There are multiple endpoints where we can get XSS in web apps, but most of the time they are self-XSS 😛, which requires user interaction to trigger, so to make it exploitable or to build a PoC we are typically left with 2 options :p
- Using Clickjacking
- Using CSRF
Depending on which of the above 2 cases is present, we can create a PoC.
So here I will discuss a real example in one of the Yahoo acquisitions, “Polyvore”, which I reported.
There were multiple fields vulnerable to XSS. They were self-XSS, but their page was vulnerable to clickjacking, so we can exploit it by getting a relative XSS vector that bypasses the filter into the fields with the help of the user, by tricking him into playing a game of drag and drop,
which is at least better than a standalone PoC and will at least convey it to the team :v
I will create a separate post on how to do it via CSRF (no such fantasy involved in that either), but clickjacking involves a little configuration, so this is just a bookmark post in case you run into such situations.
So I have just written a custom .py script which will create a clickjack-to-XSS PoC. On running the script, it will ask you for 2 things:
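The condition that made the self-XSS reportable here is that the page could be framed by another origin. As an added example (not code from the original post or from the script it mentions), this is a defender-side check that classifies a response's framing protection from its headers. The function names and the sample headers are constructed, and the source classification is a simplification of what browsers do.

```python
VALID_XFO = {"deny", "sameorigin", "allowall"}
OPEN_SOURCES = {"*", "http:", "https:"}
ORDER = ["blocked", "same-origin", "allowlist", "open"]  # strictest first

def frame_ancestors_policies(headers):
    """Collect the source list of every enforced frame-ancestors directive."""
    found = []
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue  # Content-Security-Policy-Report-Only is not enforced
        for policy in value.split(","):        # one header may carry several policies
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    found.append([t.lower() for t in tokens[1:]])
                    break                      # later duplicates in a policy are ignored
    return found

def classify_sources(sources):
    """Simplified: an empty list or 'none' blocks, a bare wildcard or scheme is open."""
    if not sources or sources == ["'none'"]:
        return "blocked"
    if any(s in OPEN_SOURCES for s in sources):
        return "open"
    return "same-origin" if sources == ["'self'"] else "allowlist"

def framing_verdict(headers):
    """headers: list of (name, value) pairs. Returns one of the ORDER strings."""
    policies = frame_ancestors_policies(headers)
    if policies:
        # frame-ancestors replaces X-Frame-Options when present. Every policy must
        # allow the embedder, so the strictest one is reported (an approximation).
        return min((classify_sources(p) for p in policies), key=ORDER.index)
    xfo = {v.strip().lower() for n, val in headers if n.lower() == "x-frame-options"
           for v in val.split(",")}
    if len(xfo) > 1:  # conflicting values: blocked if any of them is a valid one
        return "blocked" if xfo & VALID_XFO else "open"
    if xfo == {"deny"}:
        return "blocked"
    if xfo == {"sameorigin"}:
        return "same-origin"
    return "open"  # header absent, obsolete ALLOW-FROM, or an unknown value

if __name__ == "__main__":
    sample = [("Content-Type", "text/html"), ("X-Frame-Options", "ALLOW-FROM https://example.com")]  # constructed
    print(framing_verdict(sample))
```

A verdict of `open` on a page with editable fields is the combination described above; `blocked` or `same-origin` removes the framing half of it.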
- XSS vector to bypass the filter
- Custom clickjack code, which you can create from here
Q.) Why custom clickjack code?
Because there are specific text fields and textareas which are vulnerable and need to be included as part of the game! You will understand better in the video below.
Now you can give this file to the victim!
Greetz to #kotowicz for the great work in the clickjacking domain.
That’s all, guys 🙂