Hello and welcome to the Cyber Secure Coding course. My name is Miss Anywhere, and this is OWASP Top 10 for 2013, A3: Cross-Site Scripting, lab and solution. This is the WebGoat reflected cross-site scripting solution, the lab solution for reflected cross-site scripting attacks.
Now, the lesson says it's always good practice to validate all input on the server side. Cross-site scripting can occur when unvalidated user input is used in an HTTP response. In a reflected cross-site scripting attack, an attacker can craft a URL with the attack script and post it to another website, e-mail it, or otherwise get a victim to click on it.
Now, in this particular lab, what we're going to do is manipulate this table so that instead of having to pay these prices for each item, we set the price to be zero, order a bunch of them, and pay nothing.
This is going to be possible because, as the lesson alluded to, there's no input validation being done on the server side, and there is no output encoding being done in the HTTP response, which means we can pretty much have our way with this whole page. And so, in order for you to better understand how the exploit is done,
I actually have some of the code here from the HTML page. If you right-click, view the page source, and search for certain words, you can basically get this table, and this table is nothing more than those shopping items. So here's the Studio laptop, a notebook case, a notebook, another notebook, and a service plan, and then you can see the different prices for each, et cetera. These are what we're going to set to zero: the prices become zero, and the quantity becomes a lot, like 100,000 items.
Basically, we're looking for the tag name of table data, and that is what you see here that I just showed below from the page source. And we're going to actually look for the dot, because the dot has the dollar amount on it. We're going to instead set that to a price of zero, and then we're also going to look for input. We're actually going to set the value for the quantity from one to 100,000.
Okay, and so that's how the script is going to work. So you'll go ahead and copy this, and we're going to exploit this three digit access code.
I did have an alert there to let you know that something is happening. And so, as you can see, we've successfully changed the price to zero for each of the items, and we've also increased our quantity to 100,000 of each, and we are not getting charged anything on our credit card.
Now, if you wanted to preserve the original credit card number, you can play around with the script some more. But this basically provides the main basis for understanding the lesson. And of course, we've gotten credit for this.
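As an added example (not WebGoat's own code and not from this walkthrough), here is a constructed mock of the way the three digit access code field gets reflected into the response, beside a hardened version that applies the two controls the lesson names: server-side input validation and HTML output encoding. The page template, function names and sample input are assumptions made for the illustration.

```python
import html
import re

# Constructed stand-in for the part of the response that echoes the
# access code field back to the user (hypothetical; not WebGoat's markup).
PAGE_TEMPLATE = "<p>Your access code is {code}</p>"

# The field is defined as exactly three digits, so that is the whole
# allow-list for server-side validation.
ACCESS_CODE_RE = re.compile(r"[0-9]{3}")


def render_vulnerable(access_code: str) -> str:
    """Reflects the submitted value into the HTML response unchanged.

    No validation and no output encoding: whatever the user typed (or was
    tricked into submitting via a crafted URL) runs as part of the page.
    """
    return PAGE_TEMPLATE.format(code=access_code)


def validate_access_code(access_code: str) -> bool:
    """Server-side input validation: accept only three ASCII digits."""
    return ACCESS_CODE_RE.fullmatch(access_code) is not None


def render_hardened(access_code: str) -> str:
    """Validates first, then HTML-encodes before reflecting.

    Encoding is applied even to a value that passed validation, so the
    response stays safe if the validation rule is ever loosened.
    """
    if not validate_access_code(access_code):
        return "<p>Invalid access code: expected exactly three digits.</p>"
    return PAGE_TEMPLATE.format(code=html.escape(access_code, quote=True))


def contains_active_content(response_html: str) -> bool:
    """Crude response check: did a raw <script tag survive into the page?"""
    return "<script" in response_html.lower()


# Constructed sample input: the classic alert probe used in the lesson.
SAMPLE_INPUT = "<script>alert('xss')</script>"

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_INPUT))
    print("hardened:  ", render_hardened(SAMPLE_INPUT))
    print("hardened:  ", render_hardened("123"))
```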