https://is-xss-possible.pages.dev/
(Please note that this problem might be unresolvable, as it's a real-world one.)
I encountered the following JavaScript in the real world (this is the simplified version):
const obj = {};
/**
 * This DLL is designed for use in conjunction with the Ruler tool for
 * security testing related to the CVE-2024-21378 vulnerability,
 * specifically targeting MS Outlook.
 *
 * It can be used with the following command line syntax:
 * ruler [auth-params] form add-com [attack-params] --dll ./test.dll
 * Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms (com-forms branch).
 *
 * After being loaded into MS Outlook, it sends the PC's hostname and
// ==UserScript==
// @name PostMessage Tracker
// @namespace Violentmonkey Scripts
// @match *://*/*
// @version 1.0
// @author Ounissi zakaria (https://twitter.com/zakaria_ounissi)
// @description Each time an event listener is added for `message` it adds a menu command to the message handler.
// @grant GM.registerMenuCommand
// @run-at document-start
// ==/UserScript==
'''
IDA plugin to display the calls and strings referenced by a function as hints.
Installation: put this file in your %IDADIR%/plugins/ directory.
Author: Willi Ballenthin <william.ballenthin@fireeye.com>
Licence: Apache 2.0
'''
import idc
import idaapi
import idautils
This details how to capture voice text and rings associated with Iridium satellite rebroadcasts of the Aircraft Communications Addressing and Reporting System (ACARS).
cd ~
Nuclei Templates
<body>
Most application security practitioners are familiar with Unicode XSS, which typically arises from the Unicode character fullwidth-less-than-sign. It’s not a common vulnerability but does occasionally appear in applications that otherwise have good XSS protection. In this blog I describe another variant of Unicode XSS that I have identified, using combining characters. I’ve not observed this in the wild, so it’s primarily of theoretical concern. But the scenario is not entirely implausible and I’ve not otherwise seen this technique discussed, so I hope this is useful.
Lab: https://4t64ubva.xssy.uk/
A quick investigation of the lab shows that it is echoing the name parameter, and performing HTML escaping: