-rw-r--r-- Stored XSS/Resources/notes.md | 10
-rw-r--r-- Stored XSS/flag | 1
2 files changed, 11 insertions, 0 deletions
diff --git a/Stored XSS/Resources/notes.md b/Stored XSS/Resources/notes.md
new file mode 100644
index 0000000..e628343
--- /dev/null
+++ b/Stored XSS/Resources/notes.md
@@ -0,0 +1,10 @@
+## Exploit
+
+1. At `http://10.0.2.15/?page=feedback` there is a form whose content can be input by users and that is not filtered in any way
+1. Simply add a feedback with any name and a message containing an HTML script to execute, for example `<script>alert(123)</script>`
+
+## Fix
+
+[https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting]()
+
+Never render untrusted HTML, JS, CSS or URLs without encoding/sanitization.
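Review bot: The link under `## Fix` has an empty target: the OWASP URL sits inside the square brackets and is followed by empty `()`, so it will not resolve when the Markdown is rendered. Write it as an autolink in angle brackets or as `[Testing for Stored Cross Site Scripting](URL)`. The closing sentence is also generic for this finding: step 1 says the feedback form content is not filtered in any way, and step 2 names the name and message fields, so the Fix section should state that those two fields need output encoding where the feedback page renders them.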
diff --git a/Stored XSS/flag b/Stored XSS/flag
new file mode 100644
index 0000000..c3b8286
--- /dev/null
+++ b/Stored XSS/flag
@@ -0,0 +1 @@
+0fbb54bbf7d099713ca4be297e1bc7da0173d8b3c21c1811b916a3a86652724e
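Review bot: The `flag` file is added as a bare 64-character hex string, and nothing in `notes.md` ties it to the steps under `## Exploit`. Add a line to the notes saying how submitting the feedback leads to this value, so the write-up can be reproduced from the notes alone.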