Hi hackers. Last time I wrote about onpointer * xss, I write a not well-known event-handle for xss now. (https://www.hahwul.com/2019/07/onpoint-xss-payload-for-bypass-xss-protection.html)

Hi hackers. I crafted XSS payloads for bypass event handler protection. it is just simple code.

Hi hackers. It’s a long time I didn’t write blog post. I found JSONP Hijacking a not SOP case. I’m going to briefly explain it. 오랜만에 SOP우회가 아닌 JSONP Hijacking 발견해서 간략하게 내용 풀어봅니다.

Some event handlers do not appear in the OWASP list. It is a touch event like ontouch*. It is a limited item on mobile devices, so it has a less effective effect than general purpose, but it is a good item to trigger XSS.

XSpear 관련해서 이런 건의사항이 하나 있었습니다. Burp, ZAP 등에서 사용하는 패킷 데이터를 파일로 저장한 후 옵션을 주어 읽으면 자동으로 URL, Header 등을 파싱해서 사용하는 형태를 말씀하신 것 같습니다.(마치 sqlmap의 그것 처럼)

I Simply write it (for note). It is easy to develop using terminal-table.

오늘 오후쯤 신기한 페이로드를 하나 찾아서 메모해뒀다가 글로 작성해봅니다. 아마도 자바스크립트 내부에 코드가 삽입되었지만 문자열을 탈출할 수 없을 때 사용할 수 있으며 이런 형태의 패턴이 들어가는 곳도 은근히 있을 것 같습니다.

Hi friends?! I shared post the applications settings in ZAP yesterday. I’m going to share some of the settings that I was writing separately today. Let’s get started, my go-to settings :)

Use sdcard directory on Termux

1) run termux-setup-storage command on termux terminal

ZAP has one interesting feature. It is a function that can use external applications. This makes it easier and more powerful for security testing to work with external tools. Today’s post is how to use the Apply bridge(?) in ZAP.