Part 1: XSS Exploitation and Code Analysis

Today, I'll solve the XSS challenges from the "Web For Pentesters" vulnerable app and analyze the code behind what we see. Let's start...Example 1:What does the code above do? It GET's the parameter "name" and echoes it back to the user. Also. we will not see any input sanitization on this example, so our XSS payload will look like this:<script> alert('1st example')</script>  Example 2:In this example, the code does exact the same thing as the first one. The only difference in this one is the sanitization. The input has been defined inside the brackets and will be replacing it. Our payload will look like this:<ScripT>alert('ex2')</ScripT>  Example 3:The above code does exact what the second one does. In this one, the developer also sanitizes the capital letters. Our payload will look like this:<sc<script>ript>alert('ex3')</sc</script>ript>  Example 4:This code is absolutely different from the rest. In this one, any use of the word script capital or not, will kill the application. Our payload must not have the word script inside. Our payload will look like this:<h1><font color=blue>ex4</h1><img src=" " onerror=alert('ex4')/> 

---

That's it for now. Stay tuned for more posts in the future...