mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
GitBook: [#3027] No subject
This commit is contained in:
parent
4a5d3a49d3
commit
501bf1ba56
2 changed files with 26 additions and 1 deletions
|
@ -395,6 +395,26 @@ Read the[ Blacklist Bypasses of the previous section](./#blacklist-bypasses).
|
|||
|
||||
Read the J[avaScript bypass blacklist of the following section](./#javascript-bypass-blacklists-techniques).
|
||||
|
||||
### CSS-Gadgets
|
||||
|
||||
If you found a **XSS in a very small part** of the web that requires some kind of interaction (maybe a small link in the footer with an onmouseover element), you can try to **modify the space that element occupies** to maximize the probabilities of have the link fired.
|
||||
|
||||
For example, you could add some styling in the element like: `position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5`
|
||||
|
||||
But, if the WAF is filtering the style attribute, you can use CSS Styling Gadgets, so if you find, for example
|
||||
|
||||
> .test {display:block; color: blue; width: 100%\}
|
||||
|
||||
and
|
||||
|
||||
> \#someid {top: 0; font-family: Tahoma;}
|
||||
|
||||
Now you can modify our link and bring it to the form
|
||||
|
||||
> \<a href=”” id=someid class=test onclick=alert() a=””>
|
||||
|
||||
This trick was taken from [https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703](https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703)
|
||||
|
||||
## Injecting inside JavaScript code
|
||||
|
||||
In these case you **input** is going to be **reflected inside the JS code** of a `.js` file or between `<script>...</script>` tags or between HTML events that can execute JS code or between attributes that accepts the `javascript:` protocol.
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Spring Actuators
|
||||
|
||||
**Page copied from** [**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)****
|
||||
**Page copied from** [**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)
|
||||
|
||||
## Exploiting Spring Boot Actuators
|
||||
|
||||
|
@ -16,6 +16,7 @@ The following Actuator endpoints could potentially have security implications le
|
|||
* /shutdown - shuts the application down
|
||||
* /mappings - shows all of the MVC controller mappings
|
||||
* /env - provides access to the configuration environment
|
||||
* /actuator/env
|
||||
* /restart - restarts the application
|
||||
* /heapdump - Builds and returns a heap dump from the JVM used by our application
|
||||
|
||||
|
@ -207,3 +208,7 @@ public class AwesomeScriptEngineFactory implements ScriptEngineFactory {
|
|||
## Env + H2 RCE
|
||||
|
||||
See this page to find how to exploit the /env + H2 combination: [https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database)
|
||||
|
||||
## More Information
|
||||
|
||||
* [https://tutorialboy24.blogspot.com/2022/02/introduction-to-spring-boot-related.html](https://tutorialboy24.blogspot.com/2022/02/introduction-to-spring-boot-related.html)
|
||||
|
|
Loading…
Reference in a new issue