DOM-based cross site scripting poc not working - security

I have found a DOM-based XSS vulnerability at "https://bumble.com/de/contact-us", but when I try to exploit it as a PoC with "https://bumble.com/de/contact-us/<svg/onload=alert(document.domain)>" it doesn't show anything.
URL: "https://bumble.com/de/contact-us"
Parameter: "window.localStorage"
Attack Details:
Source: window.localStorage
Location: https://bumble.com/de/contact-us?wvstest=javascript:domxssExecutionSink(1,"'">()locxss")#javascript:domxssExecutionSink(1,"'">()locxss")
Execution Sink: set HTML code
HTML code set:
javascript:domxssExecutionSink(2,"'">()storelocalxss") ...
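What the scanner output says about the source, as an added example that is not part of the question, of the scanner's output, or of bumble.com's code: the finding is a value read from `window.localStorage` flowing into an HTML sink ("set HTML code", i.e. an `innerHTML`-style assignment), and the URL path is not that source. The block below models that data flow with constructed stand-ins so it runs offline (in a browser console the real `window.localStorage` and `document` are used), and shows that a payload in the path never reaches the sink while a value written into storage does, next to the hardened text-only rendering. The storage key name and the rendering functions are hypothetical; the scanner report names only the source object.

```javascript
'use strict';
// Added example; not code from the question, the scanner, or bumble.com.
// Models the reported flow: source = window.localStorage, sink = "set HTML code"
// (innerHTML), to show why a payload in the URL path never reaches that sink.
// In a browser console the real window.localStorage and document are used;
// under Node, constructed in-memory stand-ins are used so the block runs offline.
const inBrowser = typeof window !== 'undefined' && typeof document !== 'undefined';

const storage = inBrowser ? window.localStorage : (() => {
  const m = new Map();                       // constructed stand-in for localStorage
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
})();

function newElement() {                      // constructed stand-in for a DOM element
  return inBrowser ? document.createElement('div') : { innerHTML: '', textContent: '' };
}

// Hypothetical key: the scanner report names only the source object, not the key read.
const KEY = 'contactForm.lastMessage';
const PAYLOAD = '<img src=x onerror=alert(document.domain)>';

// Vulnerable pattern behind the finding: a stored value is assigned to innerHTML.
// Nothing here reads location.pathname, so "/contact-us/<svg onload=...>" is inert.
function renderVulnerable(el) {
  el.innerHTML = storage.getItem(KEY) || '';
  return el.innerHTML;
}

// Hardened form: the same data rendered as text, so markup in the value is not parsed.
function renderSafe(el) {
  el.textContent = storage.getItem(KEY) || '';
  return el.textContent;
}

// Attempt 1: payload only in the URL path. The sink is fed from storage, not the URL.
function attemptViaPath(pathname) {
  storage.removeItem(KEY);
  const el = newElement();
  renderVulnerable(el);
  return { pathname, sinkContainsPayload: el.innerHTML.includes('onerror=') };
}

// Attempt 2: payload written into the source the report actually names. For real,
// that needs a same-origin write: another bug, a page that stores attacker-supplied
// input, or, to confirm the sink, a DevTools console: localStorage.setItem(KEY, PAYLOAD)
// followed by a reload.
function attemptViaStorage() {
  storage.setItem(KEY, PAYLOAD);
  const vuln = newElement();
  const safe = newElement();
  renderVulnerable(vuln);
  renderSafe(safe);
  return {
    vulnerableSinkContainsPayload: vuln.innerHTML.includes('onerror='),
    safeSinkKeepsMarkupAsText: safe.textContent === PAYLOAD,
  };
}
```

The practical consequence: a localStorage-sourced DOM XSS is only reachable once something writes attacker-controlled data into that key on the bumble.com origin, so the PoC has to target whatever stores the value (a form field that is persisted, another injection point) rather than the path.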


How to let PySide2 WebEngineView Show a video successfully?

I'm building a simple browser using PySide2+Python 3.9, but I find that it doesn't play any videos correctly. I don't know how to solve it.
I tried to visit https://v.qq.com/x/page/w3041d29ecr.html. However, in the page I saw that "your browser does not support this video". On the console, I see these outputs:
js: A cookie associated with a cross-site resource at http://mediav.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
js: Uncaught (in promise) NotSupportedError: The element has no supported sources.
It seems that my code does not support video resources.
I used the following code to configure WebEngineView:
from PySide2.QtWebEngineWidgets import QWebEngineSettings

self.browser.settings().setAttribute(QWebEngineSettings.PluginsEnabled, True)                 # Pepper plugins (e.g. the PDF viewer)
self.browser.settings().setAttribute(QWebEngineSettings.JavascriptEnabled, True)              # run page scripts (default is already on)
self.browser.settings().setAttribute(QWebEngineSettings.AllowRunningInsecureContent, True)    # let https pages load http subresources (mixed content)
self.browser.settings().setAttribute(QWebEngineSettings.LocalContentCanAccessFileUrls, True)  # file:// pages may read other file:// URLs
self.browser.settings().setAttribute(QWebEngineSettings.LocalContentCanAccessRemoteUrls, True) # file:// pages may fetch remote URLs
But I found that the browser still could not display the video correctly.
From some questions, I learned that maybe I need to recompile PySide2, but how should I compile it? Or how can I solve this problem?

X-Content-Type-Options Header Missing Website Application SocketIO

I am developing a Node.js Express application that is running in the IBM Cloud. Via HostedScan I tested my application for security issues.
I'm getting the following result:
"X-Content-Type-Options Header Missing"
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIMEsniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.
Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
My URL that has a risk:
https://xxx.xxx.xxx.xxx:xxxxx/socket.io/socket.io.js
It's a GET method.
I implemented the following solution
(server.js)
const helmet = require("helmet")
.....
app.use(helmet.noSniff())
With this code, part of the security issues went away, like:
https://xxx.xxx.xxx.xxx:xxxxx/
https://xxx.xxx.xxx.xxx:xxxxx
https://xxx.xxx.xxx.xxx:xxxxx/chatroom
but the security risk with https://xxx.xxx.xxx.xxx:xxxxx/socket.io/socket.io.js is still remaining.
I also tried the following in my index.html, because I thought the security risk could be because my client is also interacting with socket.io:
<script
src="https://cdnjs.cloudflare.com/ajax/libs/socket.io/4.5.1/socket.io.js"
integrity="sha512-xxxxxxxx....."
crossorigin="anonymous">
</script>
Does anyone have an approach?

Excel Task Pane add-in to show content from external source

I am trying to build an Excel/Word task pane add-in that should show content from our site. The content/data is passed in XML format.
What I have tried to do is the following:
Office.initialize = function (reason) {
    $(document).ready(function () {
        app.initialize();
        $.support.cors = true;      // tell jQuery the host browser supports CORS
        var data = '';
        $.ajax({
            type: "GET",
            contentType: "application/json; charset=utf-8",          // non-simple header on a GET: forces a CORS preflight
            url: 'http://addons.mysite.com/excel-taskpane-data.php', // plain http from an https task pane is mixed content
            data: data,
            dataType: "json",
            success: onQuerySuccess,
            error: onQueryError
        });
        // jQuery passes (data, statusText, jqXHR) on success and (jqXHR, statusText, errorThrown) on error
        function onQuerySuccess(data, statusText, jqXHR) {
            console.log('success!! ' + jqXHR.status + ' ' + statusText);
        }
        function onQueryError(jqXHR, statusText, errorThrown) {
            console.log('failed!! ' + jqXHR.status + ' ' + jqXHR.statusText + ' ' + errorThrown);
        }
    });
};
As you can understand from the code above I was just checking if connection could be made to the external source, but I am getting "Access Denied" in the console.
I am not really sure how I should request data from an external source, and whether it is possible at all?
Please help
You mentioned 'external' so I bet http://addons.mysite.com/ is not the domain that serves your web add-in.
To make it work you have to check several things.
Serving with HTTPS. As written by Michael, make sure you use https. Mixed content (mixing of http and https) is blocked by most servers, and Office web add-ins can only be served over https.
Make sure your PHP web API supports CORS.
I am no PHP expert, so here is a small link
Try to specify https://addons.mysite.com as AppDomain
The sandboxed iFrame allows only requests and navigation on the same domain (the one that you use to serve your web add-in). But you can specify some exceptions; see here. It works with navigation, and I am not sure it works with XHR...
If step 3 did not work, try to use JSON/P techniques as described here
JSON/P with Office add-ins
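The CORS and mixed-content checks from the answer above, as an added example that is not part of the answer and not the questioner's PHP endpoint: the decision `http://addons.mysite.com/excel-taskpane-data.php` has to make before the task pane's cross-origin XHR may read its response, with an explicit origin allowlist, `Vary: Origin`, and the preflight that the question's `contentType: "application/json"` on a GET triggers. It is written in JavaScript like this page's other examples; each header maps onto a PHP `header()` call. The allowlisted origin and the request objects are constructed for the example.

```javascript
'use strict';
// Added example; not from the answer and not the questioner's endpoint. The CORS decision
// a cross-origin data endpoint must make for an Office task pane's XHR, plus the
// mixed-content check. Requests are constructed objects so the block runs offline.

// Hypothetical allowlist: the exact origin that serves the add-in's task pane page.
// "*" is acceptable only for a public, credential-free read-only feed; never combine
// "*" with Access-Control-Allow-Credentials, and never echo an arbitrary Origin back.
const ALLOWED_ORIGINS = new Set(['https://addins.mysite.com']);
const ALLOWED_METHODS = ['GET', 'OPTIONS'];
const ALLOWED_HEADERS = ['content-type'];          // compared lower-cased

// The answer's mixed-content point: an https task pane calling a plain-http API.
function isMixedContent(pageUrl, apiUrl) {
  return new URL(pageUrl).protocol === 'https:' && new URL(apiUrl).protocol === 'http:';
}

// Returns { status, headers, allowed, preflight } for a request { method, headers }.
// req.headers keys are expected lower-cased. `allowed` means the browser will let the
// calling page read the response (or proceed with the real request after a preflight).
function corsDecision(req) {
  const h = req.headers;
  const origin = h['origin'];
  const headers = { 'Vary': 'Origin' };            // caches must not reuse one origin's answer for another
  const preflight = req.method === 'OPTIONS' && 'access-control-request-method' in h;

  if (origin === undefined) {                      // same-origin or non-browser client: no CORS involved
    return { status: 200, headers, allowed: true, preflight: false };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {              // also rejects "null" (opaque/sandboxed origins)
    // No Access-Control-* headers at all: the browser withholds the response from script.
    return { status: preflight ? 403 : 200, headers, allowed: false, preflight };
  }
  headers['Access-Control-Allow-Origin'] = origin; // echo only an allowlisted value

  if (preflight) {
    const method = h['access-control-request-method'];
    const requested = (h['access-control-request-headers'] || '')
      .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(method) && requested.every((r) => ALLOWED_HEADERS.includes(r));
    if (!ok) return { status: 403, headers, allowed: false, preflight };
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers, allowed: true, preflight };   // no body; the data handler does not run
  }
  return { status: 200, headers, allowed: true, preflight: false };
}

// Constructed request: the preflight the question's $.ajax call causes.
function taskPanePreflight(origin) {
  return {
    method: 'OPTIONS',
    headers: {
      origin,
      'access-control-request-method': 'GET',
      'access-control-request-headers': 'content-type',
    },
  };
}
```

Applying this to the question: the endpoint must answer the OPTIONS request with 204 and the allow headers before the browser sends the GET at all, the task pane page and the API both have to be https, and if the add-in only needs to read JSON the `contentType` on the GET can simply be dropped, which removes the preflight.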
Yes, you can make Ajax HTTP requests from Office web add-ins such as your Excel/Word task pane. They work exactly the same as they would on a normal web page, except we have an additional requirement of using "https" rather than "http" to access the endpoint.
I can't identify the cause of your specific issue without information about the actual endpoint you're calling. Start by just trying your code on a normal web page and access it normally with a web browser. Once you have that working, then point an add-in to the page. That should fix your issue, but if you still have a problem where the exact same code is working in a normal browser and failing in an add-in, let us know.

Setting page.driver.block_unknown_urls in Cucumber?

I am using cucumber and I keep getting this warning
Request to unknown URL: http://fonts.googleapis.com/css?family=Source+Sans+Pro
To block requests to unknown URLs:
page.driver.block_unknown_urls
To allow just this URL:
page.driver.allow_url("http://fonts.googleapis.com/css?family=Source+Sans+Pro")
To allow requests to URLs from this host:
page.driver.allow_url("fonts.googleapis.com")
I understand I need to set the page.driver.block_unknown_urls configurations but I am not sure where to do this in cucumber.
Could someone please explain where I should set this configuration in cucumber

Tests using Webdriver with remote HTMLUnit having trouble logging into gmail

For some reason, after logging into a site like gmail, htmlunit is not working. It is not able to find html elements.
The following is a very simple ruby script that shows the problem, note it assumes that webdriver server is running on the same machine running it:
require 'rubygems'
require 'watir-webdriver'
require 'rspec/expectations'
##
## THE FOLLOWING TWO WAYS WORK
#
#browser = Watir::Browser.new(:remote, :url => "http://127.0.0.1:4444/wd/hub", :desired_capabilities => :firefox)
#browser = Watir::Browser.new(:remote, :url => "http://127.0.0.1:4444/wd/hub", :desired_capabilities => :internet_explorer)
##
## THIS WAY FAILS
##
capabilities = Selenium::WebDriver::Remote::Capabilities.htmlunit(:javascript_enabled => true)
browser = Watir::Browser.new(:remote, :url => "http://127.0.0.1:4444/wd/hub", :desired_capabilities => capabilities)
#Login to gmail
browser.goto "http://gmail.com"
browser.text_field(:id,'Email').set 'roberttestingstuff041'
browser.text_field(:id,'Passwd').set 'k4238chsj55983w'
browser.button(:id,'signIn').click
sleep 5.0 #sleep shouldnt be needed, but just to be sure we are waiting long enough for log in to complete
frame = browser.frame(:id,'canvas_frame')
#It fails on the next line when using htmlunit
frame.link(:text, 'Sign out').exist?.should == true
frame.link(:text, 'Sign out').visible?.should == true
frame.div(:id, 'guser').exist?.should == true
frame.div(:text,'Compose mail').exist?.should == true
Note that if I create the browser object using firefox or IE, this simple test works.
It seems to get hung up on the redirects that happen during the login process. The site I am really trying to test follows a very similar pattern, so I set up this simplified example with gmail which seems to show the same problem.
Can anyone help turn this into a passing test? Note that I can get a similar test to work using Celerity, which is also based on HTMLUnit, so I believe there should be some way to make this work?
This is the error that shows in the webdriver server, clearly showing it failing to find the attribute:
12:31:16.321 INFO - WebDriver remote server: INFO: Executing: [find element: By.xpath: .//a[normalize-space()='Sign out'
] at URL: /session/1297704604365/element)
12:31:17.996 WARN - WebDriver remote server: WARN:
org.openqa.selenium.NoSuchElementException: Unable to locate a node using .//a[normalize-space()='Sign out']
System info: os.name: 'Windows 7', os.arch: 'x86', os.version: '6.1', java.version: '1.6.0_21'
Driver info: driver.version: EventFiringWebDriver
at org.openqa.selenium.htmlunit.HtmlUnitDriver.findElementByXPath(HtmlUnitDriver.java:699)
at org.openqa.selenium.By$6.findElement(By.java:205)
at org.openqa.selenium.htmlunit.HtmlUnitDriver$4.call(HtmlUnitDriver.java:1133)
I'm thinking that Gmail is detecting our headless browser (in this case HtmlUnit with Rhino) does not support JavaScript.
If you look at the return from Gmail after
browser.button(:id,'signIn').click
You will see that we are on a "JavaScript must be enabled" page
p browser.text
"<style> #loading {display:none} </style> <font face=arial>JavaScript must be enabled in order for you to use Gmail in standard view. However, it seems JavaScript is either disabled or not supported by your browser. To use standard view, enable JavaScript by changing your browser options, then try again. <p>To use Gmail's basic HTML view, which does not require JavaScript, click here.</p></font><p><font face=arial>If you want to view Gmail on a mobile phone or similar device click here.</font></p> \n Loading tim.koops#gmail.com… \n\n\n\n Loading standard view | Load basic HTML (for slow connections)"
In this case we could go to the HTML only version of Gmail to get you through, but unfortunately I think we're stuck for now. I will pass on this failing test case to the webdriver developers for review.
Also, hope those aren't your real Gmail credentials!
You need to enable JavaScript for the HtmlUnit driver.
It's disabled by default.
Use the Capability HTMLUNITWITHJS as opposed to the default HTMLUNIT.
I'm using the names in the Python bindings, but I'm sure Ruby is using something similar.
