Need some solutions for challenges · Issue #30 · google/firing-range · GitHub
This repository was archived by the owner on Jan 10, 2023. It is now read-only.

Need some solutions for challenges #30

Open
realworldpentesting opened this issue Mar 1, 2021 · 5 comments

Comments

@realworldpentesting

Need challenges for some of the below-mentioned list
https://public-firing-range.appspot.com/dom/toxicdom/document/cookie_set/eval
https://public-firing-range.appspot.com/dom/toxicdom/document/referrer/eval
https://public-firing-range.appspot.com/dom/toxicdom/window/name/eval
https://public-firing-range.appspot.com/address/location.hash/documentwrite
Please provide solutions for these mentioned URLs; it will be a great help from your side.

Thanks and regards

@realworldpentesting
Author

https://public-firing-range.appspot.com/address/location.hash/documentwrite
See, I am trying to exploit this URL like this: https://public-firing-range.appspot.com/address/location.hash/documentwrite#%3Csvg%20onload=alert(1)%3E but it is being URL-encoded, and I believe this URL encoding is done by the browser, as we know the browser always does one URL encoding from its side, and that's why I am not able to trigger XSS there. Please help with all the above-mentioned URLs.

@realworldpentesting
Author

Hello,
Will anybody resolve my issue?

@realworldpentesting
Author
realworldpentesting commented Mar 8, 2021

@qll

@realworldpentesting
Author
realworldpentesting commented Mar 16, 2021

Hey
Will anybody revert back?

@chmey
chmey commented Nov 29, 2021

Need challenges for some of the below-mentioned list

Hello, I can help you out.

https://public-firing-range.appspot.com/dom/toxicdom/document/cookie_set/eval

This one should be simple. Go to the page and open the developer tools, inspect the script and understand that it will eval() the cookie's value. Edit the cookie value to something like alert(document.domain) in the Application->Storage section of the developer tools and refresh the page.

https://public-firing-range.appspot.com/dom/toxicdom/document/referrer/eval

This page takes the document.referrer object and pipes it into eval. Understand that an attacker can be in control of the referrer object as they can set it from a web server they control and redirect to the vulnerable site.
In case of this challenge, I don't think it is vulnerable anymore as modern browsers escape the location object. It used to be exploitable but now would require unescape().

https://public-firing-range.appspot.com/dom/toxicdom/window/name/eval

Did you know you can set the window.name and then redirect to the vulnerable page by setting location?
You can paste this into the address bar of your browser or host a similar document yourself:

data:text/html,<script>window.name="alert(1)";location="https://public-firing-range.appspot.com/dom/toxicdom/window/name/eval"</script>

https://public-firing-range.appspot.com/address/location.hash/documentwrite

Don't think it's exploitable anymore as Chrome URL encodes location.hash.
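
The sinks discussed in this thread (eval() on document.cookie, document.referrer and window.name, and document.write() on location.hash) are closed by treating each source as data rather than as code or markup. The following is an added example, not code from the Firing Range project or from the commenters; the function names, the "theme" setting and its allowlist are hypothetical.

```javascript
// Added example; escapeHtml, renderFragment, readTheme and ALLOWED_THEMES
// are hypothetical names, and the {"theme": ...} shape is an assumption.
const ALLOWED_THEMES = new Set(['light', 'dark']);
const DEFAULT_THEME = 'light';

// Escape the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Safe replacement for document.write(location.hash).
// Decodes first so the result does not depend on whether the browser
// percent-encoded the fragment, then escapes before it reaches markup.
function renderFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch {
    decoded = raw; // malformed percent-encoding: keep the raw text
  }
  return escapeHtml(decoded);
}

// Safe replacement for eval() on document.cookie, document.referrer or
// window.name: the value is parsed as JSON data, never executed, and only
// an allowlisted setting is accepted.
function readTheme(untrusted) {
  let parsed;
  try {
    parsed = JSON.parse(untrusted);
  } catch {
    return DEFAULT_THEME; // not JSON, e.g. a script expression
  }
  if (parsed === null || typeof parsed !== 'object') return DEFAULT_THEME;
  return ALLOWED_THEMES.has(parsed.theme) ? parsed.theme : DEFAULT_THEME;
}

// First two inputs are the values quoted in the thread; the third is constructed.
console.log(renderFragment('#%3Csvg%20onload=alert(1)%3E')); // &lt;svg onload=alert(1)&gt;
console.log(readTheme('alert(1)'));                          // light
console.log(readTheme('{"theme":"dark"}'));                  // dark
```

In a page, the string returned by renderFragment() is inert markup; assigning the decoded value to an element's textContent achieves the same result without manual escaping.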
