Ethical Hacking and Penetration Testing Guide



Yüklə 22,44 Mb.
Pdf görüntüsü
səhifə226/235
tarix07.08.2023
ölçüsü22,44 Mb.
#138846
1   ...   222   223   224   225   226   227   228   229   ...   235
Ethical Hacking and Penetration Testing Guide ( PDFDrive )

Svg Craziness: Bypass 2
Consider a scenario where a website is insane enough to use SVG and it’s using htmlspecialchars 
for filtering out the input. Your input will be reflected in the following manner:



376
◾ 
Ethical Hacking and Penetration Testing Guide
Now we submit the following input:
www.site.com/test.php?var=text
"
;alert(1)//
This is how your input would be reflected with htmlspecialchars enabled:

This will execute JavaScript even if HTML chars have been enabled, and htmlspecialchars 
converted your 
"
to its html entity ““"”. However, it still executes under SVG because it 
introduces an additional context (xml) into the html context. A solution would be to render a 
double encode instead of a single encode of to the characters.
The following is the screenshot of a jsfiddle’s output:
Bypass 3: href Attribute
This third one is the easiest of them all. You would often come across this particular scenario. 
Imagine your input is being reflected in href tag and then being parsed and displayed on the 
screen.
Click
An attacker injects the following payload as an input:
Javascript:alert(1);
It would be reflected as follows:
Click
This will bypass htmlspecialchars and result in a valid JavaScript execution. Here is the real-
world example of this scenario.


Web Hacking
◾ 
377
Stored XSS/Persistent XSS
We learned about various techniques for identifying reflected XSS vulnerabilities. Let’s talk about 
the second form of XSS, that is, stored or persistent XSS. Unlike reflected XSS, in stored XSS 
vulnerabilities, the user input gets stored in a database or on a server and is reflected back later. 
The identification and detection techniques are the same as the reflected XSS; however, the only 
difference is that the data are stored. Stored XSS vulnerabilities are most dangerous of all as they 
require very less user interaction. Let’s now look at an example of a simple stored XSS.
We have a guestbook that allows random guests to write a message. The guestbook accepts two 
parameters: name and message. We will try testing both of them for XSS vulnerabilities.
Payloads
Name: 
rafay">
Message: 
">
As we click the “Sign Guestbook” button, our name with our comment is posted; however, the 
problem is that both of these inputs are not properly escaped before they are reflected back to us. 
And since the input is stored in the page, we call it a stored XSS.
This means that the JavaScript would be executed when anyone visits the page containing 
guestbook. We will see how this can be dangerous a bit later.



Yüklə 22,44 Mb.

Dostları ilə paylaş:
1   ...   222   223   224   225   226   227   228   229   ...   235




Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur ©azkurs.org 2024
rəhbərliyinə müraciət

gir | qeydiyyatdan keç
    Ana səhifə


yükləyin