..
We can select the categories of the movie and the web app will the name of the movies but if you look at the URL there is genre=action specified that could be vulnerable to injection let’s check
Error
* genre=’)]/password | a[contains(a,’
* genre=’) or contains(genre, ‘
* genre=’) or not(contains(genre, ‘teck’) and ‘1’=’2
these are the few conditions which we can use, although it is difficult to crack the Xpath field level until we know the detail of xml like this syntax value, genre, password these are xml fields.
genre=’)]/password | a[contains(a,’
genre=’) or contains(genre, ‘
Twitter / Hack The Box / CTF Team / Teck_N00bs Community Telegram
Comments