Why doesn't this XSS attack work? - xss

I want to inject some XSS code into a site. The source code is like this:
<span class="c_red">"aaa"</span>
The word aaa is displayed on the screen.
Then I injected some shellcode into the searchbox. The code I input is like this:
</span><img src=* onerror=alert(1) /><span>"
So the resulting code is
<span class="c_red">"</span><img src=* onerror=alert(1) /><span>""</span>
Why can't I get the alert box on the screen?

You didn't provide enough information about the problem, but I think it may be caused by:
The website you are trying to inject uses Str_Replace or a different method to replace some characters from your code, rendering it useless.
You placed your image outside of the span, possibly forcing the server operator to ignore your code.
Try checking the source code of the website (CTRL+U), and look whether your injected code is in the source code, and whether it's not highlighted in red (that means the part is not correctly typed, and will be ignored by some browsers).

Kate Text Editor regexp for CNC code alteration on PC

When using some CAM software, the CNC code is usually generated properly with spaces.
But for example when moved to a "Citizen Cincom L20" machine via USB or network and edited there, it loses spaces and also loses semicolons while preserving new lines, which work as semicolons anyway.
But since editing of the CNC program happens in 3 places: CAM software (ESPRIT in this case), the CNC machine controller, and also via a text editor on the computer, as the postprocessor in ESPRIT is garbage, I've come up with this regex:
([0-9]{1,2})([A-Z])
\1 \2
so
G1G99X5.4Z-.5F.12
Becomes
G1 G99 X5.4 Z-.5 F.12
that works in Kate to space everything back again for clearer reviewing of code. The only issue with it is that I need to do that manually for every file, and I would like to automate it, preferably via Kate, so it would happen upon opening any ????.PRG plain text files.
But I do not exactly know what such a thing should be called; is it like a macro or what?
I'm looking for some suggestions to accomplish this, or maybe some alternative solutions.
First, go to View -> Tool Views -> Show Search and Replace. You will see:
Make sure you:
Enable {} regex option on the right as you are using a regex
Enable "AB" option on the right that enables case sensitive matching
Select In Folder value from the dropdown on the right
Fill out the regex, replacement, Folder and the Filter fields with the appropriate values
Click Search button.
You will see the results in a separate pane and Replace / Replace Checked buttons will become enabled.
Review the replacements and click Replace Checked:
Then you may check the updated file contents, and if you are satisfied with the results, use Save All, also by pressing CTRL+L.

XSS DOM vulnerable

I tested a site for vulnerabilities (folder /service-contact) and a possible DOM XSS issue came up (using Kali Linux, Vega and XSSER). However, I tried to manually test the URL with an 'alert' script to make sure it's vulnerable. I used
www.babyland.nl/service-contact/alert("test")
No alert box/pop-up was shown, only the HTML code showed up in the contact form box.
I am not sure I used the right code (I'm a rookie) or made the right interpretation. Server is Apache, using JavaScript/js.
Can you help?
Thanks!
This is not vulnerable to XSS. Whatever you are writing in the URL is coming in the form section below (Vraag/opmerking), and the double quotes (") are escaped. If you try another payload like <script>alert(/xss/)</script>, that also won't work, because this is neither reflecting nor storing. You will see the output as text in Vraag/opmerking. Don't rely on online scanners; test manually. For DOM-based XSS, check sinks and sources and analyze them.
The tool is right. There is an XSS vulnerability on the site, but the proof of concept (PoC) code is wrong. The content of a <textarea> can only contain character data (see the <textarea> description on MDN). So your <script>alert("test")</script> is interpreted as text and not as HTML code. But you can close the <textarea> tag and insert the JavaScript code after that.
Here is the working PoC URL:
https://www.babyland.nl/service-contact/</textarea><script>alert("test")</script>
which is rendered as:
<textarea rows="" cols="" id="comment" name="comment"></textarea<script>alert("test")</script></textarea>
A little note on testing for XSS injection: Chrome/Chromium has XSS protection, so this code won't exploit the issue in this browser. For manual testing you can use Firefox or run Chrome with --disable-web-security (see this StackOverflow question and this one for more information).
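Both XSS threads above come down to the same defensive point: the payload only works where the application writes user input into HTML without encoding it for the context it lands in (the `"aaa"` span text in the first question, the comment `<textarea>` in the second). The following is an added example, not code from either question or answer. The encoder functions and the `renderSpan`, `renderTextarea` and `renderInput` templates are hypothetical names written for this illustration; the two inputs are the exact strings quoted in the posts above. Framework auto-escaping (for instance Laravel Blade's `{{ }}` output) does the same job as the encoders here, so in real code you would use that rather than hand-rolled helpers.

```javascript
// Added example, not part of the original posts.
// Context-aware HTML encoding: the same user input is rendered into an
// element's text content (the <span> case), into a <textarea>, and into a
// quoted attribute. Each context gets the encoding that stops the browser
// from ever seeing a tag or attribute boundary inside the input.

const TEXT_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
const ATTR_MAP = { ...TEXT_MAP, '"': '&quot;', "'": '&#x27;' };

// For text nodes: '<' and '&' are the characters that start markup.
function encodeForText(s) {
  return String(s).replace(/[&<>]/g, (c) => TEXT_MAP[c]);
}

// For quoted attribute values: quotes must be encoded too, or the input
// could close the attribute and start a new one.
function encodeForAttribute(s) {
  return String(s).replace(/[&<>"']/g, (c) => ATTR_MAP[c]);
}

// The <span class="c_red">"..."</span> fragment from the first question,
// with the user's input encoded for text content. A literal quote is
// harmless here, so the text encoder deliberately leaves it alone.
function renderSpan(userInput) {
  return `<span class="c_red">"${encodeForText(userInput)}"</span>`;
}

// The comment <textarea> from the second question. Its content is
// character data, so encoding '<' is exactly what prevents a premature
// </textarea> from being recognised.
function renderTextarea(userInput) {
  return `<textarea id="comment" name="comment">${encodeForText(userInput)}</textarea>`;
}

// The same input reflected into an attribute value (hypothetical search box).
function renderInput(userInput) {
  return `<input type="text" name="q" value="${encodeForAttribute(userInput)}">`;
}

// Constructed check: count real tags in the output. Only the wrapper
// elements the template itself emits should ever be counted.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Inputs quoted from the two questions above.
const SPAN_PAYLOAD = '</span><img src=* onerror=alert(1) /><span>"';
const TEXTAREA_PAYLOAD = '</textarea><script>alert("test")</script>';

console.log(renderSpan(SPAN_PAYLOAD));          // 2 tags: the span open and close
console.log(renderTextarea(TEXTAREA_PAYLOAD));  // 2 tags: the textarea open and close
console.log(renderInput(SPAN_PAYLOAD));         // 1 tag: the input element
```

The point of `countTags` is that the check is structural: whatever the input, the number of tags in the rendered fragment equals the number the template itself contains, which is the property a defender actually wants from output encoding.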

Possible bug in Blade templating system with html special characters

I'm not necessarily sure about this but it seems there's something strange going on with umlauts, accented characters and such on Blade templates with Laravel 5.1.
I was banging my head on the wall with a string that ended in an ä-letter which I really, really couldn't get decoded with html_entity_decode no matter what I tried.
Here's what I had in my Blade template file as I was going mad:
{{ html_entity_decode('just-another-string-ä') }}
Now, when I render the template in a browser window I obviously get:
just-another-string-ä
But in the source I have the following:
just-another-string-äauml;
Which in my understanding does not stand for the string that I had given in the blade template.
...several minutes pass by...
After a while I changed the string to:
just-another-string-ä-test
And as a source-code result I get:
just-another-string-ä-test
Which indeed is much more easily decoded than the "almost-double-auml" I got with the first string. In addition to the final letter/word replacement, I also noticed that things work as expected when I enter a line break in the Blade template after the line.
{{ html_entity_decode('just-another-string-ä') }}
{{-- erase this comment --}}
And everything is in order in the source code:
just-another-string-ä
Have I completely missed something here or does this smell like a bug?
Okay I've found the problem, though not really much of a solution.
After looking into this I found that it's not a Blade issue. Neither is it PHP or Apache - it's your browser.
For example, just create yourself an HTML file with the following contents:
this-is-a-string-ä
For me (at least in Chrome, I haven't tested other browsers), this will produce the same issues as you are seeing. If you have no trailing newline, view source will break, but if you do have one, it's fine.
So the solution is simple, enable the "blank newline at end of file" setting in your text editor. You should really have this turned on anyway, for example diffs work a touch better with a blank line at the end of a file (they don't see a difference where there is none), which means, by extension, version control systems like Git handle them a bit better. And it doesn't really hurt to have this enabled that I've ever found.
I would imagine that this is almost certainly a known issue, but I haven't looked into Chrome issue tracker or anything. Feel free to do so though, if you do want to get to the bottom of it. I'd be interested to know :)

Regex with iframe in Yahoo! Pipes

I'm building a Yahoo! Pipe to pull an RSS feed from Reddit which links to some content in the description. I'm using a regex to match the href attribute of the anchor link in an item.description field. The regex I'm using is:
^.+?href="([^"]+)">\[link\].+?$
As a test, I set the replace to simply:
$1
and I see that the entire description field has been replaced with the URL. So far, so good.
I then put the following in the replace field. The idea being to iframe the content that's linked to:
Content: <iframe src="$1">no iframe support</iframe> End
What I get out however is:
Content: no iframe support End
I've confirmed that this is also coming through in the pipe's output and not just in the Yahoo! Pipes debug console.
I've so far tried replacing my angle brackets with &lt; and &gt; entities. I've tried wrapping the entire thing in a <![CDATA[ ... ]]> block and still, I get nothing. If I break my iframe tag by removing an angle bracket, the broken content comes through fine, but if I have a well-formed iframe element, it vanishes, leaving the "no iframe support" text. Am I doing something wrong here, or is Yahoo! actively preventing me from using iframe tags in my generated pipe? A cursory search on Google isn't turning up anything related to this.
The pipe in question is here:
http://pipes.yahoo.com/pipes/pipe.info?_id=2ba41448cadd2347d86f377efd3d199f
This Pipes FAQ Question "Why does Pipes Strip <object> and <embed> tags... ?" shows that a certain amount of sanitization is performed, by placing content (at least certain content) into an iframe for the safety of RSS consumers - though it does not state it specifically, this probably also removes other iframes in order to avoid nesting and other work-arounds.
Yahoo is big enough that I would doubt they have a weak sanitizer, but an extremely long shot is that you might be able to fool it by nesting the iframe in a bunch of other tags (again, I doubt this will work). Also, depending upon which step does the sanitization, perhaps adding part of the tag in one step, then adding another part somewhere else might work (yet again, doubt overwhelms me).
Not sure what else to suggest, other than getting something else to consume and transform your RSS a little bit more (by fixing otherwise broken tags??) - but that's what you're using pipes for to begin with, isn't it? Idunno...
Good luck!
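The behaviour the question reports (a well-formed `<iframe>` vanishes but its fallback text survives) is what an aggregator's tag stripper produces, as the answer above suggests. The following added example, which is not code from the question, the answer or Yahoo! Pipes, runs the question's own regex over a constructed Reddit-style description and then models that stripping step so the observed output can be reproduced offline. `extractLink`, `buildReplacement` and `stripActiveContent` are hypothetical names, and the sample description is constructed. The stripper here is a few lines of regex because it only needs to model the observed result; a real feed consumer should sanitize with an HTML-parser-based library rather than regular expressions, which are easy to slip past.

```javascript
// Added example, not part of the original question or answers.
// Step 1: the regex from the question, applied to item.description.
const HREF_RE = /^.+?href="([^"]+)">\[link\].+?$/;

// Constructed sample in the shape of a Reddit RSS item description.
const SAMPLE_DESCRIPTION =
  '<a href="http://example.test/post/1">[link]</a> ' +
  '<a href="http://reddit.test/r/x/comments/1">[comments]</a>';

function extractLink(description) {
  const m = HREF_RE.exec(description);
  return m ? m[1] : null;
}

// The replacement string from the question, with $1 filled in.
function buildReplacement(description) {
  const url = extractLink(description);
  if (url === null) return description;
  return `Content: <iframe src="${url}">no iframe support</iframe> End`;
}

// Step 2: model of the aggregator's sanitizer. Elements that embed active
// or remote content are removed tag-by-tag; their inner text is kept, which
// is why the fallback text "no iframe support" is all that comes through.
const STRIPPED_TAGS = ['iframe', 'object', 'embed', 'script'];

function stripActiveContent(html) {
  const re = new RegExp(`</?(?:${STRIPPED_TAGS.join('|')})\\b[^>]*>`, 'gi');
  return html.replace(re, '');
}

// End to end: what the pipe's output looks like after sanitization.
function processDescription(description) {
  return stripActiveContent(buildReplacement(description));
}

console.log(extractLink(SAMPLE_DESCRIPTION));       // the [link] href
console.log(processDescription(SAMPLE_DESCRIPTION)); // "Content: no iframe support End"
```

Note that `[^>]*` in the stripper is enough to reproduce the observed result, but it is exactly the kind of pattern that attribute values containing `>` or unusual whitespace can confuse; that fragility is the reason to prefer a parser-based sanitizer in anything that consumes untrusted feeds.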
Pipes has a fanatical devotion to the RSS spec, and the spec says the description field is plain text only. HTML etc. is supposed to go in the content:encoded field, not that I've had much luck getting Pipes to do that.

paste code with syntax colors and alignment

I am looking for some blog site where I will be able to directly paste C++ code examples
into my posts and see the code with all the alignment and colors like I see it on pastie.org.
I need all those things to be done automatically, because I don't know HTML and can't make the code changes by myself.
Get WordPress + WP-Syntax.
You won't be able to "copy and paste" the code directly; you'll have to wrap it like this:
<pre lang="c++">
CODE GOES HERE
</pre>
I use this JavaScript for syntax highlighting in blogger. It's very easy to use.
The key feature of the above highlighter is that the script is permanently hosted on http://softwaremaniacs.org/, which makes it possible to use the script on blogger.com.
Another nice syntax highlighter can be found at code.google.com (it can be integrated into blogger.com).
I use the "Online syntax highlighting" at http://tohtml.com
Paste your code in the text box there, select the programming language and color scheme and it will generate a webpage with your syntax highlighted code. Copy and paste that into your blogger editor and you are good to go.