Web for Pentester-1 XSS Solutions

XSS (Cross-site Scripting)

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

For more details, see https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

There are three types of XSS:

  • Reflected: The payload is directly reflected back in the response.
  • Stored: The payload can be reflected back directly in the response but will more importantly be reflected back in the response when you come back to this page or to another page. The payload is stored in the backend of the application.
  • DOM-based: The payload is not reflected back in the page. It gets executed dynamically when the browser renders the page.

Example 1:

Use the basic payload and you should be able to get an alert box.

Example 2:

In the second example, some filtering is involved. If you play using and , you can see that they are filtered by the web developer. So we try and to bypass the filter.

Example 3:

Now there is more filtering, which seems to block the previous payload. If you experiment a bit more, you can get the alert box.

Example 4:

Here, the developer decided to block the word "script". But there are a lot of other ways to get JavaScript to run.

Payload = <img src=x onerror=alert(1)>

We use the <img> tag directly with the onerror event handler.

Example 5:

Here, the <script> tag is accepted and gets reflected back. But when you try to inject a call to alert, the PHP script stops its execution. The problem seems to come from a filter on the word "alert". So we use the word "prompt" instead of the word "alert".
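Examples 2 to 5 all fail the same way: each filter looks for one token (the <script> tag, the word "script", the word "alert") and the winning payload is simply valid HTML that does not contain that token. The following is an added example (demonstration code, not PentesterLab's filter) that models those blacklists as assumed shapes, runs the write-up's own payloads through them, and compares the result with plain HTML output encoding, which has no token list to dodge.

```javascript
// Added example for Examples 2 to 5; demonstration code, not PentesterLab's.
// Filter shapes are assumed from the write-up's description (the real PHP is
// not on the page). Returning null stands for "stop execution", as in Example 5.
const BLACKLISTS = {
  stripScriptTag:   s => s.replace(/<\/?script>/g, ''),   // Example 2 style: drop the literal tag
  rejectScriptWord: s => (/script/i.test(s) ? null : s),   // Example 4: refuse the word "script"
  rejectAlertWord:  s => (/alert/.test(s) ? null : s),     // Example 5: refuse the word "alert"
};

// The fix for the HTML body context: encode the characters that can change
// HTML structure, without trying to recognise "bad" tags or names.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Page template standing in for the lab's  echo "Hello " . $_GET['name']
function renderGreeting(name, encoder) {
  const value = encoder(name);
  return value === null ? null : `<p>Hello ${value}</p>`;
}

// Does the reflected value still contain a tag of its own? The wrapper is fixed,
// so any tag inside it came from the input. A structural check for this demo,
// not a full HTML parser.
function containsActiveMarkup(page) {
  const body = page.replace(/^<p>Hello /, '').replace(/<\/p>$/, '');
  return /<[a-z][^>]*>/i.test(body);
}

// The payloads named in the write-up (Examples 1, 4 and 5).
const PAYLOADS = [
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '<script>prompt(1)</script>',
];

// For each encoder, list the payloads that are still live markup after encoding.
function auditEncoders() {
  const encoders = { ...BLACKLISTS, escapeHtml };
  const report = {};
  for (const [name, enc] of Object.entries(encoders)) {
    report[name] = PAYLOADS.filter(p => {
      const page = renderGreeting(p, enc);
      return page !== null && containsActiveMarkup(page);
    });
  }
  return report;
}

console.log(auditEncoders());
```

Each blacklist lets at least one of the page's own payloads through unchanged, while escapeHtml leaves an empty list: the encoded text still reads "<img src=x onerror=alert(1)>" on screen, but it is data, not markup.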

Example 6:

To get your alert box, you will not need to inject a script tag; you will just need to correctly complete the pre-existing JavaScript code and add your own payload.

Example 7:

This time, you won't be able to use special characters, since they will be HTML-encoded. So we should complete the existing code correctly instead.
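In Examples 6 and 7 the value lands inside an existing <script> block, in a string literal such as var name = '<value>'; The HTML parser never runs on script text, so HTML entity encoding is the wrong tool there: it corrupts the data and, if the encoder leaves the single quote alone (an assumption for this demo; the write-up does not show the PHP), a quote in the input ends the literal and whatever follows becomes code. Below is an added example, not the lab's code, that shows the mismatch and the context-correct encoder; new Function is used only to compile the demo's own output and check that the literal still holds the original value.

```javascript
// Added example for Examples 6 and 7; demonstration code, not PentesterLab's.

// Assumed Example 7 behaviour: HTML-encode < > & " but not the single quote.
function escapeHtmlNoQuote(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
                  .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Vulnerable: wrap the HTML-encoded value in single quotes.
function htmlOnlyLiteral(s) {
  return `'${escapeHtmlNoQuote(s)}'`;
}

// Fixed: build a real JavaScript string literal. JSON.stringify escapes quotes,
// backslashes and control characters; the extra replacements escape the
// characters that could close the <script> element or matter to the HTML
// parser, plus the two line terminators JSON allows but JS string literals
// historically did not.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The inline script the page would emit, returned as source text.
function renderScript(value, literalFn) {
  return `var name = ${literalFn(value)};\nreturn name;`;
}

// Compile the emitted script and check that the literal still holds the
// original value. A parse failure is the benign symptom of a broken literal;
// a completed statement is what Example 6 turns it into.
function checkRendering(value, literalFn) {
  const src = renderScript(value, literalFn);
  try {
    const result = new Function(src)();
    return { src, parses: true, roundTrips: result === value };
  } catch (e) {
    return { src, parses: false, roundTrips: false, error: e.name };
  }
}

// Constructed inputs: an ordinary name with an apostrophe, markup, a newline.
const INPUTS = ["O'Reilly", '</script><b>x</b>', 'line1\nline2'];

for (const v of INPUTS) {
  console.log(JSON.stringify(v),
              'html-only parses:', checkRendering(v, htmlOnlyLiteral).parses,
              'round-trips:', checkRendering(v, htmlOnlyLiteral).roundTrips,
              '| js-literal round-trips:', checkRendering(v, jsStringLiteral).roundTrips);
}
```

The apostrophe in a perfectly legitimate name is enough to break the HTML-only version, and the markup case shows that even when the script parses, the page now holds "&lt;/script&gt;" instead of the user's text. Encoding for the JavaScript string context fixes both.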

Example 8:

Now we will try to run the script inside the <form …> tag. So we first need to get through the directory, and then we add the payload.

Example 9:

Here is a DOM XSS vulnerability. We just need to add our payload after the "#" and refresh the page.
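What makes Example 9 DOM-based is that the server never sees the fragment after "#": client-side script reads it (a source) and writes it into the page (a sink), and the fix lives in the sink. As an added example, not the lab's code, here is a small line-by-line taint heuristic that flags source-to-sink flows in JavaScript source text, run over two constructed snippets that model what the write-up describes (the vulnerable innerHTML version and a textContent fix); the lab's real page script is not on this page.

```javascript
// Added example for Example 9; demonstration code, not PentesterLab's.
// Sources are where untrusted URL data enters; sinks are where a string is
// interpreted as HTML or code. The scanner is a heuristic, not a parser.
const SOURCES = ['location.hash', 'location.search', 'document.URL', 'document.referrer'];
const SINKS = ['innerHTML', 'outerHTML', 'insertAdjacentHTML', 'document.write', 'eval('];

function findDomSinkFlows(js) {
  const tainted = new Set();   // variables assigned from a source (plain identifiers only)
  const findings = [];
  const mentionsTaint = text =>
    SOURCES.some(src => text.includes(src)) ||
    [...tainted].some(v => new RegExp('\\b' + v + '\\b').test(text));

  js.split('\n').forEach((line, i) => {
    // `var x = <expr>` / `x = <expr>`: x becomes tainted if expr carries taint
    const assign = line.match(/^\s*(?:var|let|const)?\s*([A-Za-z_]\w*)\s*=\s*(.+)$/);
    if (assign && mentionsTaint(assign[2])) tainted.add(assign[1]);

    // a sink on this line fed by a source or a tainted variable is a finding
    const sink = SINKS.find(k => line.includes(k));
    if (sink && mentionsTaint(line)) {
      findings.push({ line: i + 1, sink, text: line.trim() });
    }
  });
  return findings;
}

// Constructed: what Example 9's page script is described as doing.
const VULNERABLE_SNIPPET = [
  "var name = decodeURIComponent(location.hash.slice(1));",
  "var el = document.getElementById('greeting');",
  "el.innerHTML = 'Hello ' + name;",          // HTML parser runs on the fragment
].join('\n');

// Constructed fix: same flow, but the sink treats the value as text.
const FIXED_SNIPPET = [
  "var name = decodeURIComponent(location.hash.slice(1));",
  "var el = document.getElementById('greeting');",
  "el.textContent = 'Hello ' + name;",        // no parser, the value stays data
].join('\n');

function auditExample9() {
  return {
    vulnerable: findDomSinkFlows(VULNERABLE_SNIPPET),
    fixed: findDomSinkFlows(FIXED_SNIPPET),
  };
}

console.log(JSON.stringify(auditExample9(), null, 2));
```

The vulnerable snippet produces one finding (line 3, sink innerHTML); the fixed one produces none, because textContent is not on the sink list: it assigns text and never invokes the HTML parser, so nothing in the fragment can become an element. The same scanner applied to a broader pattern, such as a variable copied from location.search into document.write, reports that flow too.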

That’s all…
