Brain Storming: Quiz-1(Web App) Solution


Hi,

Hope everyone is doing good. It's been a while since I posted a small quiz under the heading Brain Storming: Quiz-1(Web App), but due to lack of time I was not able to post the solution.

I have received messages and comments from a few people asking me to post the answers. Thanks to Rinkish Khera, Jaya Ram Kumar Pothi, Sanyam Chawla, etc. for reminding me to post them.

The questions in quiz can be found here: Brain Storming: Quiz-1(Web App).

Answers:

1) Yes, it is possible to perform XSS in this case, because htmlentities() with its default settings does not encode the single quote ( ' ). The single quote is left unfiltered unless you pass the special flag ENT_QUOTES to ask for it. Thus, a simple payload like the one given below will work.

<input type='text' value='text' onmouseover='alert(1)'>
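As an added example (not part of the original post), the snippet below re-implements in Python the behaviour the answer describes: an htmlentities-style encoder whose default table leaves the single quote alone, the same encoder with the ENT_QUOTES table, and a small check that tells you whether a single-quoted attribute template survived the untrusted value intact. The encoder tables and the template are constructed for this demonstration; they are not PHP's own code. (Caveat for anyone testing on current PHP: from PHP 8.1 onwards htmlentities() encodes single quotes by default, so the "default" table here corresponds to the older behaviour the quiz assumes.)

```python
# Constructed analogue of PHP htmlentities() (pre-8.1 defaults): only
# &, <, > and " are encoded; the single quote passes through unchanged.
DEFAULT_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}
# With ENT_QUOTES the single quote is encoded as well.
ENT_QUOTES_MAP = {**DEFAULT_MAP, "'": "&#039;"}


def htmlentities(value: str, ent_quotes: bool = False) -> str:
    """Encode `value` character by character using the chosen table."""
    table = ENT_QUOTES_MAP if ent_quotes else DEFAULT_MAP
    return "".join(table.get(ch, ch) for ch in value)


def render_input(value: str, ent_quotes: bool = False) -> str:
    """Hypothetical template that places the user value in a single-quoted attribute."""
    return "<input type='text' value='%s'>" % htmlentities(value, ent_quotes)


def attribute_intact(markup: str) -> bool:
    """Defensive check: the template writes exactly four single quotes
    (around 'text' and around the value). Any extra quote means the
    untrusted value closed the attribute and injected new markup."""
    return markup.count("'") == 4


# Constructed untrusted input: the quiz's own attribute break-out.
UNTRUSTED = "' onmouseover='alert(1)"

if __name__ == "__main__":
    weak = render_input(UNTRUSTED)
    strong = render_input(UNTRUSTED, ent_quotes=True)
    print(weak, attribute_intact(weak))      # quote not encoded -> False
    print(strong, attribute_intact(strong))  # ENT_QUOTES -> True
```

The check is deliberately tied to the template: output encoding is only correct when it covers the delimiter of the context the value lands in, which is exactly what the default table misses for single-quoted attributes.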

2) SameSite prevents the browser from sending the cookie along with cross-site requests. The main goal is mitigating the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. You can read more about it here: SameSite Cookie Attribute
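To make the answer concrete, here is an added example (not from the original post) of a small Set-Cookie auditor: it parses a response header and reports a missing SameSite attribute, the SameSite=None-without-Secure combination that browsers reject, and missing HttpOnly/Secure flags. The header strings are constructed samples; the function names are my own.

```python
def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Return a list of findings for one Set-Cookie header (empty means clean)."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    same_site = attrs.get("samesite")
    if same_site is None:
        # Without SameSite the cookie rides along on cross-site requests
        # (current browsers default to Lax, but do not rely on that).
        findings.append("missing SameSite")
    elif str(same_site).lower() == "none" and "secure" not in attrs:
        # SameSite=None is only honoured together with Secure.
        findings.append("SameSite=None without Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    return findings


# Constructed sample headers for a quick run.
SAMPLES = [
    "session=abc123; Path=/",
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "session=abc123; Path=/; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_cookie(sample) or "OK")
```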

3) Yes, it is possible to access the /admin/ directory from a different location. This can be done by using X-Forwarded-* headers to bypass 403 restrictions. You can read about this in detail here: Enumerating IPs in X-Forwarded-Headers to bypass 403 restrictions

4) Yes, it is possible to perform XSS in such a case by using the True-Client-IP header. A nice post by GeekBoy explaining the exploitation can be found here: https://www.geekboy.ninja/blog/tag/self-xss/
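Answers 3 and 4 share one root cause: the application trusts a client-IP header that any client can set. The following added example (my own code, not from the post or the linked articles) shows the defensive side: resolve the client address from X-Forwarded-For only when the TCP peer is one of your own proxies, walk the header from the right past your own hops, and ignore every such header on direct connections. The proxy range, the admin allowlist and the sample requests are constructed for the demonstration; a header like True-Client-IP should be consulted the same way, only when your own edge sets it.

```python
import ipaddress

# Constructed deployment facts: our reverse proxies and the admin allowlist.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_ALLOWLIST = [ipaddress.ip_network("192.168.1.0/24")]


def _is_trusted_proxy(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(remote_addr: str, headers: dict) -> str:
    """Return the address to use for access decisions.

    remote_addr is the TCP peer; headers is the request header map.
    Forwarding headers are honoured only when the peer is a trusted proxy.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer):
        # Direct connection: any X-Forwarded-For / True-Client-IP value was
        # written by the client itself, so it carries no authority.
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right-to-left: skip addresses belonging to our own proxies, the
    # first remaining hop is the address our edge actually saw.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the socket peer
        if not _is_trusted_proxy(addr):
            return hop
    return remote_addr


def admin_allowed(remote_addr: str, headers: dict) -> bool:
    """Access check for /admin/: allowlist applies to the resolved client IP."""
    client = ipaddress.ip_address(resolve_client_ip(remote_addr, headers))
    return any(client in net for net in ADMIN_ALLOWLIST)


if __name__ == "__main__":
    # Constructed requests: a direct client forging headers, and a request
    # arriving through our proxy with the real client in X-Forwarded-For.
    print(admin_allowed("203.0.113.5", {"X-Forwarded-For": "192.168.1.10"}))   # False
    print(admin_allowed("203.0.113.5", {"True-Client-IP": "192.168.1.10"}))    # False
    print(admin_allowed("10.0.0.2", {"X-Forwarded-For": "192.168.1.10, 10.0.0.9"}))  # True
```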

5) XSS payload when parentheses (), backticks ` and pseudo-protocols are blocked: <svg/onload=window.onerror=alert;throw/xss/>

6) Yes, by performing a Cross Site History Manipulation (XSHM) attack it is possible to perform Two Way CSRF attacks.

7) Yes, it is possible to steal the sensitive token by exploiting the above-mentioned CORS configuration. To read about it in depth, please refer to the following post: Exploiting Misconfigured Cross Origin Resource Sharing
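As an added illustration (my own code, not from the post or the linked write-up), the block below puts the misconfiguration next to its fix and emulates the browser-side rule that decides whether a credentialed cross-origin response can be read: Access-Control-Allow-Origin must equal the requesting origin and Access-Control-Allow-Credentials must be "true". The reflecting handler grants that to every origin; the allowlist handler grants it only to the configured ones. The origins and function names are constructed.

```python
# Constructed allowlist of first-party origins.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_reflecting(origin: str) -> dict:
    """Misconfiguration: echo whatever Origin the request carried, with credentials."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlist(origin: str) -> dict:
    """Fix: exact-match allowlist; unknown origins get no CORS headers at all."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            # Responses differ per origin, so caches must key on it.
            "Vary": "Origin",
        }
    return {}


def credentialed_read_permitted(origin: str, response_headers: dict) -> bool:
    """Emulate the browser check for a credentialed (cookies sent) request:
    ACAO must match the origin exactly (wildcard is rejected with credentials)
    and ACAC must be the literal string "true"."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    acac = response_headers.get("Access-Control-Allow-Credentials")
    return acao == origin and acao != "*" and acac == "true"


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://third-party.example"):
        print(origin,
              "reflecting:", credentialed_read_permitted(origin, cors_headers_reflecting(origin)),
              "allowlist:", credentialed_read_permitted(origin, cors_headers_allowlist(origin)))
```

The point the answer makes follows directly: with the reflecting handler, a page on any origin that can make the victim's browser send the request also gets to read the token in the response.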

8) The system.multicall method allows us to execute multiple methods inside a single request. It is very useful as it allows the application to pass multiple commands within one HTTP request. You can read more about it here: Brute Force Amplification Attacks Against Wordpress Xmlrpc

9) The pingback.ping method in XML-RPC can be used to perform a Pingback Denial of Service attack. You can read more about it here: Wordpress XML RPC Pingback Vulnerability Analysis
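Answers 8 and 9 both concern what an XML-RPC endpoint accepts, so here is one added example (my own code, not WordPress's and not from the linked articles) of an inspection step a front-end or plugin could run on the request body before dispatching it: parse the call with Python's standard xmlrpc.client, expand a system.multicall into its inner method names, and flag multicalls above a configurable size as well as calls to methods you have decided to block, such as pingback.ping. The sample request bodies are constructed with the same library; the limit and block list are assumptions.

```python
import xmlrpc.client

MAX_MULTICALL = 10                     # assumed per-request cap on inner calls
BLOCKED_METHODS = {"pingback.ping"}    # assumed block list


def inspect_xmlrpc(body: str) -> dict:
    """Parse an XML-RPC methodCall body and return method names plus findings."""
    params, method = xmlrpc.client.loads(body)
    if method == "system.multicall":
        # params[0] is the array of {methodName, params} structs.
        calls = [call["methodName"] for call in params[0]]
    else:
        calls = [method]
    findings = []
    if method == "system.multicall" and len(calls) > MAX_MULTICALL:
        findings.append("multicall with %d calls exceeds %d" % (len(calls), MAX_MULTICALL))
    findings.extend("blocked method %s" % m for m in calls if m in BLOCKED_METHODS)
    return {"method": method, "calls": calls, "findings": findings}


def sample_multicall(n: int) -> str:
    """Constructed multicall body with n wp.getUsersBlogs attempts."""
    inner = [{"methodName": "wp.getUsersBlogs", "params": ["user", "guess%d" % i]}
             for i in range(n)]
    return xmlrpc.client.dumps((inner,), methodname="system.multicall")


def sample_pingback() -> str:
    """Constructed pingback.ping body (placeholder URLs)."""
    return xmlrpc.client.dumps(("http://source.example/post", "http://target.example/post"),
                               methodname="pingback.ping")


if __name__ == "__main__":
    for body in (sample_multicall(3), sample_multicall(50), sample_pingback()):
        result = inspect_xmlrpc(body)
        print(result["method"], len(result["calls"]), result["findings"] or "OK")
```

A cap on multicall size is what removes the amplification described in the linked post: one HTTP request can no longer carry hundreds of credential attempts, so per-request rate limiting becomes meaningful again.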

10) When user-supplied data is reflected inside a page served with Content-Type: text/xml, XSS can be performed in the following fashion:

XSS in XML

<html>
<head></head>
<body>
<!-- the xmlns value must be the XHTML namespace exactly, http://www.w3.org/1999/xhtml -->
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
</body>
</html>

That's all folks! In case you have any doubts/suggestions/feedback, feel free to drop messages/comments.

Remain curious & keep learning.

Anand Deo

Cyber Security Professional | Threat Hunting | PAM & WAF | Web Proxy | MicroSegmentation | EDR & SIEM Implementation

5 years

Nice one Utkarsh Sir

Akshay Mehra

Information Security

5 years

Nice post Utkarsh
