Web Hacking

XSS Prevention

After briefly (if somewhat messily) discussing XSS here, it’s time to discuss how to prevent this bug from existing on our website. XSS runs because loose <script> tags in user input are rendered and executed by the browser, so the fix is to make sure the browser does not execute HTML tags supplied by users. Don’t worry, we’re not going to mess with the browser itself: just a little handling of user input before it is displayed on the website.
SQL Injection Into XRDP Account Take Over

Well, maybe the title is a bit clickbait — SQL injection itself can’t directly inject all the way to an RDP account takeover xD. Actually the initial goal was just to download anime on moesubs.com, but when opening the website there was a URL that looked very suspicious: https://moesubs.com/?hal=dlrilisan&id=591, so I tried checking with ' and the site returned an error. After the error I balanced it using an SQL comment --+- and the page returned to normal. Okay, let’s continue …
Solution for Surabaya Hacker Link Challenges

Well, this post was made because the Surabaya Hacker Link challenges have been updated; many people were curious about this challenge but hadn’t solved it yet and suggested making a video tutorial. Since I can’t make a video, I’ll just write it up here instead. The updated challenge explains that we have to save John’s website, after which we will be given a Telegram group link (the flag).
Hey I Found Git Repository

Preface: just a small note on finding an exposed git repository on a website. Notes: Git is a version control system used by developers to build software collaboratively. Its main function is to manage versions of your program’s source code by tracking which lines and files were added or changed. Git stores all of its data, including committed source code, in a dot-directory (.git), so access to that directory from the outside should be restricted. Why? Because …
Solution for 'Simple' Web Challenges

Preface: first of all, thanks to slashroot ctf, because without slashroot ctf I might not have been able to provide these challenges through dewaweb.com. Thanks to all players who took the time to try this ‘simple’ challenge. Notes: the clue was “recon, tools, sign-in, submit”. This recon is very easy; you don’t actually need tools or scanners. Many websites still store important things in HTML comments, and here one clearly shows that the git repository (/.git/) was …

Is XSS Dangerous?

Background: from observing several IT groups that I follow, many people keep asking: Is XSS dangerous? How do you upload a webshell via XSS? Why has my XSS bug report not been responded to? Is it because XSS is not dangerous, or maybe because the web admin is, you know what? More or less those are the questions that come up, so let’s discuss together what the characteristics of XSS are. Definition: cross-site scripting is a type of computer security vulnerability typically found in web applications. …