Defacing the Web application

Let's start :)

What is XSS?

A typical web app works by receiving HTML from a backend and rendering it in the client's browser. When a vulnerable web app doesn't properly sanitize user input, an attacker can inject malicious JavaScript code into that input, so once another user views the same page, their browser unknowingly executes the malicious JavaScript. This attack is called XSS (Cross Site Scripting).

What is Defacing?

One of the most common attacks carried out with stored XSS vulnerabilities is website defacement. Defacing a website means changing its appearance for anyone who visits it. It is very common for hacker groups to deface a website to claim that they have successfully hacked it.

A few months back I tested Faceprep and their parent companies ProGrad and Junior ProGrad. I found P0 bugs in their web app like auth bypass using a JWT token, IDOR, etc. I got a response from them and they paid a reward for those bugs.

After that I tested ProGrad, checking for SSTI, CSRF, IDOR, XSS and many more.

While checking for XSS I changed the name of my account and checked where it is reflected. It is reflected on the main page, but that page was blacklisting our payload; I tried a lot and was confused by their blacklisting.

After some time I accidentally checked the leaderboard, where a basic payload executed.

<script>alert(1)</script>

It executes the JavaScript.

After executing JavaScript, I decided to deface the whole web app using this XSS, so I used some JavaScript code; here it is:

As we can see, we can select the body element with document.getElementsByTagName('body'), and by specifying [0] we select the first body element; setting its content should change the entire text of the web page. However, before sending our payload and making a permanent change, we should prepare our HTML code separately and then use innerHTML to set that HTML as the page source.
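The root cause in both the "What is XSS?" section and the leaderboard finding is the same: a user-controlled account name is concatenated into page markup without output encoding. The following is an added example, not code from the original post or from ProGrad, showing the fix a defender would apply. The leaderboard layout, the helper names (escapeHtml, renderRowSafe, containsRawScriptTag) and the sample entries are all assumptions constructed for this demonstration; only the payload string comes from the post.

```javascript
// Added example (not from the original post): output-encoding the user-controlled
// "name" field before it is placed into leaderboard HTML, so a stored payload such
// as <script>alert(1)</script> is rendered as literal text instead of executed.
// Helper names, sample data and the table layout are constructed for this demo.

// Escape the characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the account name is concatenated into markup unchanged.
// Kept only to contrast with the hardened version below.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.name}</td><td>${entry.score}</td></tr>`;
}

// Hardened rendering: every user-controlled value is encoded for the HTML text context.
function renderRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.name)}</td><td>${escapeHtml(entry.score)}</td></tr>`;
}

function renderLeaderboard(entries, renderRow) {
  return `<table>${entries.map(renderRow).join('')}</table>`;
}

// Review/test helper: does the rendered output still contain a live <script> tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample data: one ordinary user and one whose stored name is the
// payload quoted in the post.
const sampleEntries = [
  { name: 'alice', score: 120 },
  { name: '<script>alert(1)</script>', score: 95 },
];

const unsafeHtml = renderLeaderboard(sampleEntries, renderRowUnsafe);
const safeHtml = renderLeaderboard(sampleEntries, renderRowSafe);

console.log('unsafe output contains live script tag:', containsRawScriptTag(unsafeHtml)); // true
console.log('safe output contains live script tag:  ', containsRawScriptTag(safeHtml));   // false
console.log(safeHtml);
```

Encoding at the point of output is what makes the blacklist the post ran into unnecessary: the browser displays the name exactly as stored and never parses it as markup. When the page is built in the browser rather than server-side, assigning the name to an element's textContent instead of innerHTML achieves the same result.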

Complete payload:

Let's update the profile and see the leaderboard.

Thank you for reading this blog ❤️🍾
