I have encountered a Content Spoofing in a major website. The website reflects the text inserted after the first fwd slash.
e.g. example.com/[dot]content_reflected_on_page
This is reflected on language dropdown section of the page. So I assume the value with dot is considered as a language file.
example.com/de - displays the page in German, shows de at language dropdown.
example.com/det - Error page, no reflection
example.com/anything.visit example.com - displays anything.visit example.com at language dropdown.
However, I am not able to break out of the tag. Single quote, double quote, gt and lt symbols are encoded before displaying.
Which led me to thinking of trying this on an automated tool. But I noticed that the tool allows only injection of payload at parameters.
Solution:
You can use --path to test payload on path, also use --level 1 to set the particular path.
I had to give a custom payload list having a dot in each line.
https://github.com/payloadbox/xss-payload-list/blob/master/Intruder/xss-payload-list.txt
sed 's/^/\./' xss-payload-list.txt > xss_payload_dot_added.txt
python3 xsstrike.py -u "https://example.com/" --level 1 --path -f ~/Downloads/xss_payload_dot_added.txt
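For the site owner's side of the report above, an added example (not part of the original post and not the affected site's code) models the described reflection and contrasts it with an allowlisted label lookup. The language table, function names and the routing logic are assumptions made for illustration.

```python
import html
from urllib.parse import unquote

# Constructed allowlist of language codes the site ships (assumption).
LANGUAGES = {"en": "English", "de": "Deutsch", "fr": "Français"}
DEFAULT_LANG = "en"


def first_segment(path: str) -> str:
    """Return the URL-decoded text after the first forward slash."""
    return unquote(path.lstrip("/").split("/", 1)[0])


def dropdown_label_reflecting(path: str):
    """Model of the reported behaviour (assumed): a known code is shown,
    a segment containing a dot is treated as a language file and echoed
    back HTML-encoded, anything else gives the error page (None)."""
    seg = first_segment(path)
    if seg in LANGUAGES or "." in seg:
        # Encoding prevents breaking out of the tag, but the visitor
        # still sees text chosen by whoever built the link.
        return html.escape(seg, quote=True)
    return None


def dropdown_label_allowlisted(path: str):
    """Hardened variant: the label is read from the server-side table,
    never from the request, so request text cannot appear on the page."""
    seg = first_segment(path)
    if seg == "":
        return LANGUAGES[DEFAULT_LANG]
    return LANGUAGES.get(seg)  # None -> caller serves the error page


if __name__ == "__main__":
    # Constructed sample paths mirroring the cases in the report.
    samples = ("/de", "/det", "/anything.visit%20example.com", '/."x"')
    for p in samples:
        print(p, "|", dropdown_label_reflecting(p),
              "|", dropdown_label_allowlisted(p))
```

Output encoding alone leaves the spoofed text visible; the allowlisted lookup removes the reflection entirely.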