author    Thomas Vanbesien <tvanbesi@proton.me>  2026-03-27 17:20:52 +0100
committer Thomas Vanbesien <tvanbesi@proton.me>  2026-03-27 17:20:52 +0100
commit    a75adbeb4a560d5874519f98500972bf51df3cf4 (patch)
tree      fb4a5b623e05e3c2229b90c2d9dead41a043f114 /Reflected XSS/Resources/notes.md
parent    1deb3f2e6f4a1ddd0760a56794d7ce16232c47c3 (diff)
Add reflected XSS solution
Diffstat (limited to 'Reflected XSS/Resources/notes.md')
-rw-r--r--  Reflected XSS/Resources/notes.md | 12 ++++++++++++
1 file changed, 12 insertions(+), 0 deletions(-)
diff --git a/Reflected XSS/Resources/notes.md b/Reflected XSS/Resources/notes.md
new file mode 100644
index 0000000..ce4de77
--- /dev/null
+++ b/Reflected XSS/Resources/notes.md
@@ -0,0 +1,12 @@
+## Exploit
+
+1. There is a clickable image that links to `http://10.0.2.15/?page=media&src=nsa`
+1. The application uses the `src` query parameter as the value of the `data` attribute of an `<object>` element **without validation**
+1. Thus, one can exploit XSS by supplying a `data:` URL instead of the expected image reference (nsa) in `src`
+1. Request `curl "http://10.0.2.15/?page=media&src=data:text/html;base64,$(echo -n '<script>alert(123)</script>' | base64)" | grep flag` to get the flag.
+
+## Fix
+
+[https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html]()
+
+Do not place untrusted user input directly into the `data` attribute of an `<object>` element. Only allow strict server-side mapping to expected media resources, and reject dangerous schemes such as `data:` and `javascript:` (i.e. sanitize user input).
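Review bot: the Fix paragraph undercuts itself by ending with "reject dangerous schemes such as `data:` and `javascript:` (i.e. sanitize user input)": once `src` is only used as a key into a strict server-side map of known media resources, there is no scheme left to reject, and a deny-list of two schemes is a weaker control than that allow-list (it would still let through remote `http(s):` objects and any scheme you did not think of). Suggest dropping the deny-list sentence in favour of "look `src` up in a fixed map of allowed media names and return an error for anything else" and, as defence in depth, a `Content-Security-Policy` with `object-src 'none'` so an `<object>` cannot load arbitrary content even if the mapping regresses. Two smaller points: the reference link `[https://owasp.org/...]()` has an empty target and renders as an empty link in Markdown, so write it as `<https://owasp.org/...>` or `[OWASP WSTG: Testing for Reflected XSS](https://owasp.org/...)`; and in step 4 the base64 of `<script>alert(123)</script>` ends in `+` (`...Y3JpcHQ+`), which the server decodes to a space when it arrives in a query string, so percent-encode it as `%2B` (or build the URL with `curl -G --data-urlencode`) if the intent is for a browser to actually decode and render the payload rather than only to retrieve the flag with `grep`.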