Effect of XSS
Suppose you are the victim and I am the attacker. You are logged in to Facebook, so you do not need to enter your password to open your account. Now suppose Facebook is vulnerable to XSS. I create an XSS payload like this:
and execute this payload on Facebook; it looks like this:
(?s is the search parameter in the URL.) If I send this link to you and you click on it, the script executes in your browser, copies your Facebook login cookie and sends it to allabouthack.com. As the admin of that site, I can open its log page, see your cookie, and use it to log in to your Facebook account without a username or password.
We will look at different XSS payloads for each type of XSS (reflected, stored and DOM). Let's continue with reflected XSS.
DVWA Medium Security Reflected XSS
Open DVWA, change the security level from low to medium, then click on Reflected XSS.
Now enter the script we used at low security:
You can see two things happening here at medium security:
1.) At medium security there is a filter in the web application that blocks our opening <script> tag. Because of that our payload is broken: the closing tag is still there, but the opening tag has been removed.
2.) Our payload is again inside the HTML <pre> tag.
To get around this and execute our payload we need to understand what our options are.
1.) We need to bypass the filter for the <script> tag, because it is blocked. There are many methods, such as encoding or creating a payload that does not require <script>; in a real scenario we would have to try all of them.
2.) Otherwise we have to create a payload that works even inside the HTML tag, or craft the payload so that it executes outside the HTML tag.
In real life you should find out exactly what is blocked: is "script" blocked as a plain word, or only as the tag <script>? Apart from this, which characters are blocked, such as < > ; / ' "? Enter each of them one by one and see which are reflected and which are blocked. Doing this gives you an idea of how to craft your payload manually to bypass the filter or whatever else is in the way.
Let's solve this DVWA medium-security level like a real-life scenario.
In the screenshot of the source code above you can see that our input sits inside a pre tag, which is closed after our input. What if we close the pre tag ourselves by putting </pre> in the search box? Let's try it: enter the following payload,
</pre><script>alert(1)</script>, submit it and view the page source.
You can see that we were able to close the pre tag, but our opening script tag is still blocked.
There is one more pre tag after our payload, at the end, but it does not matter because we have already closed the pre tag first. Closing the pre tag makes no difference now that our opening script tag is blocked, so let's create a payload that does not require the opening script tag; with the method above you can then execute your payload outside the HTML tag.
For OWASP there is no single link because they have many cheat sheets; search Google for "OWASP XSS cheat sheet" and you will find them.
Now we need an XSS payload without a script tag. Let's build one with the img tag and add its src attribute, so it becomes <img src= . The img tag adds an image to the page, and src is the location where the image is stored. For our payload we do not want to add an image; we only want the img tag to execute our script, so src should be anything except a real image, for example <img src=0 . You can replace 0 with any number or string, such as hello. Because src is supposed to hold the address of the image to display and we are giving it an unknown value, it will produce an error/broken image.
Now we add our script, which is onerror=alert(1)>. This means: if there is an error, show a pop-up saying 1. So our full payload looks like this:
<img src=0 onerror=alert(1)>
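To see from the defender's side why a blocklist filter like the one above fails and what fixes it, here is an added example (not DVWA's code and not part of the original post). It models the medium-level behaviour described on this page as a filter that only strips the literal opening <script> tag, puts the proper fix next to it (contextual output encoding with html.escape), and runs the three payloads shown on this page through both to check which ones still reach the browser as live markup. The names weak_filter, safe_encode, render and evaluate are assumptions of this example.

```python
import html
import re

# Inputs taken from the payloads shown on this page, plus one benign value (constructed).
PAYLOADS = {
    "benign": "hello world",
    "script": "<script>alert(1)</script>",
    "close_pre": "</pre><script>alert(1)</script>",
    "img_onerror": "<img src=0 onerror=alert(1)>",
}

# Recognise markup that would run script once parsed as HTML:
# an opening <script ...> tag, or any tag carrying an on* event-handler attribute.
SCRIPT_OPEN_RE = re.compile(r"<\s*script\b", re.IGNORECASE)
EVENT_HANDLER_RE = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE)


def weak_filter(user_input: str) -> str:
    """Blocklist filter modelled on the behaviour the page describes (assumption):
    only the literal opening <script> tag is removed, everything else passes."""
    return user_input.replace("<script>", "")


def safe_encode(user_input: str) -> str:
    """Contextual output encoding for an HTML text context: every < > & " ' becomes
    an entity, so the browser renders the input as text instead of parsing it."""
    return html.escape(user_input, quote=True)


def render(name_value: str, sanitizer) -> str:
    """Reflect the value inside the <pre> wrapper the page shows, after sanitising."""
    return f"<pre>Hello {sanitizer(name_value)}</pre>"


def would_execute(sanitized: str) -> bool:
    """True if the sanitised string still contains markup a browser would run."""
    return bool(SCRIPT_OPEN_RE.search(sanitized) or EVENT_HANDLER_RE.search(sanitized))


def evaluate(sanitizer) -> dict:
    """Map each payload name to whether it survives the given sanitiser as live markup."""
    return {name: would_execute(sanitizer(payload)) for name, payload in PAYLOADS.items()}


if __name__ == "__main__":
    for label, sanitizer in (("weak_filter", weak_filter), ("safe_encode", safe_encode)):
        print(f"--- {label} ---")
        for name, survives in evaluate(sanitizer).items():
            print(f"{name:12s} executes={survives}  page={render(PAYLOADS[name], sanitizer)!r}")
```

With the weak filter, both script-tag payloads are broken exactly as the page describes (a stray </script> is left behind, but nothing runs), while the img/onerror payload passes untouched and executes. With output encoding, none of the four inputs produces live markup, and the rendered page shows the payload as literal text. Note that html.escape is the right fix only for an HTML text or quoted-attribute context; a value reflected into a JavaScript string, a URL or an unquoted attribute needs the encoding for that context instead.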