Part 4 Reflected XSS JS context Demo
Hello and welcome to the Cybrary Secure Coding Course. My name is Sonny Wear, and this is the OWASP Top 10 for 2013.
A3 Cross-Site Scripting Demo
This is the demo for reflected cross-site scripting, using the JavaScript context to actually manipulate the URL.
Now, as you go to this particular page, which is located under A1 Injection (Other),
when you take a look at the page, it really doesn't look like there's any kind of input being done or any way to inject malicious script into this page.
But if you take a look at the URL, you will notice that there is actually a page that's being requested, followed by another parameter, which is username, and that has a value right now of anonymous.
So what we want to do is we want to turn on Burp Suite, and we want to intercept the request that's going to this page. In order to get this to work, go ahead and spider this particular website,
and how you can do that is you go ahead and add in where your Mutillidae is running: the IP address and the port.
And then you go over to the site map, you make sure that your requested items are being shown in the site map, and then you can just right-click and spider this host.
So once you do that, you should be able to properly intercept the request.
So we have an interception now, and how you generate this is just by going over to the menu and selecting that item, and it will intercept that.
So I want to go ahead and send this request over to the Repeater so that we're able to send the same request over and over again without having to go through the menu.
So since we have this, we can go ahead and turn our interceptor off, go back to the Repeater and go ahead and send our request using this Go button; that gives us our response.
So, in order to see where we could possibly inject our malicious code, let's go ahead and manipulate our username parameter here. Instead of anonymous, I'm actually gonna put my name in all capitals and send that request,
and then we're gonna search for that string, and it has this string that gets displayed.
So the next thing we want to do is, we can see that our same string comes back to us, but we're still not sure if the programmer has put in any kind of output encoding. And so how we can test that is, if we actually wrap special characters around this particular value that we're injecting in here, and see if they actually return back to us. So I'm gonna put a less-than sign, I'm going to add a function-like string, and how about some comments, and then an ending HTML tag.
And so when I send that request and I look for my match, I can see that those same characters get displayed back to me. So this reassures me that no output encoding is being done by the programmer in his program.
So, knowing this information, what I want to do is begin to create my payload and put my payload in this username parameter's position.
Now, how I want to go about it is, I really need to study this. Starting, of course, with this string: I've got to end this string first. So let's go ahead and start our payload building.
So we know we need to end that string, and then we need to go ahead and address this ending try block. The try block is going to end with a catch statement.
So how we can do this is, we could actually mimic this try block right here. Okay, and so we could just copy this, paste it here, go ahead and end that catch block. Right, grab this.
And so now we are ready for the actual payload. So let me go ahead and end that with a semicolon.
So now, for our payload, I'm just going to put the term "injected", just so that I can reassure myself that it's actually coming through on the response properly before I actually do the attack.
And then the last thing that we want to do is remember that we're actually trying to replace all of this, so this may not be complete, but I'm gonna go ahead and click Go and look at my response.
Okay, and so I can see that my statement is ending properly. This string is being ended with the quote, and then I have my semicolon. I have my ending catch block. I have the opening curly brace, closing curly brace. I have my payload of alert("injected").
However, there's a problem. And the problem is that I still have this remaining catch block. So this was the original catch block, and so I need to put a try statement in there in order to complete that catch block. And so I need to add that into my request.
So let me go ahead and do that. I'm gonna put my try, my curly brace, and I need to put something that handles the start of that string. Remember that it started with the quotes, and so I'm just going to put the letter a, equals, and then a beginning string.
So that should enable me to properly close off everything. Let's go ahead and run this and we can test it out.
The try/catch block is being properly closed. I have my payload. In this case, I'm just reflecting back a string, but of course, in a real attack, you would actually inject your malicious script to do something behind the scenes. And then I start my try block.
And yes, the string is properly started and ended. Of course it does nothing; what this try block does is then close off this remaining catch block. So I think my payload is ready.
I'm gonna go ahead and take this and copy that, send it over to the Decoder, and go ahead and encode that as URL.
Go back to the Proxy, send in my request, paste in my URL-encoded payload, and I have been successful in injecting my malicious script.