Client-Side on MrAzoth

Clickjacking

Tue, 24 Feb 2026 00:00:00 +0000

Clickjacking

Severity: Medium–High | CWE: CWE-1021 OWASP: A04:2021 – Insecure Design

What Is Clickjacking?

Clickjacking (UI redress attack) overlays an invisible <iframe> of the target site over a fake UI, tricking users into clicking target UI elements while believing they’re interacting with the attacker’s page.

Victim sees: "Click here to win a prize!" button
Reality:     Transparent iframe of target.com/delete-account is positioned
             so the victim clicks the "Confirm Delete" button instead

Impact escalation: clickjacking + CSRF → privileged actions; clickjacking + XSS → cookie theft; clickjacking drag-and-drop → text exfiltration.

CORS Misconfiguration

Tue, 24 Feb 2026 00:00:00 +0000

CORS Misconfiguration

Severity: High | CWE: CWE-942 OWASP: A01:2021 – Broken Access Control

What Is CORS?

Cross-Origin Resource Sharing (CORS) allows browsers to make cross-origin requests. A server opts in by returning Access-Control-Allow-Origin headers. The vulnerability occurs when the server reflects the attacker’s origin, allows null origin, or uses overly broad wildcards — combined with Access-Control-Allow-Credentials: true — letting an attacker’s site read authenticated responses from the victim’s browser.

Normal same-origin: browser blocks cross-origin reads (by default)
CORS misconfigured: server says "yes, attacker.com can read my responses"
                    → attacker.com JS reads victim's authenticated API data

Key rule: Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true is spec-forbidden — browsers reject it. The dangerous case is when the server dynamically reflects a specific origin.

CSRF (Cross-Site Request Forgery)

Tue, 24 Feb 2026 00:00:00 +0000

CSRF (Cross-Site Request Forgery)

Severity: High | CWE: CWE-352 OWASP: A01:2021 – Broken Access Control

What Is CSRF?

CSRF forces an authenticated user’s browser to send a forged request to a target site. The browser automatically includes cookies (session tokens) with same-site requests, so the forged request carries valid authentication. The attacker doesn’t steal credentials — they hijack the session action.

Victim is logged into bank.com (has session cookie)
Attacker sends victim to: evil.com/csrf.html
Page silently submits: POST bank.com/transfer?to=attacker&amount=5000
Browser auto-attaches: Cookie: session=VALID_SESSION
Bank processes it: ✓ authenticated, executes transfer

Conditions required:

DOM Clobbering

Tue, 24 Feb 2026 00:00:00 +0000

DOM Clobbering

Severity: Medium–High | CWE: CWE-79, CWE-20 OWASP: A03:2021 – Injection | A05:2021 – Security Misconfiguration

What Is DOM Clobbering?

DOM Clobbering exploits the browser behavior where HTML elements with id or name attributes become properties on the global window object (and document object). When JavaScript code references window.x or document.x without first defining it, an attacker who can inject HTML can control that reference by injecting an element with id="x".

postMessage Attacks

Tue, 24 Feb 2026 00:00:00 +0000

postMessage Attacks

Severity: High | CWE: CWE-346, CWE-79 OWASP: A03:2021 – Injection | A01:2021 – Broken Access Control

What Are postMessage Attacks?

window.postMessage() enables cross-origin communication between browser windows/iframes/workers. Security issues arise when the receiving message handler:

Fails to validate the event.origin — accepts messages from any origin
Passes event.data to dangerous sinks (eval, innerHTML, location, document.write)
Uses event.source unsafely to send sensitive data back

Attack surface: the handler is JavaScript code — exploitation leads to XSS, open redirect, CSRF, data theft, and iframe communication abuse.

Prototype Pollution (Client-Side)

Tue, 24 Feb 2026 00:00:00 +0000

Prototype Pollution (Client-Side)

Severity: High | CWE: CWE-1321 OWASP: A03:2021 – Injection

What Is Prototype Pollution?

Every JavaScript object inherits from Object.prototype. If an attacker can inject arbitrary properties into Object.prototype, those properties are inherited by all objects in the application — leading to property injection, logic bypass, and XSS.

// Normal:
let obj = {};
obj.admin        // undefined

// After prototype pollution via:
Object.prototype.admin = true;

// Now ALL objects are "admin":
let obj = {};
obj.admin        // true ← inherited from prototype

Attack surface: any function that recursively merges, clones, or sets properties from user-controlled paths like __proto__, constructor.prototype, or prototype.

WebSocket Security Testing

Tue, 24 Feb 2026 00:00:00 +0000

WebSocket Security Testing

Severity: High | CWE: CWE-345, CWE-20, CWE-79 OWASP: A03:2021 – Injection | A07:2021 – Identification and Authentication Failures

What Are WebSocket Attacks?

WebSockets provide full-duplex, persistent connections. Unlike HTTP, WebSocket frames lack built-in CSRF protection, don’t require Content-Type negotiation, and are often less scrutinized for injection. Attack surface: Cross-Site WebSocket Hijacking (CSWSH), injection via WebSocket messages, and authentication bypass.

Upgrade handshake:
GET /chat HTTP/1.1
Host: target.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: https://target.com

→ After upgrade: bidirectional message frames
→ No per-message CSRF protection
→ No per-message authentication header requirement

Discovery Checklist

Find WebSocket endpoints: browser DevTools → Network → WS filter
Check Upgrade handshake — does server validate Origin header?
Test CSWSH: connect from attacker.com — does it use victim’s session cookie?
Replay captured WebSocket messages with modified data (Burp WS Repeater)
Test injection in WebSocket message payloads: XSS, SQLi, CMDi, SSTI
Check authentication: is auth checked at handshake only or per-message?
Test for IDOR in message IDs/room IDs
Test for privilege escalation via message type manipulation
Check if WebSocket messages are reflected (stored XSS via WS)
Test token-based auth: JWT in WS URL or first message — test bypass
Test reconnection — does reconnect revalidate auth?
Test wss:// downgrade to ws:// (cleartext)

Payload Library

Attack 1 — Cross-Site WebSocket Hijacking (CSWSH)

If the server doesn’t validate the Origin header during the WebSocket handshake, an attacker’s page can initiate a WebSocket connection that carries the victim’s session cookie.