XSS: Searching JavaScript Files for Variable Names to Disclose Hidden Parameters


    In penetration tests, pentesters should search JavaScript (JS) files thoroughly for variable names and continue by attempting every single one of them as GET/POST parameters to disclose hidden parameters. This frequently leads to Cross-site Scripting (XSS).

    Example:
    Code:
    Search for var siteKey = "123aBC"
    Code:
    Test for XSS - https://domain?siteKey=";alert(1337pwn)//
    Code:
    Test for XSS - https://domain?siteKey="><script>alert(1337pwn);</script>
    As we can observe, searching for JavaScript variable names and examining if they are also HTTP parameters can be incredibly useful in a pen test.

    Remember that even though there are automated pen test tools that can test parameters of a domain, professional penetration testers should manually search for vulnerabilities within parameters. It's never a good idea to rely exclusively on automated tools for your pen tests.
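
Seen from the application side, the finding in the post above comes down to a request parameter being written into an inline script without context-aware encoding. The JavaScript below is an added example, not part of the thread: `renderVulnerable`, `renderHardened`, `toInlineJsString` and the alphanumeric format assumed for `siteKey` are hypothetical, and the inputs are the probe values already quoted in the post.

```javascript
// Added example (not from the original post). The render functions are
// hypothetical stand-ins for server code that fills `var siteKey` from a parameter.

// Vulnerable: the raw parameter is pasted between the quotes of a JS string
// inside an inline <script>, so a quote or a closing tag ends that context.
function renderVulnerable(query) {
  const siteKey = query.get("siteKey") ?? "123aBC";
  return `<script>var siteKey = "${siteKey}";</script>`;
}

// Serialize a value as a JS string literal that is safe inside inline <script>.
// JSON.stringify escapes quotes and backslashes; the replace step escapes the
// characters an HTML parser or a JS line terminator could act on.
function toInlineJsString(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// Hardened: allowlist the expected format first (assumed here to be short
// alphanumerics), fall back to the default otherwise, then encode for context.
function renderHardened(query) {
  const raw = query.get("siteKey");
  const siteKey = raw !== null && /^[A-Za-z0-9]{1,64}$/.test(raw) ? raw : "123aBC";
  return `<script>var siteKey = ${toInlineJsString(siteKey)};</script>`;
}

// Constructed inputs: a normal value plus the two probe values quoted in the post.
const samples = [
  "siteKey=abcDEF42",
  "siteKey=" + encodeURIComponent('";alert(1337pwn)//'),
  "siteKey=" + encodeURIComponent('"><script>alert(1337pwn);</script>'),
];

// Render every sample both ways so the outputs can be compared side by side.
function compare() {
  return samples.map((qs) => {
    const q = new URLSearchParams(qs);
    return { vulnerable: renderVulnerable(q), hardened: renderHardened(q) };
  });
}

for (const row of compare()) console.log(row);
```

The allowlist and the encoder are independent layers: the encoder alone keeps any value inside the string literal, and the allowlist keeps unexpected values out of the page entirely.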

    #2
    Some good tips here PR070. Ideally, an experienced pentester should use both automated and manual methods.

    So one computer running automated tools, while the pentester is on another computer manually looking for potential vulnerabilities.

    The computers should be in close proximity to the pentester. This allows the pentester to easily switch back and forth between the machines when needed.
