Lab 33 — PulsePress — Reflected XSS in Search Page

hackadvisor

Task: blog platform with search reflecting input in two places with inconsistent sanitization. Solution: exploit reflected XSS in unencoded reflection point, use same-origin comment posting to exfiltrate admin's flag cookie when external requests are blocked.

nodejs xss cookie_stealing express admin_bot reflected_xss same_origin_exfiltration differential_encoding

admin_bot_exploitationreflected_xss_exploitationsame_origin_data_exfiltrationcookie_theft_via_javascriptdifferential_encoding_bypass

$ ls tags/ techniques/

nodejs xss cookie_stealing express admin_bot reflected_xss same_origin_exfiltration differential_encoding

admin_bot_exploitationreflected_xss_exploitationsame_origin_data_exfiltrationcookie_theft_via_javascriptdifferential_encoding_bypass

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 283 — PulseMetrics — XSS via HTTP Response Splitting (CRLF Injection)— hackadvisor
[web][Pro]Lab 231 — PagePulse — XSS via Web Cache Poisoning— hackadvisor
[web][Pro]Lab 378 — PulseBoard — Cache Poisoning XSS via Next.js Header Misclassification— hackadvisor
[web][Pro]Lab 233 — PulseAPI — Regex Auth Bypass via Query String Injection— hackadvisor
[web][Pro]Lab 84 — PulseView— hackadvisor