Not Found The requested URL /tmp/ j a v a s c r i p t :alert(0) was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
#BugBounty #bugbountytip #BugBountyTips #infosec #XSS
Here is my obfuscated payload. It bypasses lots of WAF, including CloudFlare iirc.
<iframe src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aalert(0)">
iFrame with javascript URI payload. Line feeds [CRLF] obfuscate it.
-
-
-
You sure you're putting it in right place? I tested this inside an iFrame on a vulnerability app and works.
- Još 6 drugih odgovora
Novi razgovor -
-
-
This method isn't supposed to have a different origin?
-
Yeah, this should execute in its own context as it will have a different origin. In fact, javascript URIs in iframes execute in a null origin, which means more restrictions. No violation of SOP. Not a useful bypass.
- Još 4 druga odgovora
Novi razgovor -
-
-
Neat trick, but an iframe/src=javascript: will execute in a null origin.
- Još 8 drugih odgovora
Novi razgovor -
-
-
Its not working.. I tried in both chrome and mozilla.pic.twitter.com/mO7yzhITGQ
-
can you please have a look at https://partner-help.postmates.com
- Još 7 drugih odgovora
Novi razgovor -
-
-
-
You are hitting blocked by Chrome XSS filter? It seems I am testing on a site with CF. I guess maybe it's possible that because CF initially blocks the page with a "checking your browser" notification that maybe Chrome doesn't detect it. Can't test other payload as CF blocks.
- Još 2 druga odgovora
Novi razgovor -
Čini se da učitavanje traje već neko vrijeme.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.