webPromedium

Lab 72 — WriteFlow — Stored XSS via WYSIWYG Editor Sanitizer Bypass

hackadvisor

Task: Express.js knowledge base with WYSIWYG editor whose server-side sanitizer strips script tags and event handlers but allows iframe with srcdoc attribute. Solution: used iframe srcdoc with HTML-entity-encoded script tag to bypass sanitizer, exfiltrated admin's non-HttpOnly FLAG cookie via Interaction Server when admin bot reviewed the article.

$ ls tags/ techniques/

nodejs xss stored_xss nginx express admin_bot decoy_flag cookie_exfiltration interaction_server sanitizer_bypass rich_text_editor iframe_srcdoc wysiwyg_editor html_source_mode

admin_bot_exploitationdecoy_flag_avoidancestored_xss_via_iframe_srcdochtml_entity_encoding_sanitizer_bypasscookie_exfiltration_via_image_srcinteraction_server_oob_exfiltration

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 105 — WriteFlow — Indirect Prompt Injection via Document Analysis— hackadvisor
[web][Pro]Lab 181 — PostFlow — Stored XSS via Cache Poisoning— hackadvisor
[web][Pro]Lab 37 — WriteFlow — NoSQL Injection via Nested $where in Mongoose Populate— hackadvisor
[web][Pro]Lab 183 — ArticleFlow — Stored XSS via Fat GET Cache Poisoning— hackadvisor
[web][Pro]DeskFlow — Session Fixation via Support Ticket URL— hackadvisor