Diffstat (limited to 'Stored XSS/Resources')
| -rw-r--r-- | Stored XSS/Resources/notes.md | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/Stored XSS/Resources/notes.md b/Stored XSS/Resources/notes.md new file mode 100644 index 0000000..e628343 --- /dev/null +++ b/Stored XSS/Resources/notes.md @@ -0,0 +1,10 @@ +## Exploit + +1. At `http://10.0.2.15/?page=feedback` there is a form whose content can be input by users and that is not filtered in any way +1. Simply add a feedback with any name and a message containing an HTML script to execute, for example `<script>alert(123)</script>` + +## Fix + +[https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting]() + +Never render untrusted HTML, JS, CSS or URLs without encoding/sanitization. |
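Review bot: the link in the `## Fix` section is written as `[https://owasp.org/...]()`, which puts the URL in the link text and leaves the target empty, so it renders as plain text rather than a clickable link; write it as `[OWASP WSTG: Testing for Stored Cross Site Scripting](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting)` or paste the bare URL. Two smaller points in the same hunk: the exploit list numbers both items `1.`, which Markdown renders correctly but reads oddly in the source, so consider `1.`/`2.`; and the closing fix sentence ("Never render untrusted HTML, JS, CSS or URLs without encoding/sanitization") would be more actionable if it named where the encoding happens for this page, i.e. escape the stored name and message for the HTML context at the point they are written into the feedback page, since input filtering on the form alone is not the fix the OWASP reference describes.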
