all InfoSec news
HackTheBox - Bookworm
Jan. 20, 2024, 3:26 p.m. | IppSec
IppSec www.youtube.com
00:50 - Start of nmap
04:30 - Discovering a potential XSS in the Notes field of an order. Content Security Policy (CSP) blocks us, because JS cannot be on the same page. Looking for a file upload functionality.
08:29 - Finding out we can upload anything we want to the avatar. This should allow us to bypass the CSP in the book edit field
11:55 - Confirmed XSS on the page, checking if there's an IDOR Vulnerability …
avatar can content security csp file file upload hackthebox introduction nmap order page policy security security policy start upload xss
More from www.youtube.com / IppSec
Jobs in InfoSec / Cybersecurity
SOC 2 Manager, Audit and Certification
@ Deloitte | US and CA Multiple Locations
Lead Technical Product Manager - Threat Protection
@ Mastercard | Remote - United Kingdom
Data Privacy Officer
@ Banco Popular | San Juan, PR
GRC Security Program Manager
@ Meta | Bellevue, WA | Menlo Park, CA | Washington, DC | New York City
Cyber Security Engineer
@ ASSYSTEM | Warrington, United Kingdom
Privacy Engineer, Technical Audit
@ Meta | Menlo Park, CA