I have found an entry point that makes me able to close the quotation mark and then write a payload, but my payload doesn't pop up an alert window.
Let me explain with examples:
When I visit www.example.com/foo, the page contains <link rel=alternate href="https://www.example.com/foo" />
Using foo" onerror=alert() junk="x, the page reflects <link rel=alternate href="https://www.example.com/foo" onerror=alert() junk="x"/>. But in this case, no alert pop-up shows up.
I tried it on my machine by copying the page source and saw that if I could change rel=alternate to rel=import, then the alert popup would show up. Unfortunately I can't do that on the target site.
So, any idea about:
why the event is not being triggered with rel=alternate?
what is the key difference between import and alternate here?
what type of payload triggers JavaScript execution (XSS, I mean) here?
PS: I am not able to use <, > or their URL-encoded versions to close the tag and open up a script tag.
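As an added example (not code from the original post or from the target site), the following models how a server might reflect the request path into the <link rel=alternate> tag shown above, and the attribute-encoding fix that stops the quotation mark from being closed. The BASE host and the function names are assumptions; the payload is the one from the question.

```javascript
// Added example, not code from the original post or the target site.
// Models reflection of the request path into <link rel=alternate href="...">
// and the attribute-encoding fix. BASE and function names are assumptions.

const BASE = "https://www.example.com";

// Vulnerable: the raw path is concatenated straight into a quoted attribute,
// so a `"` in the path ends the href value and everything after it is parsed
// as new attributes (onerror=..., junk=...).
function buildLinkTagVulnerable(path) {
  return `<link rel=alternate href="${BASE}/${path}" />`;
}

// Hardened: encode the characters that can terminate a double-quoted
// attribute value or the tag itself before interpolating.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function buildLinkTagSafe(path) {
  return `<link rel=alternate href="${BASE}/${escapeAttr(path)}" />`;
}

// Minimal start-tag tokenizer (demo only): returns the attribute names a
// browser would see, honouring quoted values so that text *inside* href
// does not count as a separate attribute.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+\s*/, "").replace(/\s*\/?>$/, "");
  const re = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// The payload from the question (constructed input for the demo).
const PAYLOAD = 'foo" onerror=alert() junk="x';

console.log(buildLinkTagVulnerable(PAYLOAD));
console.log(attributeNames(buildLinkTagVulnerable(PAYLOAD)));
console.log(buildLinkTagSafe(PAYLOAD));
console.log(attributeNames(buildLinkTagSafe(PAYLOAD)));
```

With the vulnerable builder the tokenizer reports four attributes (rel, href, onerror, junk); with the hardened builder the whole payload stays inside the href value and only rel and href remain.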
My question is a bit the same as monochrome's: I want to trigger JavaScript inside an img tag.
When I upload an image as my profile picture, a PATCH request is sent to PATCH the image link of my profile picture, so whenever I open my profile the profile image is called by that link.
Now in that PATCH request I exchange the image link for my server IP (http://X.X.X.X:1337), and when someone opens my profile, my profile image is called, but as I exchanged the image link with my server IP, the application sends a GET request for the image to my server.
When the DOM is loaded it looks like this in the img tag: <img src="http://X.X.X.X:1337">
There is no CSP enforced; the application calls any IP, socket, domain or data URI.
As the src is called for an image, even if I call a JS file it does not get executed; it gets stored as normal text.
If I put an XSS payload, it is sent in the HTTP request.
If I use the data URI scheme with SVG+XML with an XSS payload, the image is loaded but not the JavaScript.
Now how can I make it harmful? Currently I can only get the IP of the victim.
In your situation, you can't inject JavaScript code. The purpose of the <img> tag is to display images. Web browsers treat any file loaded by <img> as an image. However, what you may be able to do is leak the Referer header, which sometimes includes interesting information.
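As an added example (not the application's own code), the following shows the server-side check the PATCH handler from the question above should apply to imageURL before storing it, and a referrer policy on the rendered <img> that addresses the Referer leak raised in the answer. The allow-listed CDN host, the profile shape and the function names are assumptions; the PATCH body is constructed after the one quoted in the thread.

```javascript
// Added example, not the application's own code. Validates imageURL in a
// profile PATCH and renders the <img> with a referrer policy. The allowed
// host, profile shape and function names are assumptions.

const ALLOWED_IMAGE_HOSTS = new Set(["cdn.example.com"]); // assumed CDN host

// Accept only https URLs on an allow-listed host. This rejects attacker
// hosts such as http://x.x.x.x:1337, data: URIs and javascript: URLs, so a
// victim's browser never contacts a server the attacker controls.
function validateImageUrl(raw) {
  let u;
  try {
    u = new URL(String(raw));
  } catch (e) {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (u.protocol !== "https:") return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  if (u.username || u.password) return { ok: false, reason: "credentials in URL" };
  if (!ALLOWED_IMAGE_HOSTS.has(u.hostname)) return { ok: false, reason: `host ${u.hostname} not allowed` };
  return { ok: true, url: u.href };
}

// Apply a PATCH body to a stored profile. imageURL is only updated when it
// passes validation; every other field is copied through unchanged.
function applyProfilePatch(profile, patch) {
  const next = { ...profile };
  const errors = [];
  for (const [key, value] of Object.entries(patch)) {
    if (key === "imageURL") {
      const v = validateImageUrl(value);
      if (v.ok) next.imageURL = v.url;
      else errors.push(`imageURL: ${v.reason}`);
    } else {
      next[key] = value;
    }
  }
  return { profile: next, errors };
}

// Render the profile picture. referrerpolicy="no-referrer" keeps the Referer
// header out of the image request as a second layer, even if the allow-list
// were ever relaxed. `&` and `"` are escaped for the attribute context.
function renderProfileImage(imageURL) {
  const safe = String(imageURL).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<img src="${safe}" referrerpolicy="no-referrer" alt="profile picture">`;
}

// Constructed stored profile and PATCH body modelled on the thread.
const STORED = { description: "", imageURL: "https://cdn.example.com/u/42.png" };
const ATTACKER_PATCH = { description: "`", _dirty: true, imageURL: "http://x.x.x.x:1337/" };

console.log(applyProfilePatch(STORED, ATTACKER_PATCH));
console.log(renderProfileImage(STORED.imageURL));
```

The attacker's PATCH still updates description and _dirty, but imageURL is left at its previous value and the handler reports one validation error, so the page keeps loading the picture from the allow-listed host.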
Did you try breaking the src attribute with a URL like http://x.x.x.x:1337/"'?
The PATCH request is submitted in JSON, and if I put " then it breaks the JSON.
The parameter is this:
{"MAX_COLLABORATORS":100,"web":{"siteURL":""},"ios":{"iPhoneStoreId":"","iPadStoreId":""},"android":{"className":"","googlePlayStoreId":""},"description":"`","_loading":false,"_loadingImage":true,"_dirty":true,"_saved":null,"imageURL":"http://x.x.x.x:1337/"}