maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-web/xss-cross-site-scripting/xss-in-markdown

Browse Source
This commit is contained in:
Translator 2025-01-26 09:38:13 +00:00
parent 1864a17305
commit d6c1ef2e26
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md
View File

@ -6,7 +6,7 @@ Ikiwa una nafasi ya kuingiza msimbo katika markdown, kuna chaguzi chache unazowe
### HTML tags ### HTML tags
Njia ya kawaida zaidi ya kupata XSS katika markdown ni kuingiza vitambulisho vya kawaida vya HTML vinavyotekeleza javascript, kwa sababu waandishi kadhaa wa markdown pia watakubali HTML. Njia ya kawaida zaidi ya kupata XSS katika markdown ni kuingiza lebo za kawaida za HTML ambazo zinaendesha javascript, kwa sababu wahakiki wa markdown kadhaa pia watakubali HTML.
```html ```html
<!-- XSS with regular tags --> <!-- XSS with regular tags -->
<script> <script>
@ -14,11 +14,11 @@ alert(1)
</script> </script>
<img src="x" onerror="alert(1)" /> <img src="x" onerror="alert(1)" />
``` ```
Unaweza kupata mifano zaidi katika [ukurasa mkuu wa XSS wa hacktricks](). Unaweza kupata mifano zaidi katika [ukurasa mkuu wa XSS wa hacktricks](README.md).
### Viungo vya Javascript ### Viungo vya Javascript
Ikiwa vitambulisho vya HTML si chaguo, unaweza daima kujaribu kucheza na sintaksia ya markdown: Ikiwa vitambulisho vya HTML si chaguo, unaweza kila wakati kujaribu kucheza na sintaksia ya markdown:
```html ```html
<!-- markdow link to XSS, this usually always work but it requires interaction --> <!-- markdow link to XSS, this usually always work but it requires interaction -->
[a](javascript:prompt(document.cookie)) [a](javascript:prompt(document.cookie))
@ -42,7 +42,7 @@ t:prompt(document.cookie))
``` ```
### HTML Sanitiser Markdown Bypass ### HTML Sanitiser Markdown Bypass
Msimbo ufuatao ni **ukaguzi wa ingizo la HTML** na kisha **kupeleka kwa parser ya markdown**, kisha, XSS inaweza kuanzishwa kwa kutumia tafsiri mbaya kati ya Markdown na DOMPurify Msimbo ufuatao unafanya **kusafisha ingizo la HTML** na kisha **kulipeleka kwa parser ya markdown**, kisha, XSS inaweza kuanzishwa kwa kutumia tafsiri mbaya kati ya Markdown na DOMPurify
```html ```html
<!--from https://infosecwriteups.com/clique-writeup-%C3%A5ngstromctf-2022-e7ae871eaa0e --> <!--from https://infosecwriteups.com/clique-writeup-%C3%A5ngstromctf-2022-e7ae871eaa0e -->
<script src="https://cdn.jsdelivr.net/npm/dompurify@2.3.6/dist/purify.min.js"></script> <script src="https://cdn.jsdelivr.net/npm/dompurify@2.3.6/dist/purify.min.js"></script>