Categoría: Portswigger Lab writeup

Reflected DOM XSS

Descripción This lab demonstrates a reflected DOM vulnerability. Reflected DOM vulnerabilities occur when the server-side application processes data from a request and echoes the data in the response. A script on the page then processes the reflected data in an unsafe way, ultimately writing it to a dangerous sink. To solve this lab, create an […]

DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded

Descripción This lab contains a DOM-based cross-site scripting vulnerability in a AngularJS expression within the search functionality. AngularJS is a popular JavaScript library, which scans the contents of HTML nodes containing the ng-app attribute (also known as an AngularJS directive). When a directive is added to the HTML code, you can execute JavaScript expressions within double curly […]

DOM XSS in document.write sink using source location.search inside a select element

Descripción This lab contains a DOM-based cross-site scripting vulnerability in the stock checker functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search which you can control using the website URL. The data is enclosed within a select element. To solve this lab, perform a cross-site scripting attack […]

Reflected XSS into a JavaScript string with angle brackets HTML encoded

Descripción This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function. Reflected XSS into a JavaScript string with angle brackets […]

Multistep clickjacking

Descripción This lab has some account functionality that is protected by a CSRF token and also has a confirmation dialog to protect against Clickjacking. To solve this lab construct an attack that fools the user into clicking the delete account button and the confirmation dialog by clicking on «Click me first» and «Click me next» […]

Exploiting clickjacking vulnerability to trigger DOM-based XSS

Descripción This lab contains an XSS vulnerability that is triggered by a click. Construct a clickjacking attack that fools the user into clicking the «Click me» button to call the print() function. Exploiting clickjacking vulnerability to trigger DOM-based XSS writeup En este laboratorio, tendremos una página donde podremos enviar un comentario (‘Submit feedback’). Al hacerlo, la página […]

Clickjacking with a frame buster script

Descripción This lab is protected by a frame buster which prevents the website from being framed. Can you get around the frame buster and conduct a clickjacking attack that changes the users email address? To solve the lab, craft some HTML that frames the account page and fools the user into changing their email address […]

Clickjacking with form input data prefilled from a URL parameter

Descripción This lab extends the basic clickjacking example in Lab: Basic clickjacking with CSRF token protection. The goal of the lab is to change the email address of the user by prepopulating a form using a URL parameter and enticing the user to inadvertently click on an «Update email» button. To solve the lab, craft some […]

Remote code execution via polyglot web shell upload

Descripción This lab contains a vulnerable image upload function. Although it checks the contents of the file to verify that it is a genuine image, it is still possible to upload and execute server-side code. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. […]

Basic clickjacking with CSRF token protection

Descripción This lab contains login functionality and a delete account button that is protected by a CSRF token. A user will click on elements that display the word «click» on a decoy website. To solve the lab, craft some HTML that frames the account page and fools the user into deleting their account. The lab […]