webPromedium

Lab 293 — CloudNest — Reflected XSS in Login Callback Label

hackadvisor

Task: Express.js workspace platform with admin bot URL review, reflected XSS in callback_label parameter on /login page. Solution: Injected autofocus/onfocus XSS payload via button breakout, used localhost:8080 to bypass X-XSS-Protection, exfiltrated admin flag via unauthenticated /api/support-tickets endpoint.

$ ls tags/ techniques/

nodejs xss express honeypot admin_bot reflected_xss decoy_flag same_origin_exfiltration autofocus_onfocus localhost_bot callback_label_injection x_xss_protection_bypass httponly_cookie no_csp

admin_bot_exploitationreflected_xss_exploitationsame_origin_data_exfiltrationautofocus_onfocus_xss_triggerlocalhost_url_discoverysupport_ticket_exfiltrationhoneypot_avoidancebutton_element_breakout

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 408 — MailNest — Broken Authentication via Unauthenticated Password Reset— hackadvisor
[web][Pro]Lab 113 — CloudNest— hackadvisor
[web][Pro]Lab 328 — DataNest — NoSQL Operator Injection in Authentication— hackadvisor
[web][Pro]Lab 75 — StayNest — Stored XSS in Hotel Booking Form— hackadvisor
[web][Pro]Lab 153 — FlowDesk — CSRF Account Takeover via Email Change— hackadvisor