XSS (Cross-site Scripting)
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
For more details: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
There are three types of XSS:
- Reflected: The payload is directly reflected back in the response.
- Stored: The payload may be reflected directly in the response, but more importantly it is reflected again when you come back to this page or visit another page. The payload is stored in the backend of the application.
- DOM-based: The payload is not reflected back in the page. It gets executed dynamically when the browser renders the page.
Use the basic payload and you should be able to get an alert box.
In the second example, some filtering is involved. If you play with and , you can see that they are filtered by the web developer. So we try and to bypass the filter.
Now there is more filtering, which seems to block your previous payload. If you play with it a bit more, you can still get the alert box.
Payload: <img src=x onerror=alert(1)>
We use the <img> tag directly with the onerror event.
Here, the <script> tag is accepted and gets reflected back. But when you try to inject a call to alert, the PHP script stops its execution. The problem seems to come from a filter on the word alert. So we use the word “prompt” instead of the word “alert”.
This time, you won’t be able to use special characters, since they are HTML-encoded on output. So the payload has to be written to fit the existing code correctly, without relying on them.
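The filters met in the examples above are keyword blacklists (strip the script tag, refuse the word alert), and the last example hints at the real fix: HTML-encoding on output. The following added example (not from the original page or its lab) models such a blacklist as a hypothetical blacklistFilter and compares it with contextual HTML-entity encoding on the page's own payloads; the sample inputs are constructed here.

```javascript
// Hypothetical blacklist filter modelled on the behaviour described above:
// strip <script> tags and refuse any input containing the word "alert".
function blacklistFilter(input) {
  if (/alert/i.test(input)) {
    return null; // the server refuses the request outright
  }
  return input.replace(/<\/?script[^>]*>/gi, "");
}

// Contextual output encoding for an HTML text context: every character
// that could open or close markup becomes an entity, so the browser
// renders it as text instead of parsing it as a tag.
function htmlEncode(input) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return String(input).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Crude detector: does the fragment still contain an element start tag?
// Good enough for the constructed samples; not a general HTML parser.
function containsActiveMarkup(html) {
  return /<[a-z][^>]*>/i.test(html);
}

// Constructed sample inputs, taken from the payloads discussed on this page.
const SAMPLES = [
  "<script>alert(1)</script>",     // basic payload: caught by the blacklist
  "<img src=x onerror=alert(1)>",  // no <script>, but "alert" is refused
  "<img src=x onerror=prompt(1)>", // passes the blacklist untouched
];

// Returns whether each defence still lets live markup reach the page.
function evaluate(input) {
  const filtered = blacklistFilter(input);
  return {
    blacklistLeaksMarkup: filtered !== null && containsActiveMarkup(filtered),
    encodedLeaksMarkup: containsActiveMarkup(htmlEncode(input)),
  };
}

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), evaluate(s));
}
```

The blacklist needs a new rule for every synonym (prompt for alert, img for script), while encoding neutralises all three inputs with the same one-line transformation.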
Now we will try to run the script inside the <form … > tag. So we first need to get through the directory, and then we add the payload.
Here is a DOM XSS vulnerability. We just need to add our payload after the “#” and refresh the page.