerabilities in almost any web project, and I will teach you how to use this circumstance for your own purposes. Practical, of course.

[B]How to Investigate the Site Name Element[/B]
Any web application works on the principle of character encoding "<" and ">". First, you need to figure out how the processing takes place. The check can be bypassed if it occurs on the HTML5/JavaScript client side.

So, open the page in a convenient browser, right-click on the "Site Name" form. You will see a context menu. In order to open a window with editing the properties of elements, you must select the item called "Inspect Element".

[B]How to remove all client side constraints[/B]
Everything is very simple here. You just need to increase the value in the maxsize field, while first removing the pattern field. In total, we get:

Code:
<input type="text" placeholder="Name of site" maxsize="100" class="form-control" required="" name="name">

[B]How to remove the code responsible for character encoding[/B]
Most likely, the characters "<" and ">" are processed using the ex1.js (JavaScript) file. The first step is to slightly edit the JavaScript code on the client side. To do this, I suggest using the Web Developer plugin. Remove the code that is responsible for encoding HTML characters by going to the Sources tab. Here's what we get:

Code:
var siteName = $(".ex1 input[type='text']").val().trim().replace(/</g, "&lt;").replace(/>/g, "&gt;");
var siteURL = $(".ex1 input[type='url']").val().trim().replace(/</g, "&lt;").replace(/>/g, "&gt;");

[B]How to add payload[/B]
After removing the client-side character processing, add the following payload to the Site Name field, remembering to click on Submit:

Code:
<script>alert('Ex1')</script>

What do we have in the bottom line? With the help of the performed manipulations, we successfully inject the payload into the page.

There is only one way to defend against such attacks: it is necessary that the verification of user data occurs on the server side.

Thanks for reading. Subscribe to the Levaya Simka channel, there will be a lot of interesting things ahead.
[/QUOTE]
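The server-side verification the post ends on, as an added example that is not part of the original post: every rule the form declared in the browser is re-applied on the server, and values are HTML-encoded again when rendered. The field names `name` and `url`, the 50-character limit, the allow-list pattern and the function names are assumptions made for illustration.

```javascript
// Added example (not from the post). Limits, pattern and names are assumptions.
const NAME_MAX = 50;
const NAME_PATTERN = /^[\p{L}\p{N} ._-]+$/u; // letters, digits, space . _ -

// Encode the HTML-significant characters for element and attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Re-apply on the server what maxlength/pattern/type="url" only suggest in the browser.
function validateSubmission(body) {
  const errors = [];
  const name = typeof body.name === "string" ? body.name.trim() : "";
  const url = typeof body.url === "string" ? body.url.trim() : "";

  if (name.length === 0 || name.length > NAME_MAX) errors.push("name: length");
  else if (!NAME_PATTERN.test(name)) errors.push("name: characters");

  let parsed = null;
  try { parsed = new URL(url); } catch { errors.push("url: malformed"); }
  if (parsed && !["http:", "https:"].includes(parsed.protocol)) {
    errors.push("url: scheme");
  }
  return { ok: errors.length === 0, errors, name, url: parsed ? parsed.href : "" };
}

// Encode at output time too, so anything already stored renders as inert text.
function renderEntry(entry) {
  return `<li><a href="${escapeHtml(entry.url)}">${escapeHtml(entry.name)}</a></li>`;
}

// Constructed sample requests: one unmodified form, one sent with the
// browser-side checks removed (the Site Name value is the one from the post).
const honest = validateSubmission({ name: "Example Blog", url: "https://example.org/" });
const tampered = validateSubmission({ name: "<script>alert('Ex1')</script>", url: "ftp://example.org/" });

console.log(honest.ok, honest.errors);     // accepted
console.log(tampered.ok, tampered.errors); // rejected by the server
console.log(renderEntry({ name: "<script>alert('Ex1')</script>", url: "https://example.org/" }));
```

Validation decides what is accepted; encoding in `renderEntry` is what keeps the page safe for any value that reaches the template, including data stored before the check existed.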