webPromedium

Lab 42 — ProsePad — DOM Clobbering to Stored XSS

hackadvisor

Task: ProsePad collaborative writing platform sanitizes article HTML but preserves id/name attributes and data: URIs in href; a widget loader script reads window.appConfig.cdnUrl to load a script. Solution: DOM clobbering via two anchor elements with same id creates HTMLCollection, named access via name attribute provides attacker-controlled data:text/javascript URI as script src, exfiltrating admin flag via comment API.

$ ls tags/ techniques/

nodejs xss javascript stored_xss express admin_bot dom_clobbering sanitizer_bypass data_uri htmlcollection named_access

dom_clobbering_htmlcollectionnamed_property_access_on_htmlcollectiondata_uri_script_deliverysame_origin_exfiltration_via_apisanitizer_bypass_id_name_attributes

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 33 — PulsePress — Reflected XSS in Search Page— hackadvisor
[web][Pro]Lab 73 — NetShield — Reflected XSS via 404 Page Attribute Injection— hackadvisor
[web][Pro]Lab 140 — Pressboard — XXE via RSS Feed Import— hackadvisor
[web][Pro]Lab 345 — PrintForge — RCE via Ghostscript Command Injection— hackadvisor
[web][Pro]DocuNest— hackadvisor