How does Sanctuary interact with “reflected” damage?

Through a peculiar course of events with a touch of homebrew, my cleric got to learn the spell Armor of Agathys. As a regular user of the Sanctuary spell, I wondered how these spells would interact in the following situation:

  1. Casting Sanctuary on myself as soon as the fight starts
  2. Casting Armor of Agathys to add an additional defense
  3. A goblin succeeds on the Sanctuary saving throw and hits me with a melee attack
  4. The goblin takes damage due to Armor of Agathys.

Does the Sanctuary spell end because I cast Armor of Agathys after Sanctuary and the spell affects the goblin when it takes damage?

Would Sanctuary end if I had cast Armor of Agathys 10 mins ago because this dark and shadowy dungeon looked dangerous?

Would Sanctuary break if the damage reflection came from the effect of a racial trait or some kind of spiky enchanted armour?

Is a nonce useless when user input is reflected within an inline script?

I stumbled upon a web app which accepts user input and puts it into a variable within a script tag.

The script tag does have a nonce attribute.


As I am working on bypassing the XSS filter, I had the thought that this practice of reflecting user input within an inline script with a nonce attribute defeats the purpose of using it.

Is my understanding correct, or am I missing something here?
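The defensive point behind the question above: a CSP nonce authorises a whole script element, so it cannot distinguish the page's own statements from user input concatenated into the same element. The protection has to come from encoding the data for the script context instead. The following is an added example, not code from the question or the application it describes; the sample input, the nonce helper and the function names are constructed for illustration.

```python
import html
import json
import secrets

# Constructed sample input (not from the page): tries to close the nonced
# script element and open a second one.
SAMPLE_INPUT = 'x</script><script>alert(1)</script>'


def make_nonce() -> str:
    """Fresh per-response nonce, as a CSP deployment would generate it."""
    return secrets.token_urlsafe(16)


def render_unsafe(nonce: str, value: str) -> str:
    """The pattern from the question: raw user input concatenated into the
    body of an inline script that carries a nonce. The nonce authorises the
    whole <script> element, so anything the input injects runs as trusted."""
    return f'<script nonce="{nonce}">var q = "{value}";</script>'


def js_json_literal(value) -> str:
    """Serialise a value as a JSON literal that is safe inside a script body.
    JSON escapes quotes and backslashes; the extra replacements keep
    '</script' and '<!--' away from the HTML tokenizer. json.dumps already
    escapes U+2028/U+2029 with ensure_ascii=True; the last two replacements
    matter only if that option is turned off."""
    s = json.dumps(value)
    return (s.replace('<', '\\u003c')
             .replace('>', '\\u003e')
             .replace('&', '\\u0026')
             .replace('\u2028', '\\u2028')
             .replace('\u2029', '\\u2029'))


def render_safe_script(nonce: str, value) -> str:
    """Same nonced script, but the data is emitted as an escaped JSON literal."""
    return f'<script nonce="{nonce}">var q = {js_json_literal(value)};</script>'


def render_data_attribute(value: str) -> str:
    """Alternative: keep data out of script bodies entirely. HTML-escape it
    into an attribute and let the page's own script read element.dataset.q."""
    return f'<div id="cfg" data-q="{html.escape(value, quote=True)}"></div>'


def script_closers(markup: str) -> int:
    """Count '</script' occurrences; a correctly encoded script has exactly one,
    a data attribute has none."""
    return markup.lower().count('</script')


if __name__ == '__main__':
    nonce = make_nonce()
    for markup in (render_unsafe(nonce, SAMPLE_INPUT),
                   render_safe_script(nonce, SAMPLE_INPUT),
                   render_data_attribute(SAMPLE_INPUT)):
        print(script_closers(markup), markup)
```

With the sample input, `render_unsafe` produces three `</script` sequences (the injected two plus the template's own), while `render_safe_script` produces exactly one and `render_data_attribute` none; the nonce value is identical in both script variants, which is the point.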

Reflected XSS in form action – understanding

I am trying to learn the basics of web security vulnerabilities.

I have found a website where, on password reset, you get a link in the email with a token, and when you click this link the web page opens and the URL is reflected in a form action. Something like this:

password reset url: https://target.com/token=q123sefgetrt3dfe

and this is how it is reflected:

<form action="https://target.com/toekn=q123sefgetrt3dfe" method="post"> 

Based on this, I am trying to figure out if this can lead to reflected XSS. So in the URL I tried something like this:

https://target.com/token=q123sefgetrt3dfe"/><script>alert(document.cookie)</script> 

so that the form tag is closed, and a script is inserted inside the form.

This is reflected in the form action, but URL-encoded, so quotes are turned into %22 and angle brackets into %3E.

Does this mean that reflected XSS can’t be achieved here? Is the browser encoding this, or must the web page itself be encoding it? Is there a way to bypass it to see if there is a vulnerability?

Ways to exploit a form action value when it’s reflected from the URI on React-Django

I am working on a security testing project, where I have noticed that the form action of a login page takes whatever is fed to the URI as a parameter. The relevant part of the login page is as follows:

<form action="/admin/login/?param=Whateveryouputhere" method="post" id="login-form"> 

Actually, you can even omit the “param”; any value after the question mark will still be reflected. The default value for the param is “/next/”, by the way.

How could an attacker exploit it, especially via XSS? I tried to escape the quotation marks but it failed (they are auto-replaced with URL encodings). Does that mean it is safe?

I have also checked the network tab of the browser; no other related JS files are loaded except the favicon and Magnific Popup.

Finally, the URL is in the form of site.com/admin/login/?param=value

Reflected XSS in a JavaScript URL with some characters blocked

I am new to the field of web security and am practising labs from the PortSwigger Web Security Academy. In this lab, https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-url-some-characters-blocked , we have to call the alert function with 1337 as the parameter.

The solution given on the website is https://your-lab-id.web-security-academy.net/post?postId=5&%27},x=x=%3E{throw/**/onerror=alert,1337},toString=x,window%2b%27%27,{x:%27

The decoded version for reference https://your-lab-id.web-security-academy.net/post?postId=5&'},x=x=>{throw/**/onerror=alert,1337},toString=x,window+'',{x:'

From what I understand, there is a JavaScript statement like var a = "get_params" and we are trying to break out of the string, close the block and execute our own code.

x=x=>{throw/**/onerror=alert,1337} is the arrow function which assigns alert as the global error handler and throws 1337.

toString=x, window+'' assigns x to toString and then forces a string conversion on window. Now, I have two questions:

  1. Why does this work only when I click the "Back to blog" button, in spite of forcing the string conversion on window?
  2. What is the use of the bolded characters in the URL? https://your-lab-id.web-security-academy.net/post?postId=5&'},x=x=>{throw/****/onerror=alert,1337},toString=x,window+'',{x:'

Thanks in advance.

Demonstrating reflected XSS with GET Parameter and URL encoding

A client is developing a website which is vulnerable to reflected XSS through a GET parameter:

https://example.com/vulnerable-url?")||true)alert("XSS");</script> 

I would like to demonstrate this vulnerability by providing a link like the above, but the text contains characters (such as the ") which are URL-encoded by a browser, resulting in an invalid, unexecuted script.
I’ve also found that using a form within HTML to perform a GET request also results in URL encoding of the payload string.

I can, however, use the Burp Suite proxy to make the request without URL encoding, resulting in the script executing.

I would like to demonstrate the script using only a browser available in the client environment. Any ideas on how this could be achieved?

“Reflected XSS”-like attack on chatbot AI

This is a theoretical question. I just watched a video in which the author apparently unmasks a chatbot AI that is likely trying to harvest data and spread influence in a cult-like manner on a given social network. The video is hosted on YouTube: Who or What is Stephanie Lawson Stevens?

What really caught my attention was that at some point one of the investigators, who has an IT background, starts asking the user (who up to that point was just a person, not a supposed AI) some questions and then infers from the answers that it might be an actual chatbot. The video I linked above shows the process.

I’m no specialist in AI at all, but it made me wonder: the AI reads information coming from a text input (the chatbox). Would it be theoretically possible for a user to craft a certain coded message through the chat that, once read by the AI, acts as if a reflected XSS attack had been made on the AI (the same way that people can reflect code that is executed by a victim’s browser)?

In this scenario, if the programming of the AI itself doesn’t include the necessary precautions in sanitizing the text input, the AI might read a snippet of code from the chatbox and end up executing it.

Is this an actual possibility?

Referer value reflected in location response?

I found a login form on a website that redirects you regardless of whether the entered credentials are correct or wrong (302 redirect). I noticed that the value of the Referer: header is copied into the Location: header in the response. So, for example, if Referer is set to https://www.google.com you will be redirected to https://www.google.com. Is it possible to set an arbitrary Referer value via CSRF and redirect other users?
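The three questions above about the password-reset form action, the React-Django login form action and the Referer-derived Location header share one defensive shape: a request-controlled value is reflected into an attribute or header, so the server must (a) restrict where it may point and (b) encode it for the context it lands in. The percent-encoding the first two askers observed (quotes becoming %22, angle brackets becoming %3E) is exactly the second half of that done on the server side. The following is an added example, not code from any of the questions or the applications they describe; the sample values and the function names are constructed for illustration.

```python
import html
from urllib.parse import urlencode, urlsplit

# Constructed sample values (not from the page).
SAMPLE_NEXT = '/admin/"/><script>alert(1)</script>'
SAMPLE_REFERER = 'https://attacker.example/phish'


def is_local_path(target: str) -> bool:
    """True only for a same-origin path: it starts with a single '/', is not
    scheme-relative ('//host' or '/\\host'), contains no whitespace or control
    characters (browsers strip tabs and newlines before parsing, so a slash,
    a tab and another slash would become '//host'), and has no scheme or host."""
    if not target.startswith('/') or target.startswith(('//', '/\\')):
        return False
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    parts = urlsplit(target)
    return parts.scheme == '' and parts.netloc == ''


def redirect_target(candidate: str, default: str = '/') -> str:
    """Value for a Location header (or a 'next' parameter): use the candidate
    only when it is a local path, otherwise fall back to a fixed default.
    Copying a Referer straight into Location skips this check."""
    return candidate if is_local_path(candidate) else default


def form_action(path: str, params: dict) -> str:
    """Build the action attribute: percent-encode each query value, then
    HTML-escape the whole URL for the attribute context. A '"' in a value can
    therefore never close the attribute, and '&' between parameters becomes
    '&amp;' as HTML requires."""
    url = path + '?' + urlencode(params)
    return f'<form action="{html.escape(url, quote=True)}" method="post">'


def attribute_value(markup: str) -> str:
    """Extract the action attribute value from the markup form_action builds,
    so a test can confirm no raw quote or angle bracket survived."""
    start = markup.index('action="') + len('action="')
    return markup[start:markup.index('"', start)]


if __name__ == '__main__':
    print(redirect_target(SAMPLE_REFERER))
    print(redirect_target('/account'))
    print(form_action('/admin/login/', {'next': redirect_target(SAMPLE_NEXT)}))
    print(form_action('/admin/login/', {'next': '/account'}))
```

Note that `SAMPLE_NEXT` survives `is_local_path` (it is a path), so encoding is what keeps it harmless in the attribute; the origin restriction is there for the Location header and for the form's target, where an attacker-chosen host would be the concern rather than markup injection.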

Logitech mouse G300s: the changes in Logitech Gaming Software were not reflected

Problem: changes made in Logitech Gaming Software (i.e. LED color, any button) were not reflected – the mouse still used the original settings.

Solution (in my case): Karabiner-Elements -> Devices -> Modify events from this device -> uncheck G300s Optical Gaming Mouse (Logitech) + uncheck Manipulate LED too.

Note: I spent 2 hours on this, so I hope that this could help somebody who is using Karabiner-Elements.

(macOS Mojave 10.14, Logitech Gaming Software 9.02.22, Karabiner-Elements 12.2.0)