Part 1: XSS Exploitation and Code Analysis

July 18, 2016 | Views: 5333

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Today, I’ll solve the XSS challenges from the “Web For Pentesters” vulnerable app and analyze the code behind what we see.


Let’s start…

Example 1:


What does the code above do? It GET’s the parameter “name” and echoes it back to the user. Also. we will not see any input sanitization on this example, so our XSS payload will look like this:
<script> alert(‘1st example’)</script>




Example 2:


In this example, the code does exact the same thing as the first one. The only difference in this one is the sanitization. The input has been defined inside the brackets and will be replacing it. Our payload will look like this:




Example 3:


The above code does exact what the second one does. In this one, the developer also sanitizes the capital letters. Our payload will look like this:




Example 4:


This code is absolutely different from the rest. In this one, any use of the word script capital or not, will kill the application. Our payload must not have the word script inside. Our payload will look like this:
<h1><font color=blue>ex4</h1>


<img src=” ” onerror=alert(‘ex4’)/>



That’s it for now. Stay tuned for more posts in the future…

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Simple and clear. Good job.

Page 2 of 2«12
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?