I think XSS is a wonderful type of exploit: we can do many things with it, but exploiting it is not always easy. A lot of vulnerabilities are still missed every day because the wrong attack vector was used. In this article, I want to present you with a path to follow that walks you through a short piece of theory before sending you off to my labs to give it a shot and actually apply what you learned. If you enjoyed this article, I would really appreciate it if you shared it with someone who could use it.
XSS, or Cross-Site Scripting, is a vulnerability that occurs because developers do not sanitise user input properly (or encode it before placing it in the page). This may result in a user being able to insert a script into the web page, which then executes with varying degrees of impact.
You may notice I have not talked about JS up to this point, and this is because XSS can occur in any scripting language, such as ASP or the infamous Flash (which arguably had more holes than Swiss cheese). However, JS is by far the most widely used scripting language, so XSS vulnerabilities are found most often in JS.
Let's look at a small example. This page takes user input and displays it directly on the page:
<?php
// Deliberately vulnerable: whatever arrives in ?q= is echoed into the page
// without any encoding, so the browser parses it as HTML.
if(isset($_GET['q'])){
    echo $_GET['q'];
}
?>
<form>
<label for="q">CheeseBook:</label><br>
<input type="text" id="q" name="q" value="Search..."><br>
<input type="submit" value="Submit">
</form>
This code would allow the user to insert the following code into the query field:
<script>alert()</script>
You can find this code over at https://hackxpert.com/labs/RXSS/GET/01.php?q=<script>+alert()</script>
This is the most basic example of XSS; however, you must know that it is not very impactful yet. Raising the impact of our XSS attacks is a whole other chapter, but we need to take it slow and first establish the presence of an attack vector before we can exploit it further. Now that you know what a basic XSS attack looks like, let's explore a bit further.
XSS can occur in different contexts. I am only touching on a few here, but know that there are many more out there, such as hidden inputs, HTML comments, JS template literals, etc.
An example of a JS template literal injection would be the following code:
<div id=div></div>
<script>
// Deliberately vulnerable: the request parameter is dropped straight into a
// backtick-delimited string, so any ${...} expression inside it is evaluated.
var message = `0 search results for <?php echo $_GET['test']?>`;
document.getElementById('div').innerText = message;
</script>
<form>
<input id=test name=test>
<input type=submit value=search>
</form>
Because the string is delimited by backticks (`), it is what is known as a JS template literal: any ${...} expression inside it is evaluated as JavaScript, so there is no need to break out of the string at all. This can be dangerous, as we can insert the following code to make an alert pop up:
${alert()}
Don't pay too much attention to this though; I just wanted to give you an example of a strange context that not everyone might think about. You can find this lab over at https://hackxpert.com/labs/RXSS/GET/90.php
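As an added example (my own code, not the lab code from the article), here are the two sinks shown above in PHP, each next to a hardened version that encodes for the context the input lands in; the function names are assumptions of mine. The self-check at the bottom shows why the context matters: htmlspecialchars() returns ${alert()} unchanged, so HTML encoding alone does nothing for the template-literal sink.

```php
<?php
// Added example, not the article's lab code. Function names are my own.

// Vulnerable HTML-body sink (as in the first lab): input echoed unencoded.
function render_results_vulnerable(string $q): string {
    return '<p>Results for: ' . $q . '</p>';
}

// Hardened for the HTML body context: & < > " ' become entities, so
// <script>alert()</script> is shown as text instead of being parsed as a tag.
function render_results_safe(string $q): string {
    return '<p>Results for: ' . htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Vulnerable JS sink (as in the second lab): input dropped inside a template
// literal, where ${...} is evaluated and a stray ` \ or </script> also breaks it.
function render_message_vulnerable(string $q): string {
    return '<script>var message = `0 search results for ' . $q . '`;</script>';
}

// Hardened for the JS string context: json_encode() emits a double-quoted JS
// string literal (inside which ${...} is plain text, never interpolated) and the
// HEX flags turn < > & ' " into \uXXXX so </script> cannot close the block early.
// Non-ASCII characters (including U+2028/2029) are \u-escaped by default.
function render_message_safe(string $q): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $js = json_encode($q, $flags);
    if ($js === false) {
        $js = '""'; // invalid UTF-8: emit an empty string rather than the raw input
    }
    return '<script>var message = "0 search results for " + ' . $js . ';</script>';
}

// Quick self-check when run from the command line: php this_file.php
if (PHP_SAPI === 'cli') {
    $htmlPayload = '<script>alert()</script>';   // payload from the first lab
    $jsPayload   = '${alert()}';                 // payload from the second lab
    echo render_results_vulnerable($htmlPayload), PHP_EOL;
    echo render_results_safe($htmlPayload), PHP_EOL;
    // Wrong tool for the job: HTML encoding leaves the JS payload intact.
    if (htmlspecialchars($jsPayload, ENT_QUOTES, 'UTF-8') === $jsPayload) {
        echo 'htmlspecialchars() leaves ${alert()} unchanged', PHP_EOL;
    }
    echo render_message_vulnerable($jsPayload), PHP_EOL;
    echo render_message_safe($jsPayload), PHP_EOL;
}
```

The safe JS variant deliberately switches from a backtick template literal to a double-quoted string built by json_encode(), because there is no PHP encoder that makes raw interpolation into a template literal safe.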