
XSS Attack

In this practical, students will learn how to perform a standard XSS attack on a vulnerable web app called bwapp. They will input HTML tags like <b> and <script> into reflected GET and POST fields to trigger pop-ups and manipulate the page. Specifically, entering <script>alert('hacked')</script> into the GET fields causes an alert box to appear, demonstrating a successful XSS attack. The document recommends validating special characters and using a specific charset to help prevent XSS vulnerabilities.

Uploaded by

Tarik Ameziane

Practical DAY 6

In this practical we will learn how to perform a standard XSS attack using html-based queries that we will
send back to the vulnerable web app. For this practical we will use our bwapp vulnerable VM. Start the
machine, log in to the web app and select Cross-site-Scripting — Reflected GET challenge.

Once the webpage for the challenge opens we will see two input fields. We will start by placing our
names or any other data in these fields and observe the URL after we submit the data. Here we can see
that both values we entered are now shown in the URL in the web browser's address bar. The fact that the
value of a variable is now a part of the URL is an indicator that we can input unexpected values for a
variable and inject JavaScript code.
So we can now try and write some basic HTML syntax into the fields in the page and check the behavior of
this web app:
<b>student
xss

If we look at the output on the screen we can see that the first name value (student) is displayed in bold
letters and that in the URL we can find the HTML code <b>. The fact that the app actually accepted and
rendered the HTML code, instead of rejecting it or displaying it as plain text, is a clear sign that we
can execute code through these fields.

As we already know that the fields will accept entries containing < and > characters, instead of the bold
tag we will now inject a <script> tag into the field.

<script>alert( 'hacked' )</script> (you can put this in one or both fields)
As you can see the web page displayed a pop up window with the exact text that we wrote!

2. Cross-site-Scripting — Reflected (POST)

Once again, log in to the web app and select the Cross-site-Scripting — Reflected (POST) challenge.
Following the steps above and the methodology we learned so far, create an XSS on the web page.
Write the code you used to cause the app to display a window.
Now please choose Cross-site-Scripting — Reflected (POST) from the drop-down menu and click Hack.
Now we can try the same kind of input again, with the first name as <b>Anshuman</b> and the last name as Pattnaik.
As you can see, we got the same output as with GET: the first name is printed in bold letters.
So let's try to inject a <script> tag and see what happens.
As you can see, it shows the first name value Anshuman in an alert dialog box. So here these two input
fields are XSS vulnerable.
Note
There are two things to do to prevent XSS in both GET and POST:
First step: Always do a proper validation of the special characters in an input field.
Second step: Use a <meta> tag with charset ISO-8859-1 on your web pages.
<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
Doing so reduces the number of possible forms of script injection. So it's good
to follow the above steps.
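
The two steps in the note, as an added example in Python (not part of the original practical and not bWAPP's code). It goes beyond the note by also HTML-encoding every value at output time, which is what makes the browser display the practical's test strings as text; the function names, the allow-list pattern and the error message are assumptions.

```python
import html
import re
import unicodedata

# Assumed policy for a name field: starts with a letter, then letters,
# spaces, apostrophes, dots or hyphens, 64 characters at most.
NAME_RE = re.compile(r"[^\W\d_](?:[^\W\d_]|[ '.\-]){0,63}")


def validate_name(value):
    """Step 1: return the normalized name, or None if it fails the allow-list."""
    value = unicodedata.normalize("NFC", value.strip())
    return value if NAME_RE.fullmatch(value) else None


def render_welcome(firstname, lastname):
    """Build the reflected fragment; each value is HTML-encoded on output."""
    first, last = validate_name(firstname), validate_name(lastname)
    if first is None or last is None:
        return "<p>Please enter a valid first and last name.</p>"
    # html.escape turns & < > " ' into entities, so markup is shown as text.
    return "<p>Welcome {} {}</p>".format(html.escape(first), html.escape(last))


def render_raw_echo(value):
    """Encoding without validation: the input is displayed literally."""
    return "<p>You entered: {}</p>".format(html.escape(value, quote=True))


def build_response(firstname, lastname):
    """Step 2: return (headers, body bytes) with the charset set by the server."""
    body = render_welcome(firstname, lastname)
    headers = [("Content-Type", "text/html; charset=ISO-8859-1")]
    # Characters outside ISO-8859-1 become numeric references, not raw bytes.
    return headers, body.encode("iso-8859-1", "xmlcharrefreplace")


if __name__ == "__main__":
    # The inputs used in the practical, run through the hardened handlers.
    print(render_welcome("<b>student", "xss"))
    print(render_raw_echo("<script>alert('hacked')</script>"))
    print(build_response("Anshuman", "Pattnaik"))
```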
