webPromedium

Lab 33 — PulsePress — Reflected XSS in Search Page

hackadvisor

Task: blog platform with search reflecting input in two places with inconsistent sanitization. Solution: exploit reflected XSS in unencoded reflection point, use same-origin comment posting to exfiltrate admin's flag cookie when external requests are blocked.

$ ls tags/ techniques/

nodejs xss cookie_stealing express admin_bot reflected_xss same_origin_exfiltration differential_encoding

admin_bot_exploitationreflected_xss_exploitationsame_origin_data_exfiltrationcookie_theft_via_javascriptdifferential_encoding_bypass

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 231 — PagePulse — XSS via Web Cache Poisoning— hackadvisor
[web][Pro]Lab 140 — Pressboard — XXE via RSS Feed Import— hackadvisor
[web][Pro]PublishWave — XSS via HTTP Cache Poisoning— hackadvisor
[web][Pro]Lab 36 — PulseBoard — Prototype Pollution to RCE via EJS— hackadvisor
[web][Pro]Lab 326 — PulseBoard — NoSQL Injection in Authentication— hackadvisor