Part 5 - Discovering XSS

Video Activity

This lesson is about discovering XSS using NMAP, which is a script that posts specifically crafted strings to every form it discovers.


Time
4 hours 20 minutes
Difficulty
Intermediate
CEU/CPE
5

Video Transcription
00:04
>> We've discovered cross-site scripting with Arachni.
00:04
Let's discover some cross-site scripting with NMAP.
00:04
What we're going to do is NMAP dash p80.
00:04
It's telling NMAP to scan port 80
00:04
>> with this script here.
00:04
>> It's dash dash script http-stored-xss.nse.
00:04
Then afterwards you put the target.
00:04
This script will post specifically crafted strings
00:04
>> to every form it discovers.
00:04
>> Let's go check it out.
00:04
>> Here we are in our Kali environment.
00:04
>> We're going to do a test here
00:04
>> for stored cross-site scripting first.
00:04
>> Do NMAP dash p80, so port 80.
00:04
Then we do dash dash script http-stored-xss.
00:04
Then we're going to add the dash,
00:04
dash script-args http spider,
00:04
max page count to 100.
00:04
We're going to then put our target at the end of that.
00:04
Remember we put the script args http spider,
00:04
so that it crawls the web page
00:04
>> and finds all the possible links for it.
00:04
>> We're going to hit "Enter" here
00:04
>> and see what it gets us.
00:04
>> It couldn't find any stored cross-site scripting.
00:04
However, there are some other forms of
00:04
>> cross-site scripting
00:04
>> that can be found and exploited,
00:04
>> such as DOM-based and PHP,
00:04
cross-site scripting as well.
00:04
We're going to run those scans
00:04
and see what we get back from them.
00:04
How we do that is,
00:04
we do the same exact command as we did before,
00:04
except instead of http-stored-xss,
00:04
you're going to put dom-based-xss instead,
00:04
so D-O-M B-A-S-E-D,
00:04
DOM-based and we're going to hit "Enter".
00:04
We get back from DOM-based
00:04
>> and it has found a potential
00:04
>> DOM-based cross-site scripting attack,
00:04
>> which is fantastic.
00:04
We have a potential target page
00:04
here to start trying to craft an attack,
00:04
but is there more?
00:04
Let's check out PHP self
00:04
>> and let's try to run an attack,
00:04
>> well, a check for this type of cross-site scripting.
00:04
Let's see if we get a little bit more back.
00:04
It has found a vulnerable
00:04
>> and exploitable vulnerability here.
00:04
>> If we look down here,
00:04
we can see the page that was used.
00:04
That's the page that was vulnerable.
00:04
You can see that they created a script here
00:04
>> and caused an alert prompt to pop up
00:04
>> with the Number 1 in the alert prompt.
00:04
>> Then they close the script here.
00:04
If you wanted to go manually do this,
00:04
you could go and attempt this exploit yourself
00:04
>> using this proof of concept link,
00:04
>> which is very handy that
00:04
>> they actually give this proof of concept link here.
00:04
>> It shows that this is actually
00:04
vulnerable rather than just
00:04
saying, hey, it's vulnerable.
00:04
They actually show you that it's vulnerable
00:04
>> and show you how to view that it's vulnerable,
00:04
>> which is very handy.
00:04
Let's move on to our next tool.