Portswigger
  • Portswigger
  • Server-Side Request Forgery
    • Server-Side Request Forgery (SSRF)
  • SSRF with filter bypass via open redirection vulnerability
  • Blind SSRF with out-of-band detection
  • Cross-Site Scripting
    • Cross-Site Scripting (XSS)
  • Reflected XSS into a JS string with angle brackets and double&single quotes HTML-encoded escape
  • XSS into a template literal w/ angle brackets, single, double quotes, backslash & backticks Escaped
  • Authentication
    • Authentication
  • Username enumeration via subtly different responses
  • 2FA broken logic
  • Username enumeration via response timing
  • Username enumeration via account lock
  • Password reset poisoning via middleware
  • Path Traversal
    • Path Traversal
  • File path traversal, traversal sequences stripped with superfluous URL-decode
  • File path traversal, traversal sequences blocked with absolute path bypass
  • Business Logic Vulnerabilities
    • Business Logic Vulnerabilities
  • Insufficient workflow validation
  • Inconsistent handling of exceptional input
  • Server-Side Template Injection
    • Server-Side Template Injection
  • Basic server-side template injection
  • Basic server-side template injection (code context)
  • SQL Injection
    • SQL Injection
    • Blind SQL injection with conditional responses
  • SQL injection UNION attack, retrieving data from other tables
  • SQL injection attack, listing the database contents on non-Oracle databases
  • API Testing
    • API Testing
  • Exploiting an API endpoint using documentation
  • Exploiting a mass assignment vulnerability
  • Finding and exploiting an unused API endpoint
  • JWT ATTACK
    • JWT Attack
    • JWT authentication bypass via unverified signature
  • JWT authentication bypass via jku header injection
  • JWT authentication bypass via flawed signature verification
  • HTTP HOST HEADER ATTACKS
    • HTTP Host header attacks
  • Basic password reset poisoning
  • Host header authentication bypass
  • No SQL Injection
    • NoSQL Injection
  • Detecting NoSQL injection
  • Exploiting NoSQL operator injection to bypass authentication
  • Exploiting NoSQL injection to extract data
  • FILE UPLOAD VULNERABILITIES
    • File Upload Vulnerabilities
  • Web shell upload via obfuscated file extension
  • OAuth Authentication
    • OAuth Authentication
  • OAuth account hijacking via redirect_uri
  • ACCESS CONTROL VULNERABILITIES
    • Access Control Vulnerabilities
  • User ID controlled by request parameter with data leakage in redirect
  • User ID controlled by request parameter with password disclosure
  • User role controlled by request parameter
  • User role can be modified in user profile
  • URL-based access control can be circumvented
  • INFORMATION DISCLOSURE VULNERABILITIES
    • Information Disclosure Vulnerabilities
  • Information disclosure in version control history
  • XML external entity injection
    • XML External Entity (XXE) Injection
  • Exploiting XXE using external entities to retrieve files
  • Exploiting blind XXE to retrieve data via error messages
  • Blind XXE with out-of-band interaction
  • Blind XXE with out-of-band interaction via XML parameter entities
  • OS COMMAND INJECTION
    • OS Command Injection
  • Blind OS command injection with out-of-band data exfiltration
  • PROTOTYPE POLLUTION
    • Prototype Pollution
  • Privilege escalation via server-side prototype pollution
  • WEB CACHE POISONING
    • Web Cache Poisoning
  • Web cache poisoning via an unkeyed query parameter
Powered by GitBook
On this page

XSS into a template literal w/ angle brackets, single, double quotes, backslash & backticks Escaped

Link: https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-template-literal-angle-brackets-single-double-quotes-backslash-backticks-escaped

PreviousReflected XSS into a JS string with angle brackets and double&single quotes HTML-encoded escapeNextAuthentication

Last updated 3 months ago

Description:

This lab contains a vulnerability in the search blog functionality. The reflection occurs inside a template string with angle brackets, single, and double quotes HTML encoded, and backticks escaped. To solve this lab, perform a cross-site scripting attack that calls the alert function inside the template string.

Referensi:

Proof of concept:

  1. Cek seluruh fitur yang ada

  2. Analisa request dan response disetiap fiturnya

  3. Dari hasil analisa didapati bahwa terdapat beberapa karakter yang bakal di escape unicode seperti karakter \’<>`. Tapi terdapat beberapa karakter yang tidak terescape unicode seperti {}$;(). Maka dari itu, buat payload ${alert(3)}

    Terlihat berhasil memunculkan pop-up alert XSS dengan menggunakan payload tersebut

Thanks, Stay Ethical & Happy Hacking! 🍻

reflected cross-site scripting
LogoAllAboutBugBounty/Cross Site Scripting.md at master · daffainfo/AllAboutBugBountyGitHub