Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 12:43:23 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [#3027] No subject

Browse source
This commit is contained in:
CPol 2022-02-22 10:32:26 +00:00 committed by gitbook-bot
parent 4a5d3a49d3
commit 501bf1ba56
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 26 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
pentesting-web/xss-cross-site-scripting/README.md
View file

@ -395,6 +395,26 @@ Read the[ Blacklist Bypasses of the previous section](./#blacklist-bypasses).
Read the J[avaScript bypass blacklist of the following section](./#javascript-bypass-blacklists-techniques).
### CSS-Gadgets
If you found a **XSS in a very small part** of the web that requires some kind of interaction (maybe a small link in the footer with an onmouseover element), you can try to **modify the space that element occupies** to maximize the probabilities of have the link fired.
For example, you could add some styling in the element like: `position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5`
But, if the WAF is filtering the style attribute, you can use CSS Styling Gadgets, so if you find, for example
> .test {display:block; color: blue; width: 100%\}
and
> \#someid {top: 0; font-family: Tahoma;}
Now you can modify our link and bring it to the form
> \<a href=”” id=someid class=test onclick=alert() a=””>
This trick was taken from [https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703](https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703)
## Injecting inside JavaScript code
In these case you **input** is going to be **reflected inside the JS code** of a `.js` file or between `<script>...</script>` tags or between HTML events that can execute JS code or between attributes that accepts the `javascript:` protocol.

7
pentesting/pentesting-web/spring-actuators.md
View file

@ -1,6 +1,6 @@
# Spring Actuators
**Page copied from** [**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)****
**Page copied from** [**https://www.veracode.com/blog/research/exploiting-spring-boot-actuators**](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)
## Exploiting Spring Boot Actuators
@ -16,6 +16,7 @@ The following Actuator endpoints could potentially have security implications le
* /shutdown - shuts the application down
* /mappings - shows all of the MVC controller mappings
* /env - provides access to the configuration environment
* /actuator/env
* /restart - restarts the application
* /heapdump - Builds and returns a heap dump from the JVM used by our application
@ -207,3 +208,7 @@ public class AwesomeScriptEngineFactory implements ScriptEngineFactory {
## Env + H2 RCE
See this page to find how to exploit the /env + H2 combination: [https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database)
## More Information
* [https://tutorialboy24.blogspot.com/2022/02/introduction-to-spring-boot-related.html](https://tutorialboy24.blogspot.com/2022/02/introduction-to-spring-boot-related.html)