GitBook: [master] 3 pages modified

SUMMARY.md

@@ -313,6 +313,7 @@
   * [CommonsCollection1 Payload - Java Transformers to Rutime exec\(\) and Thread Sleep](pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md)
   * [Basic .Net deserialization \(ObjectDataProvider gadget, ExpandedWrapper, and Json.Net\)](pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md)
   * [Exploiting \_\_VIEWSTATE parameter](pentesting-web/deserialization/exploiting-__viewstate-parameter.md)
+* [Domain/Subdomain takeover](pentesting-web/domain-subdomain-takeover.md)
 * [Email Header Injection](pentesting-web/email-header-injection.md)
 * [File Inclusion/Path traversal](pentesting-web/file-inclusion.md)
 * [File Upload](pentesting-web/file-upload/README.md)
@@ -326,6 +327,7 @@
 * [OAuth to Account takeover](pentesting-web/oauth-to-account-takeover.md)
 * [Open Redirect](pentesting-web/open-redirect.md)
 * [Parameter Pollution](pentesting-web/parameter-pollution.md)
+* [PostMessage Vulnerabilities](pentesting-web/postmessage-vulnerabilities.md)
 * [Race Condition](pentesting-web/race-condition.md)
 * [Rate Limit Bypass](pentesting-web/rate-limit-bypass.md)
 * [SQL Injection](pentesting-web/sql-injection/README.md)
@@ -343,7 +345,6 @@
     * [Second Order Injection - SQLMap](pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md)
 * [SSRF \(Server Side Request Forgery\)](pentesting-web/ssrf-server-side-request-forgery.md)
 * [SSTI \(Server Side Template Injection\)](pentesting-web/ssti-server-side-template-injection.md)
-* [Domain/Subdomain takeover](pentesting-web/domain-subdomain-takeover.md)
 * [Unicode Normalization vulnerability](pentesting-web/unicode-normalization-vulnerability.md)
 * [Web Tool - WFuzz](pentesting-web/web-tool-wfuzz.md)
 * [XPATH injection](pentesting-web/xpath-injection.md)

pentesting-web/cross-site-websocket-hijacking-cswsh.md

@@ -80,34 +80,6 @@ function handleReply(event) {
 
 As Web Sockets are a mechanism to **send data to server side and client side**, depending on how the server and client handles the information, **Web Sockets can be used to exploit several other vulnerabilities**:
 
-![](../.gitbook/assets/image%20%28129%29.png)
-
-## Tips/Bypasses in PostMessage vulnerabilities
-
-Copied from [https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html)
-
-* If `indexOf()` is used to check the origin of the PostMessage event, remember that it can be bypassed if the origin is contained in the string as seen in [_The Bypass_](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html#bypass)
-* [@filedescriptor](https://twitter.com/filedescriptor): Using `search()` to validate the origin could be insecure. According to the docs of `String.prototype.search()`, the method takes a regular repression object instead of a string. If anything other than regexp is passed, it will get implicitly converted into a regexp.
-
-```text
-"https://www.safedomain.com".search(t.origin)
-```
-
-In regular expression, a dot \(.\) is treated as a wildcard. In other words, any character of the origin can be replaced with a dot. An attacker can take advantage of it and use a special domain instead of the official one to bypass the validation, such as **www.s.afedomain.com**.
-
-* [@bored-engineer](https://bored.engineer/): If `escapeHtml` function is used, the function does not create a `new` escaped object, instead it over-writes properties of the existing object. This means that if we are able to create an object with a controlled property that does not respond to `hasOwnProperty` it will not be escaped.
-
-```text
-// Expected to fail:
-result = u({
-  message: "'\"<b>\\"
-});
-result.message // "&#39;&quot;&lt;b&gt;\"
-// Bypassed:
-result = u(new Error("'\"<b>\\"));
-result.message; // "'"<b>\"
-```
-
-`File` object is perfect for this exploit as it has a read-only `name` property which is used by our template and will bypass `escapeHtml` function.  
+  
 
 

pentesting-web/postmessage-vulnerabilities.md

@@ -0,0 +1,30 @@
+# PostMessage Vulnerabilities
+
+## Tips/Bypasses in PostMessage vulnerabilities
+
+Copied from [https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html)
+
+* If `indexOf()` is used to check the origin of the PostMessage event, remember that it can be bypassed if the origin is contained in the string as seen in [_The Bypass_](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html#bypass)
+* [@filedescriptor](https://twitter.com/filedescriptor): Using `search()` to validate the origin could be insecure. According to the docs of `String.prototype.search()`, the method takes a regular repression object instead of a string. If anything other than regexp is passed, it will get implicitly converted into a regexp.
+
+```javascript
+"https://www.safedomain.com".search(t.origin)
+```
+
+In regular expression, a dot \(.\) is treated as a wildcard. In other words, any character of the origin can be replaced with a dot. An attacker can take advantage of it and use a special domain instead of the official one to bypass the validation, such as **www.s.afedomain.com**.
+
+* [@bored-engineer](https://bored.engineer/): If `escapeHtml` function is used, the function does not create a `new` escaped object, instead it over-writes properties of the existing object. This means that if we are able to create an object with a controlled property that does not respond to `hasOwnProperty` it will not be escaped.
+
+```javascript
+// Expected to fail:
+result = u({
+  message: "'\"<b>\\"
+});
+result.message // "&#39;&quot;&lt;b&gt;\"
+// Bypassed:
+result = u(new Error("'\"<b>\\"));
+result.message; // "'"<b>\"
+```
+
+`File` object is perfect for this exploit as it has a read-only `name` property which is used by our template and will bypass `escapeHtml` function.
+