As you know webpages use HTML code and render it to show you its function like if there is an HTML coding for the form which takes username and password then browser take the coding and show you the output which is created from that code and doesn’t show you the code.
Every Html code has this two sign < > and tags which is just a function or command which tell the browser that what it is supposed to do like it’s a tag which tells the browser that it’s an image tag there could be an image. some common tag you should know
one thing to remember every tag start like this <h1> and end with </h1> with this / sign tag is closed and other function or code after that is different. there are some tag that doesn’t have end tag to end them they use the same start-tag to end it like input tag <input> <input>
there is some attribute in Html which comes under the tag, one tag could have soo many attributes. Like this <input type=’text’ value=’xyz’ <input>
type and value are the attributes for input tag and text and Xyz is the value for those attributes.
If it starts with a single quote mark (‘) it must end with (‘) same if it starts double quote (“) the same ending should be (“).
So let’s look at another vulnerable website for this I am using DVWA in my local machine which is vulnerable web app for practice. If you have DVWA installed open it in your browser and select the Reflected XSS ( low Security)
DVWA Low Security Reflected XSS
Once you open the Dvwa reflected xss you will see and input option enters anything like a hacker. you can see when you submit your input it reflect back to your page.
Why reflecting is very important for this kind of XSS if it’s reflecting that means there should be an Html code for this reflected input, for example, we entered hacker and submit it to the server and server reply it back and show you search query in hacker in your browser and browser show which it gets from server as an HTML coding then our search query hacker should in the HTML code.
Now right click on the browser and click view page source and press ctrl+f and search your query which is hacker, you will see that server gave a response to the browser as an HTML and server has included our search hacker as an HTML tag inside a pre tag
1. web application is vulnerable to XSS.
You can join our telegram channel for free ebooks and other updates. You can follow us on Twitter and Instagram.
Share it If you like it