Questions tagged [xss]

Cross-Site Scripting: An attack method that involves injection of code or markup into a webpage. There are three major types of XSS: Reflected XSS, Stored XSS (aka persistent XSS) and DOM-based XSS (aka client side XSS).

1 vote
0 answers
50 views

How to launch XSS code from an INPUT tag?

I have a website with the following code: <input class="Header--search--form-input" name="search" value="&quot; onfocus=&quot;alert(1)&quot; autofocus=&quot;...
Уканис Алексей
5 votes
3 answers
1k views

What are the next layers of defence against cookie stealing if a GET parameter is vulnerable to XSS and there is no HttpOnly flag in a website?

If a GET parameter in a website is vulnerable to XSS and the user input is reflected without any change or escaping or filtering and also HttpOnly is not set for session cookie, is stealing the cookie ...
fed • 61
10 votes
2 answers
4k views

A web site allows upload of pdf/svg files, can we say it is vulnerable to Stored XSS?

It is possible to have JavaScript code in pdf or svg files. I think JavaScript inside svg runs in almost all browsers and I think JavaScript inside pdf generally always runs in chrome. So during a ...
user26317030
1 vote
1 answer
80 views

SVG XSS - When script tag and on* attributes are filtered

I'm looking at an XSS lab that has the tags: script, iframe, object and embed filtered, and all on* attributes are filtered. However, svg is allowed. Is this exploitable, with no user interaction ...
paj28 • 33.8k
0 votes
1 answer
258 views

XSS against improper character sanitization [closed]

I have the following code from an XSS challenge and I've been told that it's vulnerable to XSS. And the hint to the question points to https://html.spec.whatwg.org/multipage/parsing.html#tag-open-...
arian_lrd
0 votes
1 answer
50 views

Running blog under /blog, security considerations

I'd like to set up a self-hosted Ghost.org blog for a SaaS. I have two options: example.com/blog blog.example.com Everywhere I read they recommend the /blog for SEO. However, I'm concerned about the ...
hyperknot • 101
0 votes
0 answers
68 views

Overcoming Middleware: Exploiting XSS to Retrieve Data

I am attempting to perform an XSS attack on my server and have successfully bypassed the CSP. In my server code, I store all users in the following manner: .get("/users", adminReq, (req, ...
EPiez • 13
1 vote
0 answers
57 views

Overcoming Cookie Theft Barrier in XSS Attack despite CSP Implementation

I have a website that includes CSP rules: .use( helmet.contentSecurityPolicy({ directives: { defaultSrc: ["'self'"], scriptSrc: [ "'self'", "cdnjs....
EPiez • 13
0 votes
1 answer
128 views

Bypassing CSP and implementing XSS attack

I am using Content Security Policy (CSP) rules in my code to defend against XSS attacks. Here are the CSP rules I have implemented using Helmet: .use( helmet.contentSecurityPolicy({ directives: { ...
EPiez • 13
0 votes
1 answer
125 views

Is it possible to trick a user into logging in to a site, then stealing a non HttpOnly cookie that will be set after they log in?

If a user has already logged in, and then the site sets a non HttpOnly cookie, then it seems possible to trick the user into doing something that would lead to the cookie being stolen. If the cookie ...
ETLJ • 11
0 votes
0 answers
78 views

Cross Site Scripting with URL protocol schema javascript

I'm testing a web application and I found an XSS vulnerability. I can inject schemas like data:// or tel:// but they have blocked the javascript:// schema. On current browsers the origin is null if I ...
jack • 1
-1 votes
1 answer
174 views

How to sanitize $_SERVER url variables?

An attacker used the HTTP_REFERER variable to inject Javascript by sending the following in the Header: Referer: &#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#...
rami300 • 160
0 votes
2 answers
74 views

Is there a way to exploit / make an exploit scenario for header-based reflected XSS?

I've found a reflected XSS, but the problem is that the attack vector is the header (any header). Is there a way to develop an exploit scenario based on this?
0xdead 4f
2 votes
1 answer
186 views

Secure way to output encoding HTML for insert raw html via javascript

I want to be 100% secure, I create raw html this way: const template = document.createElement('template') template.innerHTML = html_raw const cloned = template.content.cloneNode(true) document....
The nothing
0 votes
2 answers
144 views

Does CSP protect against XSS in url?

If I have a web app that is vulnerable to XSS in the url (reflected XSS), does CSP protect against this type of XSS? Ex: when I run www.example.com/<script>alert(1);</script> in the ...
anonymous