Part 1: XSS Exploitation and Code Analysis

July 18, 2016 | Views: 5103

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Today, I’ll solve the XSS challenges from the “Web For Pentesters” vulnerable app and analyze the code behind what we see.

 

Let’s start…

Example 1:

ex1

What does the code above do? It GET’s the parameter “name” and echoes it back to the user. Also. we will not see any input sanitization on this example, so our XSS payload will look like this:
<script> alert(‘1st example’)</script>

ex_1

 

 

Example 2:

ex2

In this example, the code does exact the same thing as the first one. The only difference in this one is the sanitization. The input has been defined inside the brackets and will be replacing it. Our payload will look like this:
<ScripT>alert(‘ex2’)</ScripT>

ex22

 

 

Example 3:

ex3

The above code does exact what the second one does. In this one, the developer also sanitizes the capital letters. Our payload will look like this:
<sc<script>ript>alert(‘ex3’)</sc</script>ript>

ex33

 

 

Example 4:

ex4

This code is absolutely different from the rest. In this one, any use of the word script capital or not, will kill the application. Our payload must not have the word script inside. Our payload will look like this:
<h1><font color=blue>ex4</h1>

ex44

<img src=” ” onerror=alert(‘ex4’)/>

ex4_2

 


That’s it for now. Stay tuned for more posts in the future…

Share with Friends
FacebookTwitterLinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterLinkedInEmail
Ready to share your knowledge and expertise?
8 Comments
  1. Simple and clear. Good job.

Page 2 of 2«12
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

 

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel