Web - Client
Saturday 27 January 2018, 10:15 #1
Web - Client - XSS - Stored - filter bypass
This one is a bit infuriating... I managed to build a javascript payload bypassing the filter and exfiltrating cookies, but for now its execution can only be triggered by an event not used by the admin visiting the page (a human admin would trigger it).
I’m a bit stuck. Should I continue looking for exotic onXXX=... events on HTML elements, since not all of them are filtered?
Saturday 24 February 2018, 00:59 #2
Web - Client - XSS - Stored - filter bypass
Hi,
I got only user-session cookie, which is mine. I bypassed the filter but i could still not let the admin trigger an onXXX event, like you sir. The searching... goes on, even if the admin must have read the message. Do not lose you head..