Stored XSS in onclick. Payload obfuscation with HTML encoding.

preview_player
Показать описание
Here we run a stored XSS attack on a lab that has a number of protections in place in the form of HTML encoding and escaping. The full title of this lab is 'Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and backslash escaped'.

We'll see an example of how HTML encoding can be used for payload obfuscation.

In the post analysis section we also learn some differences regarding the DOM and the raw HTML response returned by the web server.

Support This Channel
======================

Please like and subscribe, it means a lot!

Please buy me a coffee so I can continue to make content.

Join our Discord

00:00 Introduction
00:21 Exploring the lab
02:13 Demonstrating escaping
03:44 Manual escaping
04:34 Ofuscation of payload with HTML encoding
05:31 Post analysis
Рекомендации по теме
Комментарии
Автор

you are amazing thanks
keep it up we want more lab solve

nazuko
Автор

many manty thanks to you. Incredible explanation here and below other xss videos. Fascinating content (not exaggeration). It's interesting how things can be explained that cleanly. Thanks agian

alex-vev
Автор

The - can be replaced by + sign, so both produce the same result acting as delimiters for the server to differentiate between the track function, the alert(1) and the &apos. Is that right ...

pranjalruhela
welcome to shbcf.ru