Showing Articles About
xss
-
Ben Berkowitz 
Phil Sofia - 8 Sep 2022
Prototype Pollution Primer for Pentesters and Programmers
Prototype pollution is a JavaScript vulnerability where attackers can manipulate object prototypes to inject malicious properties. The attack involves two stages: polluting the prototype and then exploiting functions that process polluted objects. A demonstration using jQuery BBQ and jQuery shows how an attacker can potentially execute arbitrary JavaScript in web applications.
- 29 Sep 2020
Application-level Purple Teaming: A case study
An application-level purple teaming approach was demonstrated using a file-sharing web application. The methodology focused on improving logging, alerting, and potential response mechanisms by systematically identifying detection gaps across enumeration and injection attack categories. The project used tools like Elasticsearch, Logstash, Kibana, and ElastAlert to enhance application security detection capabilities.
- 7 Sep 2020
Securing AEM With Dispatcher
This article explores securing Adobe Experience Manager (AEM) using Dispatcher configuration. It demonstrates how to prevent security vulnerabilities by carefully configuring Dispatcher rules to block potential exploits. The walkthrough includes identifying and mitigating Dispatcher bypasses and cross-site scripting (XSS) attacks through systematic testing and rule refinement.
- Oliver Simonnet
- 8 Aug 2019
Getting Real with XSS
This article provides a comprehensive guide to practical Cross-Site Scripting (XSS) attacks in modern web applications. It explores technical challenges such as innerHTML limitations, Content Security Policy (CSP) restrictions, and techniques for bypassing browser security controls. The guide demonstrates how to craft meaningful XSS payloads that go beyond simple alert demonstrations.
- 12 Feb 2015
Popping alert(1) in Flash
This article explores cross-site scripting (XSS) vulnerabilities in Adobe Flash applications. It details how ActionScript can be exploited through unvalidated FlashVars, ExternalInterface calls, and remote content loading techniques. Multiple attack vectors are demonstrated, including manipulating URL parameters, loading malicious XML, and abusing URI schemes in Flash applications.