From 501bf1ba561ad42b9a8a90acc96820c5dea53715 Mon Sep 17 00:00:00 2001
From: CPol
Date: Tue, 22 Feb 2022 10:32:26 +0000
Subject: [PATCH] GitBook: [#3027] No subject

---
 .../xss-cross-site-scripting/README.md | 20 +++++++++++++++++++
 pentesting/pentesting-web/spring-actuators.md | 7 ++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md
index e98bfbf28..15f4d8774 100644
--- a/pentesting-web/xss-cross-site-scripting/README.md
+++ b/pentesting-web/xss-cross-site-scripting/README.md
@@ -395,6 +395,26 @@ Read the[ Blacklist Bypasses of the previous section](./#blacklist-bypasses).
 Read the J[avaScript bypass blacklist of the following section](./#javascript-bypass-blacklists-techniques).
+### CSS-Gadgets
+
+If you found a **XSS in a very small part** of the web that requires some kind of interaction (maybe a small link in the footer with an onmouseover element), you can try to **modify the space that element occupies** to maximize the probabilities of have the link fired.
+
+For example, you could add some styling in the element like: `position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5`
+
+But, if the WAF is filtering the style attribute, you can use CSS Styling Gadgets, so if you find, for example
+
+> .test {display:block; color: blue; width: 100%\}
+
+and
+
+> \#someid {top: 0; font-family: Tahoma;}
+
+Now you can modify our link and bring it to the form
+
+> \
+
+This trick was taken from [https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703](https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703)
+
 ## Injecting inside JavaScript code
 In these case you **input** is going to be **reflected inside the JS code** of a `.js` file or between `` tags or between HTML events that can execute JS code or between attributes that accepts the `javascript:` protocol.
diff --git a/pentesting/pentesting-web/spring-actuators.md b/pentesting/pentesting-web/spring-actuators.md
index 95ef124cf..f73c6768d 100644
--- a/pentesting/pentesting-web/spring-actuators.md
+++ b/pentesting/pentesting-web/spring-actuators.md
@@ -1,6 +1,6 @@
 # Spring Actuators
-**Page copied from** [**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)****
+**Page copied from** [**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)
 ## Exploiting Spring Boot Actuators
@@ -16,6 +16,7 @@ The following Actuator endpoints could potentially have security implications le
 * /shutdown - shuts the application down
 * /mappings - shows all of the MVC controller mappings
 * /env - provides access to the configuration environment
+* /actuator/env
 * /restart - restarts the application
 * /heapdump - Builds and returns a heap dump from the JVM used by our application
@@ -207,3 +208,7 @@ public class AwesomeScriptEngineFactory implements ScriptEngineFactory {
 ## Env + H2 RCE
 See this page to find how to exploit the /env + H2 combination: [https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database)
+
+## More Information
+
+* [https://tutorialboy24.blogspot.com/2022/02/introduction-to-spring-boot-related.html](https://tutorialboy24.blogspot.com/2022/02/introduction-to-spring-boot-related.html)