[web][Pro][medium]
Lab 48 — PulseDesk — Stored XSS via Widget postMessage DOM Injection
hackadvisor
Task: Support ticketing platform with an embeddable chat widget that uses the postMessage API and URL hash auto-configure, both feeding an innerHTML XSS sink; the HTML sanitizer allows iframe with a relative src.
Solution: Craft a base64-encoded XSS config (avoiding + and = characters) in the iframe src hash fragment and inject it via the ticket description; the admin bot triggers the DOM XSS, and the cookie is exfiltrated via a same-origin ticket reply POST.
$ ls tags/ techniques/
tags/: nodejs xss base64 stored_xss cookie_stealing express admin_bot decoy_flag iframe postmessage innerhtml same_origin_exfiltration dom_xss url_hash widget html_sanitizer
techniques/: admin_bot_exploitation dom_xss_via_innerhtml_hash_config base64_encoding_without_plus_or_equals same_origin_cookie_exfiltration_via_ticket_reply iframe_injection_through_sanitizer_allowlist urlsearchparams_base64_corruption_bypass
Similar writeups
- [web][Pro] Lab 70 — LivePulse — hackadvisor
- [web][Pro] Lab 226 — LiveDesk — SQL Injection via WebSocket Message Search — hackadvisor
- [web][Pro] PulseDesk — Blind SQL Injection in Password Reset Token Extraction — hackadvisor
- [web][Pro] DesignPulse — Reflected XSS via SVG Badge Injection — hackadvisor
- [web][Pro] Lab 378 — PulseBoard — Cache Poisoning XSS via Next.js Header Misclassification — hackadvisor