Introduction: In this post, we’ll explore a Stored Cross-Site Scripting (XSS) vulnerability where malicious input is stored in a web application and later reflected in an anchor (`<a>`) tag’s `href` attribute. While double quotes (`”`) are HTML-encoded, the attacker can still inject…
Introduction In this post, we’ll dissect a common Cross-Site Scripting (XSS) vulnerability where user input is reflected into an HTML attribute, but angle brackets (`<`, `>`) are HTML-encoded. This scenario is often encountered in web applications that attempt to sanitize…
Vulnerability Type: DOM-based Cross-Site Scripting (XSS) Attack Vector The vulnerable application uses jQuery to dynamically process the URL fragment identifier (`#`) and injects it unsafely into the DOM. By exploiting the `hashchange` event, an attacker can trigger malicious JavaScript execution when…
Introduction: In this post, we’ll explore a Stored Cross-Site Scripting (XSS) vulnerability where malicious input is stored in a web application and later reflected in an anchor (`<a>`) tag’s `href` attribute. While double quotes (`”`) are HTML-encoded, the attacker can…
Introduction In this post, we’ll dissect a common Cross-Site Scripting (XSS) vulnerability where user input is reflected into an HTML attribute, but angle brackets (`<`, `>`) are HTML-encoded. This scenario is often encountered in web applications that attempt to sanitize…
Vulnerability Type: DOM-based Cross-Site Scripting (XSS) Attack Vector The vulnerable application dynamically sets the `href` attribute of an anchor (`<a>`) tag using untrusted input from `location.search` (URL parameters) without proper sanitization. By injecting a `javascript:`pseudo-protocol payload, an attacker can execute…
Vulnerability Type: DOM-based Cross-Site Scripting (XSS) Attack Vector The vulnerable application dynamically injects user-controlled input from `location.search` (URL parameters) into the DOM using the `innerHTML` property, without proper sanitization. This allows an attacker to inject arbitrary HTML/JavaScript, leading to script…
Vulnerability Type: DOM-based Cross-Site Scripting (XSS) Attack Vector The vulnerable application dynamically writes user-controlled input from `location.search` (URL parameters) into the DOM using `document.write`, without proper sanitization. This allows an attacker to inject arbitrary JavaScript by breaking out of the…
Vulnerability Type: Reflected Cross-Site Scripting (XSS) Attack Vector The vulnerable application reflects user input directly into the HTML response without encoding or sanitization, allowing arbitrary JavaScript execution. The attack vector leverages a simple search functionality where the input is embedded…
Vulnerability Type: Stored Cross-Site Scripting (XSS) Attack Vector The vulnerable application stores user input (e.g., comments) directly in the database and reflects it un-sanitized in the HTML response. Unlike reflected XSS, stored XSS persists on the server, affecting all users…
