XML External Entity (XXE) injection is a specific type of vulnerability that occurs when an XML parser insecurely processes external entity references within an XML document. Unlike standard XML injection, which often results in logic-based issues, XXE significantly expands the attack surface, poten...
Challenge Overview Source: BUUCTF Platform Objective: Retrieve the flag value. Approach The challenge presents a web page with minimal visible content. The URL carries a query parameter ?id=1, which suggests a SQL injection entry point to test (a parameter name alone does not prove the flaw; the probes below confirm it). Determining Injection Type First, test whether...
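The probing steps the writeup starts here can be reproduced offline. The block below is an added example, not the challenge's own backend: it stands up a hypothetical sqlite3 table, splices the `id` value into the query the way a vulnerable page does, and runs the two classic first probes (a boolean pair `AND 1=1` / `AND 1=2`, and a stray quote to see whether the parameter is numeric or string-quoted). The parameterized variant is included so the same probes can be shown to fail against a correct implementation.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the challenge's database.
    The schema and rows are hypothetical; the page does not show them."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "hello"), (2, "world")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """The ?id= value is concatenated into the SQL text (numeric injection)."""
    sql = f"SELECT title FROM news WHERE id = {raw_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, raw_id):
    """Bound parameter: the value is compared as data, never parsed as SQL.
    sqlite3 applies INTEGER affinity, so '1 AND 1=1' simply matches nothing."""
    sql = "SELECT title FROM news WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (raw_id,))]


def probe_boolean(fetch, base="1"):
    """Boolean-based probe. Injection is indicated when the plain request
    and the always-true variant return the same data while the always-false
    variant returns nothing."""
    normal = fetch(base)
    true_case = fetch(f"{base} AND 1=1")
    false_case = fetch(f"{base} AND 1=2")
    return bool(normal) and true_case == normal and false_case == []


def probe_quote(fetch, base="1"):
    """Error-based probe to decide the injection type. A lone quote breaking
    the statement means the value sits unquoted in the SQL (numeric context);
    a safe implementation just returns no rows."""
    try:
        fetch(f"{base}'")
    except sqlite3.OperationalError:
        return "numeric-injectable"
    return "not-injectable"


def run_probes():
    """Run both probes against the vulnerable and the safe lookup."""
    conn = make_db()
    vuln = lambda v: lookup_vulnerable(conn, v)
    safe = lambda v: lookup_safe(conn, v)
    return {
        "vulnerable": (probe_boolean(vuln), probe_quote(vuln)),
        "safe": (probe_boolean(safe), probe_quote(safe)),
    }


if __name__ == "__main__":
    print(run_probes())
```

Against the vulnerable lookup the boolean pair diverges and the quote triggers a syntax error, which is exactly the evidence the writeup is looking for before moving on to UNION or blind extraction; against the bound-parameter version both probes are silent.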
Preventing XSS (Cross-Site Scripting) Caution with safe and mark_safe When Django templates render variables, they escape HTML by default to prevent script injection. Using the safe filter or mark_safe() function disables this protection. Example: # Backend code from django.utils.safestring import m...
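To show concretely what `safe` / `mark_safe()` switches off, here is an added example (not the page's Django snippet and not Django itself): a tiny renderer that imitates Django's autoescaping, a `mark_safe` marker type, and a `format_html`-style helper. The attacker comment string is constructed for the demonstration. The point it makes is that marking user data safe to keep "rich text" hands the attacker raw HTML, whereas escaping the user parts first and trusting only the surrounding markup keeps both the layout and the protection.

```python
import html


class SafeString(str):
    """Marker type the renderer trusts and does not escape.
    Imitates django.utils.safestring.SafeString; stand-alone, not Django."""


def mark_safe(value):
    """Imitates django.utils.safestring.mark_safe: disables escaping."""
    return SafeString(value)


def escape(value):
    """Imitates django.utils.html.escape: &, <, >, " and ' become entities.
    The result is marked safe because it is now inert."""
    return SafeString(html.escape(str(value), quote=True))


def render(template, **context):
    """Minimal autoescaping template: {{ name }} is escaped unless the value
    carries the SafeString marker, mirroring Django's default behaviour."""
    out = template
    for name, value in context.items():
        rendered = value if isinstance(value, SafeString) else escape(value)
        out = out.replace("{{ " + name + " }}", str(rendered))
    return out


def format_html(fmt, *args):
    """Imitates django.utils.html.format_html: escape every argument, then
    mark only the assembled markup as safe."""
    return mark_safe(fmt.format(*(escape(a) for a in args)))


# Constructed attacker-controlled input, e.g. a submitted comment.
USER_INPUT = '<img src=x onerror="alert(1)">'


def render_default():
    """Default: autoescape neutralises the payload."""
    return render("<p>{{ comment }}</p>", comment=USER_INPUT)


def render_mark_safe_misuse():
    """The anti-pattern from the page: mark_safe on user data re-enables XSS."""
    return render("<p>{{ comment }}</p>", comment=mark_safe(USER_INPUT))


def render_format_html():
    """Correct way to emit developer markup around user data."""
    block = format_html('<p class="comment">{0}</p>', USER_INPUT)
    return render("{{ block }}", block=block)


if __name__ == "__main__":
    for fn in (render_default, render_mark_safe_misuse, render_format_html):
        print(f"{fn.__name__}: {fn()}")
```

The same rule applies to the template-side `|safe` filter: it is a promise that the value already is HTML you control, so it must never sit on a variable that carries user input, even indirectly through a stored field.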
HTML Frontend Construction Deploy Apache web server and verify functionality via loopback address. Create authentication interfaces within the web root directory. <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Secure Portal<...
Cross-Site Scripting (XSS) is a widespread web application vulnerability enabling attackers to inject malicious client-side scripts into web pages viewed by other users. These scripts execute in the victim's browser, potentially leading to data theft, session compromise, or defacement. XSS Classific...
Promotional web pages, such as those for claiming red packets, coupons, voting, or lotteries, are designed to offer random rewards to users. However, malicious actors can exploit direct API calls to manipulate outcomes, creating unfair advantages over legitimate participants. Securing Login Credenti...
What is the Same-Origin Policy? The Same-Origin Policy was introduced by Netscape in 1995 for web browsers. Initially, it meant that script running in webpage A could not read content belonging to webpage B (its cookies or its document) unless the two pages were "same-origin." Same-origin is defined as having the same protocol, domain, and p...
Overview of Server-Side Request Forgery Server-Side Request Forgery (SSRF) is a security vulnerability where an attacker can induce a server-side application to make requests (typically HTTP) to a destination of the attacker's choosing, including internal hosts and cloud metadata endpoints that the attacker cannot reach directly. This flaw typically arises when an application fetches a remote resou...
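The usual defence for the "fetch a remote resource" case is to validate the destination before connecting, on the resolved IP address rather than on the hostname string. The block below is an added example, not code from the page: it rejects non-HTTP schemes and userinfo tricks, resolves the host, and refuses any address that is not globally routable, including IPv4-mapped IPv6 forms. The DNS table and all hostnames and addresses are constructed so it runs offline; a real deployment would substitute `socket.getaddrinfo` for the resolver and check every address it returns.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline. Addresses are illustrative.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],          # ordinary public host
    "metadata.internal": ["169.254.169.254"],         # cloud metadata service
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],  # one public, one private
}

ALLOWED_SCHEMES = {"http", "https"}


def is_public(addr_text):
    """True only for globally routable unicast addresses.
    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped so it cannot smuggle
    a loopback or RFC 1918 address past the IPv4 checks."""
    addr = ipaddress.ip_address(addr_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def resolve(host):
    """Stand-in for socket.getaddrinfo using the constructed table."""
    if host not in FAKE_DNS:
        raise ValueError(f"cannot resolve {host}")
    return FAKE_DNS[host]


def validate_fetch_url(url, resolver=resolve):
    """Return the single public IP the client should connect to, or raise.
    Returning the pinned IP matters: the HTTP client should connect to it
    (sending Host: <hostname>) so a second lookup cannot rebind to an
    internal address between the check and the connection."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")  # blocks host@evil tricks
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IPv4 / IPv6
    except ValueError:
        addrs = resolver(host)  # hostname, possibly multiple records
    for addr in addrs:
        if not is_public(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return addrs[0]


def check_all(urls):
    """Classify a batch of candidate URLs; returns url -> pinned IP or reason."""
    results = {}
    for url in urls:
        try:
            results[url] = validate_fetch_url(url)
        except ValueError as exc:
            results[url] = f"blocked: {exc}"
    return results


SAMPLE_URLS = [  # constructed test inputs
    "http://images.example.com/a.png",
    "http://127.0.0.1:8080/admin",
    "http://[::1]/",
    "http://[::ffff:127.0.0.1]/",
    "http://169.254.169.254/latest/meta-data/",
    "http://metadata.internal/",
    "http://rebind.attacker.test/",
    "http://images.example.com@127.0.0.1/",
    "file:///etc/passwd",
]

if __name__ == "__main__":
    for url, verdict in check_all(SAMPLE_URLS).items():
        print(f"{url:45s} -> {verdict}")
```

Two caveats the check does not cover on its own: redirects must be re-validated hop by hop (a public host can 302 to an internal one), and the validation must run on the same addresses the client actually connects to, which is why the function returns a pinned IP rather than a yes/no.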