google / firing-range

Apache License 2.0

Need some solutions for challenges #30

Open realworldpentesting opened 3 years ago

realworldpentesting commented 3 years ago

Need challenges for some of the below-mentioned list:
https://public-firing-range.appspot.com/dom/toxicdom/document/cookie_set/eval
https://public-firing-range.appspot.com/dom/toxicdom/document/referrer/eval
https://public-firing-range.appspot.com/dom/toxicdom/window/name/eval
https://public-firing-range.appspot.com/address/location.hash/documentwrite
Please provide solutions for these mentioned URLs; it will be a great help from your side.

Thanks and regards

realworldpentesting commented 3 years ago

https://public-firing-range.appspot.com/address/location.hash/documentwrite: see, I am trying to exploit this URL like this: https://public-firing-range.appspot.com/address/location.hash/documentwrite#%3Csvg%20onload=alert(1)%3E but it is being URL encoded, and I believe this URL encoding is done by the browser, as we know the browser always does one URL encoding on its side, and that's why I am not able to trigger XSS there. Please help with all the above-mentioned URLs.

realworldpentesting commented 3 years ago

Hello, will anybody resolve my issue?

realworldpentesting commented 3 years ago

@qll

realworldpentesting commented 3 years ago

Hey, will anybody revert back?

chmey commented 2 years ago

Need challenges for some of the below-mentioned list

Hello, I can help you out.

https://public-firing-range.appspot.com/dom/toxicdom/document/cookie_set/eval

This one should be simple. Go to the page and open the developer tools, inspect the script and understand that it will eval() the cookie's value. Edit the cookie value to something like alert(document.domain) in the Application->Storage section of the developer tools and refresh the page.

https://public-firing-range.appspot.com/dom/toxicdom/document/referrer/eval

This page takes the document.referrer object and pipes it into eval. Understand that an attacker can be in control of the referrer object, as they can set it from a web server they control and redirect to the vulnerable site. In the case of this challenge, I don't think it is vulnerable anymore, as modern browsers escape the location object. It used to be exploitable but now would require unescape().

https://public-firing-range.appspot.com/dom/toxicdom/window/name/eval

Did you know you can set the window.name and then redirect to the vulnerable page by setting location? You can paste this into the address bar of your browser or host a similar document yourself:

data:text/html,

https://public-firing-range.appspot.com/address/location.hash/documentwrite

Don't think it's exploitable anymore as Chrome URL encodes location.hash.
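The last two answers make a point worth seeing in code: the location.hash -> document.write sink is only "safe" because the browser percent-encodes the fragment, and any decode step in the page (unescape(), decodeURIComponent) removes that accidental protection. The following is an added example written for this thread, not code from firing-range itself; it models the sink as plain string functions so it runs in Node without a DOM, and it assumes the script receives the hash already percent-encoded (the form seen in the thread).

```javascript
// Minimal HTML escaper for a text context (constructed for this example).
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Stand-in for document.write(location.hash.slice(1)): returns the markup
// string that would reach the HTML parser. Chrome has already percent-encoded
// the fragment, so no tag survives without a decode step.
function renderHashUnsafe(hash) {
  return hash.slice(1);
}

// Same sink after a decode step (unescape()/decodeURIComponent): the browser's
// encoding no longer protects the page, so this is the pattern to flag in review.
function renderHashDecodedUnsafe(hash) {
  return decodeURIComponent(hash.slice(1));
}

// Hardened version: encode for the output context regardless of what the
// browser did (equivalent to assigning the value via textContent).
function renderHashSafe(hash) {
  return escapeHtml(decodeURIComponent(hash.slice(1)));
}

// Detection-style check: does the string reaching the parser contain a tag?
function containsTag(markup) {
  return /<[a-z][^>]*>/i.test(markup);
}

// Constructed input: the encoded fragment from the thread above.
const constructedHash = '#%3Csvg%20onload=alert(1)%3E';
console.log(containsTag(renderHashUnsafe(constructedHash)));        // false
console.log(containsTag(renderHashDecodedUnsafe(constructedHash))); // true
console.log(containsTag(renderHashSafe(constructedHash)));          // false
```

The takeaway for a code review is the middle function: a sink that is harmless today only because of browser encoding becomes exploitable the moment someone adds a decode, so the fix is output encoding, not reliance on the browser.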