Reflected XSS in a JavaScript URL with some characters blocked

I am new to the field of Web Security and am practising labs from PortSwigger Web Security Academy. In this lab, https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-url-some-characters-blocked , we have to call the alert function with 1337 as the parameter.

The solution given on the website is https://your-lab-id.web-security-academy.net/post?postId=5&%27},x=x=%3E{throw/**/onerror=alert,1337},toString=x,window%2b%27%27,{x:%27

The decoded version for reference https://your-lab-id.web-security-academy.net/post?postId=5&'},x=x=>{throw/**/onerror=alert,1337},toString=x,window+'',{x:'

From what I understand, there is a JavaScript statement like var a = "get_parms" and we are trying to break out of the string, close the block and execute our own code.

x=x=>{throw/**/onerror=alert,1337} is the arrow function which assigns alert as the global error handler and throws 1337.

toString=x, window+'' assigns x to toString and then forces a string conversion on window. Now I have two questions:

  1. Why does this work only when I click the "Back to blog" button, in spite of forcing the string conversion on window?
  2. What is the use of the bolded characters in the URL? https://your-lab-id.web-security-academy.net/post?postId=5&'},x=x=>{throw/**/onerror=alert,1337},toString=x,window+'',{x:'

Thanks in advance.

Can small characters really carry that much?

Let’s take a gnome for the example. Here is what the PHB 37 says for its size:

Size. Gnomes are between 3 and 4 feet tall and average about 40 pounds. Your size is small.

The PHB 176 also says the following for the carrying capacity:

Carrying Capacity. Your carrying capacity is your Strength score multiplied by 15. This is the weight (in pounds) that you can carry, which is high enough that most characters don’t usually have to worry about it.

[…]

Size and Strength. Larger creatures can bear more weight, whereas Tiny creatures can carry less. For each size category above Medium, double the creature’s carrying capacity and the amount it can push, drag or lift. For a Tiny creature, halve these weights.

If this gnome has a Strength of 10, it means it can carry 10*15=150 pounds! More than triple its own weight!

Am I missing something, or can small characters really carry that much?

PS: I know D&D isn’t meant to be a realistic simulation, but still.

Is logging number of special characters in password a bad idea?

Recently I started a new job, and I am going through documentation and code to understand what the company is doing. While doing that, I noticed that the number of special characters in a user's password is logged.

Personally, I don't think it is a good idea, as it discloses some information regarding the password, especially for users who didn't use any special characters. On the other hand, this issue wasn't picked up by pen testers.

I was wondering: is it me being too paranoid and this is not a real issue, or is it an issue which was overlooked during pentesting?
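An added example, not from the original post, that puts a number on the leak: count how many passwords of a given length have exactly the logged number of special characters and compare that with the full space. The alphabet sizes (62 alphanumerics, 32 printable specials), the log format, and the fact that the constructed sample lines also carry the password length are all assumptions made for the example. Requires Node.js.

```javascript
// Added example (not from the original post): how much a logged
// "number of special characters" shrinks an attacker's search space.
// ASSUMED alphabet: 62 alphanumerics + 32 printable specials = 94 printable ASCII.
const ALNUM = 62n;
const SPECIAL = 32n;

// Binomial coefficient C(n, k) as a BigInt; each intermediate step is exact.
function binom(n, k) {
  let r = 1n;
  for (let i = 1n; i <= BigInt(k); i++) r = (r * (BigInt(n) - i + 1n)) / i;
  return r;
}

// All passwords of length n over the full alphabet.
function totalSpace(n) {
  return (ALNUM + SPECIAL) ** BigInt(n);
}

// Passwords of length n containing exactly k special characters.
function spaceWithSpecialCount(n, k) {
  return binom(n, k) * SPECIAL ** BigInt(k) * ALNUM ** BigInt(n - k);
}

// Bits of work the attacker saves once k is known: log2(total / remaining).
function bitsLeaked(n, k) {
  return Math.log2(Number(totalSpace(n))) - Math.log2(Number(spaceWithSpecialCount(n, k)));
}

// Constructed sample of the kind of log line the post describes. The length
// field is an added assumption so the shrink factor can be computed; without
// it, special_count=0 still tells an attacker to skip every candidate that
// contains a special character at all.
const SAMPLE_LOG = [
  '2024-01-01T10:00:00Z INFO password_set user=alice length=10 special_count=0',
  '2024-01-01T10:00:05Z INFO password_set user=bob length=12 special_count=1',
  '2024-01-01T10:00:09Z INFO password_set user=carol length=8 special_count=3',
];

// Parse each line and report how far the logged count narrows the search.
function assessLog(lines) {
  const re = /user=(\S+) length=(\d+) special_count=(\d+)/;
  return lines.flatMap((line) => {
    const m = re.exec(line);
    if (!m) return [];
    const n = Number(m[2]);
    const k = Number(m[3]);
    return [{
      user: m[1],
      length: n,
      specialCount: k,
      remaining: spaceWithSpecialCount(n, k),
      bitsLeaked: Number(bitsLeaked(n, k).toFixed(2)),
    }];
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(assessLog(SAMPLE_LOG));
}
```

For a 10-character password with special_count=0 the remaining space is 62^10 instead of 94^10, about six bits less work for an offline guess; the leak is smaller for counts in the middle of the range and is worst for the users who used no special characters, which is exactly the group the post singles out. A policy log that only records whether the password passed the complexity check discloses far less.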

Internal server error with special characters in request body – possible vulnerability?

While black-box testing a web application, I found some unexpected behavior. The request body of the original request, sent by the browser, contained a POST parameter like this:

user[email]=test@test.test 

After some fuzzing, the application returned 500 (Internal Server Error) on requests where the value started with %00 (a null byte) followed by a character other than %09, %0a (new line), %0b, %0c, %0d or %20 (space). If it is followed by one more null byte, or by one of the characters just mentioned, it behaves properly.

I'm pretty new to web testing, and wondered what could cause this, and whether it really is unexpected behavior.

My guess is that this code executes some command and sanitizes other characters like ", ' and others to prevent command injection, but the null byte terminates the string containing the command, so the command goes wrong (for example, a missing ' or " in the command). But why does it need another character after the null byte?

Or maybe this is related to specialized functions to send mail in other languages?

Also, I thought about database processing, but it still does not make sense why these characters are needed at the end, and why a new line, a space and the others change the behavior.

What could lead to this behavior, and is it a point worth researching deeper?
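An added example, not from the original post: a probe generator that sends %00 followed by each of the 256 possible bytes and tabulates the status codes, so the "which followers trigger the 500?" question is answered mechanically rather than by hand. The transport is a callback; the stand-in responder below is constructed to mirror only what the post reports and says nothing about the real cause. Requires Node.js.

```javascript
// Added example (not from the original post): generate the null-byte probe
// set and group responses by status code.
function encodeByte(b) {
  return '%' + b.toString(16).toUpperCase().padStart(2, '0');
}

// One request body per probe: a bare %00, then %00 followed by each byte.
function buildProbes(field = 'user[email]') {
  const probes = [{ label: 'bare %00', body: `${field}=%00` }];
  for (let b = 0; b < 256; b++) {
    probes.push({ label: encodeByte(b), body: `${field}=%00${encodeByte(b)}` });
  }
  return probes;
}

// `send(body)` returns the HTTP status for that body. Results are grouped by
// status so the output reads as "500 -> [bytes]", "200 -> [bytes]".
function classifyNullByteFollowers(send) {
  const byStatus = new Map();
  for (const probe of buildProbes()) {
    const status = send(probe.body);
    if (!byStatus.has(status)) byStatus.set(status, []);
    byStatus.get(status).push(probe.label);
  }
  return byStatus;
}

// Constructed stand-in for the target. It reproduces only what the post reports
// (%00 followed by %00, %09, %0A-%0D or %20 is accepted, any other follower gives
// a 500). The post does not say what a bare %00 does; the stand-in accepts it.
const TOLERATED_AFTER_NULL = new Set([0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20]);

function standInResponder(body) {
  const value = body.slice(body.indexOf('=') + 1);
  const bytes = [...value.matchAll(/%([0-9A-Fa-f]{2})/g)].map((m) => parseInt(m[1], 16));
  if (bytes[0] !== 0x00) return 200;
  if (bytes.length === 1) return 200;
  return TOLERATED_AFTER_NULL.has(bytes[1]) ? 200 : 500;
}

// Status -> number of probes, for a one-line summary.
function summarize(byStatus) {
  return Object.fromEntries([...byStatus].map(([status, labels]) => [status, labels.length]));
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = classifyNullByteFollowers(standInResponder);
  console.log(summarize(result));
  console.log('accepted after %00:', result.get(200));
}
```

Against a live target, `send` would wrap an HTTP client with a fixed delay and the original `user[email]` field, and the interesting output is the partition itself: whether the accepted set is exactly the backend language's whitespace set (as the post's list suggests) or also includes other control or high bytes is the first thing to compare against how that language's trim and whitespace handling treats those characters after a null.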

I have password reset link with a long string of characters. What do those characters mean? [closed]

I have a password reset link with login/reset_password?h=f7f7935cf3f63b3c01fc6987fb80f05c. What do these 32 characters in h mean?

I am testing a password reset functionality and found out that there is a URL parameter h with 32 characters in the password reset link. What is the purpose of these 32 characters?

Can players resurrect their old, dead characters, once they’re a higher level?

Resurrection can revive someone that has been dead for less than a century. So let’s say my level 5 druid dies and I make a barbarian to continue adventuring with my party, then a year later when we are high enough, our Cleric wants to resurrect my druid from way back when (remembering where we buried the body).

This feels like it definitely can happen, right? If so, then won't most dead characters be able to come back, eventually, especially at higher levels? It almost feels like death isn't as permanent as I thought it should be, unless I'm missing something?

Can I use REGEX to 301 a URL with extra characters at the end?

I’ve just set up PHPlist to manage my email subscribers.

When folks opt-in, they’re taken to this page:

https://www.example.com/lists/?p=subscribe&id=1

I’d like to redirect them to a custom page here:

https://www.example.com/welcome

I tried to 301 from /lists/?p=subscribe&id=1 to /welcome, but this won’t work. I presume this is because of the characters after /lists/.

And, I can’t 301 from /lists to /welcome because /lists is the first portion of the unsubscribe page as well.

Is there a way I can 301 from the full address above with REGEX? Or is there another way to get folks to a custom page, without editing PHPlist's code base?

Thanks!
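An added example, not from the original post: an Apache mod_rewrite rule that matches on the query string. It assumes the site runs Apache with mod_rewrite enabled and .htaccess overrides permitted in the document root (the post does not name the web server).

```apache
RewriteEngine On

# Send the PHPlist subscribe confirmation page to the custom welcome page.
# RewriteRule only ever sees the path, so the query string is matched in a
# RewriteCond. The unsubscribe page (p=unsubscribe) fails the condition and
# is left alone.
RewriteCond %{QUERY_STRING} ^p=subscribe&id=1$
RewriteRule ^lists/?$ /welcome? [R=301,L]
```

In a .htaccess file at the document root the leading slash is stripped before the pattern is tested, hence `^lists/?$`; in httpd.conf the pattern would be `^/lists/?$`. The trailing `?` on the substitution discards the original query string so the visitor lands on `/welcome` rather than `/welcome?p=subscribe&id=1` (the `[QSD]` flag does the same on Apache 2.4). If the parameters may arrive in either order, replace the single condition with two: `RewriteCond %{QUERY_STRING} (^|&)p=subscribe(&|$)` and `RewriteCond %{QUERY_STRING} (^|&)id=1(&|$)`. Because the target is a fixed path and no part of the request is copied into it, the rule cannot be turned into an open redirect.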