SKF write-ups
Search…
Introduction
Cross Site Scripting (XSS)
Cross Site Scripting - Attribute (XSS-Attribute)
Cross Site Scripting - href (XSS-href)
Cross Site Scripting - DOM (XSS-DOM)
Cross Site Scripting - DOM-2 (XSS-DOM-2)
CSRF
CSRF - Samesite
CSRF - Weak
XML External Entity (XXE)
File upload
Clickjacking
Ratelimiting (Brute-force login)
HttpOnly Session Hijacking XSS
Exposed docker daemon
SQLI (Union)
SQLI (Like)
SQLI (Blind)
URL Redirection
URL Redirection - Harder
URL Redirection - Harder-2
Formula Injection
Client Side Template Injection (CSTI)
CORS exploitation
Parameter Binding
Local File Inclusion 1 (LFI-1)
Local File Inclusion 2 (LFI-2)
Local File Inclusion 3 (LFI-3)
Remote File Inclusion (RFI)
Content-Security-Policy (CSP)
Session Puzzling
Command Injection (CMD)
Command Injection 2 (CMD-2)
Command Injection 3 (CMD-3)
Command Injection 4 (CMD-4)
Command Injection Blind (CMD-Blind)
Server Side Request Forgery (SSRF)
Server Side Template Injection (SSTI)
Insecure Direct Object References (IDOR)
Deserialisation Yaml (DES-Yaml)
Deserialisation Pickle (DES-Pickle)
Deserialisation Pickle 2 (DES-Pickle-2)
GraphQL DOS
GraphQL IDOR
GraphQL Injections
GraphQL Introspection
GraphQL Mutations
JWT Null
JWT Secret
Race Condition
Race Condition File-Write
DoS Regex
Information Leakeage in Comments
Information Leakeage in Metadata
Auth Bypass
Auth Bypass - 1
Auth Bypass - 2
Auth-bypass - 3
Auth-bypass - Simple
Untrusted Sources (XSSI)
Python - Untrusted Sources (XSSI)
NodeJS - Untrusted Sources (XSSI)
Java - Untrusted Sources (XSSI)
TLS Downgrade
Client Side Restriction Bypass
Client Side Restriction Bypass - Harder
Credentials Guessing
Credentials Guessing - 2
CSS Injection (CSSI)
Prototype Pollution
Right To Left Override (RTLO)
Ldap Injection
Ldap Injection - harder
template item
Powered By GitBook
Python - Untrusted Sources (XSSI)

Running the app Docker

1
$ sudo docker pull blabla1337/owasp-skf-lab:untrusted-sources-js
Copied!
1
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:unstrusted-sources-js
Copied!
Now that the app is running let's go hacking!

Running the app Python3

First, make sure python3 and pip are installed on your host machine. After installation, we go to the folder of the lab we want to practise "i.e /skf-labs/XSS/, /skf-labs/jwt-secret/ " and run the following commands:
1
$ pip3 install -r requirements.txt
Copied!
1
$ python3 <labname>
Copied!
Now that the app is running let's go hacking!
Docker image and write-up thanks to Zerocopter!

Reconnaissance

Step1

When including third-party functionality, such as a web widget, library, or other source of functionality, the software must effectively trust that functionality. Without sufficient protection mechanisms, the functionality could be malicious in nature (either by coming from an untrusted source, being spoofed, or being modified in transit from a trusted source). The functionality might also contain its own weaknesses, or grant access to additional functionality and state information that should be kept private to the base system, such as system state information, sensitive application data, or the DOM of a web application.
This might lead to many different consequences depending on the included functionality, but some examples include injection of malware, information exposure by granting excessive privileges or permissions to the untrusted functionality, DOM-based XSS vulnerabilities, stealing user's cookies, or open redirect to malware
First, let's check the application to see if there are any sources being loaded in the app that return a 404.
When inspecting the network tab we see that the application fails to load a JS file to the URL
1
https://localhost:8081/script-provider/javascript.js
Copied!
note: in a penetration test we would now see if the domain that is used to grab the js source file from is free for us to register

Exploitation

Step1

Now, in order to leverage a successfull XSS attack we need to set up our own local server on port 8081 that serves the our malicious javascript:
1
from flask import Flask, request, url_for, render_template, redirect, send_file
2
​
3
app = Flask(__name__)
4
app.config['DEBUG'] = True
5
​
6
​
7
@app.route('/<path:path>')
8
def static_file(path):
9
return send_file(path)
10
​
11
if __name__ == '__main__':
12
app.run(debug=True,host='0.0.0.0', port=8081)
Copied!

Step2

We ofcourse also need to set the right path where to serve the file from:

Step3

The content of the JS file that we use to deliver the malicious XSS from looks no more basic than this:

Step4

Now it is time to start our web server.

Step5

We visit the target application where we now find our 'alert' that we coded in our javascript.js file
Previous
Untrusted Sources (XSSI)
Next
NodeJS - Untrusted Sources (XSSI)
Last modified 2mo ago
Export as PDF
Copy link
Edit on GitHub
Contents
Running the app Docker
Running the app Python3
Reconnaissance
Step1
Exploitation
Step1
Step2
Step3
Step4
Step5