
In this write-up I will explain how I was able to turn a self-XSS into a stored XSS in a JSP application.


While searching the web archive for JSP files belonging to the target, I found a file named common.jsp that returns the visitor's IP address. As anyone would, I tried to see whether I could control that value through headers such as X-Forwarded-For, and fortunately I could.


But that is only a self-XSS, so I needed a way to make it stored, for example by getting the response cached. I tried a few things, such as a cache-key query string and cache deception (common.jsp/css.css), but none of them worked.


Luckily, while thinking about how to do that, I remembered that Java has a feature called path parameters, so I checked whether I could use one to put .css at the end of the URL and trick the proxy into caching the response.

GET /folder/common.jsp;mahdi.css HTTP/1.1
Host: target.com 
X-Forwarded-For: <svg/onload=alert(document.domain)>

The backend returns the content of the page plus the XSS payload, because it treats everything after the semicolon as a path parameter.

The proxy caches the response based on the end of the URL, as if it were a CSS file.
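As an added example that is not part of the original write-up, the check below models the mismatch described above: the origin strips the `;` path parameter before resolving the resource, while a naive cache rule keys on the raw URL's trailing extension. It is the sort of check a defender can run over their own cache rules; the static-extension list, the standard servlet path-parameter behaviour and the sample URLs are assumptions.

```python
"""Model of the cache/origin path-parsing mismatch behind this write-up.

Added example, not code from the original post. Assumptions: the origin is a
servlet container that strips ';name=value' path parameters from each path
segment (standard servlet behaviour), and the cache decides "static" purely
from the raw URL's trailing extension.
"""
from urllib.parse import urlsplit

# Extensions a typical CDN/proxy rule treats as cacheable static assets.
STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".gif", ".svg", ".woff"}


def origin_resource_path(path: str) -> str:
    """Resolve the path the way the servlet container does: everything after
    ';' in each segment is a path parameter, not part of the resource name."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def has_static_extension(path: str) -> bool:
    """Extension check on the last path segment only."""
    last = path.rsplit("/", 1)[-1]
    dot = last.rfind(".")
    return dot != -1 and last[dot:].lower() in STATIC_EXTENSIONS


def classify_request(url: str) -> dict:
    """Compare what a naive cache rule sees with what the origin will serve.

    A 'cache_key_mismatch' means the cache would store the response as a
    static asset while the origin actually ran dynamic (header-reflecting)
    code for it: the condition that lets reflected input become stored.
    """
    raw_path = urlsplit(url).path            # urlsplit keeps ';...' in .path
    origin_path = origin_resource_path(raw_path)
    cache_static = has_static_extension(raw_path)      # naive rule: raw URL
    origin_static = has_static_extension(origin_path)  # safe rule: resolved path
    return {
        "raw_path": raw_path,
        "origin_path": origin_path,
        "cache_static": cache_static,
        "origin_static": origin_static,
        "cache_key_mismatch": cache_static and not origin_static,
    }


if __name__ == "__main__":
    # Constructed sample URLs: the request shape from the write-up plus two controls.
    for u in ("https://target.com/folder/common.jsp;mahdi.css",
              "https://target.com/folder/common.jsp",
              "https://target.com/static/app.css"):
        print(classify_request(u))
```

A cache rule that applies the extension check to the resolved origin path (the `origin_static` value) instead of the raw URL does not produce the mismatch.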
