Welcome back to the cross-site scripting series. So far we have covered a lot, from basic HTML to stored and reflected XSS, and some methods for building your own payload depending on how the web application behaves. Let's look at the final stored XSS example. After that we will look at the differences between stored and reflected XSS and the different locations where both can be found using more advanced methods such as header XSS and cookie-based XSS, along with basic information about cookies and their security.
Once again I am using my local DVWA for the stored XSS example, but this time at medium security. If you are using DVWA, change your security level to medium.
You will see the same comment box, but this time with more protection. Let's try to understand what happens when you enter something: type anything in both the Name and Message fields, click Sign Guestbook, and your comment will be posted.
Once your comment is posted, right-click and view the page source. Examine the source with all the methods we have looked at so far, then try to create a payload based on what you find.
To find the XSS systematically, check the page source first (see the image above). Many web applications block certain keywords or symbols to prevent XSS attacks, so once you have the source, work out what is allowed by submitting one test at a time: enter "script", submit, and check the source to see whether the script keyword is blocked.
Do the same for the other characters: enter < and check the source to see whether the sign is blocked, then build your payload around what is and is not filtered. In some cases the application allows the word script but blocks <script> </script>. Then you can either use a payload that does not need a script tag, as we saw in the previous article, or try varying the letter case, which sometimes works, like this: <ScrIpt> </sCriPt>.
If you can't figure out the payload for this one, let's solve it together:
First, enter the normal payload as shown in the image above, submit it, and check the page source. You can see that only the <script> </script> tag is blocked. Following the explanation above, there are two ways to bypass it: build a payload that does not require a script tag, or vary the letter case. Let's try changing the case first.
With that payload we still hit the same issue; it looks like the script tag is blocked completely. Let's try something else: this time an img tag, which does not require a script tag.
With the img payload above our script is still not executing, which is exactly why you should use the method I showed earlier and find out what is blocked.
Now let's try the Name field instead of the Message field. Start with a simple script and you will see that you cannot enter more than 7-8 characters, without anything even being sent to the server: the website is checking your input in the browser. That is called client-side validation, which we will cover in the next article on advanced XSS. To bypass a client-side check you will need to set up a proxy with your browser; you can use Burp Suite, and you can read their article on how to configure it.
Once you have configured Burp and your browser, try the attack: enter anything in the Name field and click Sign Guestbook (make sure Intercept is on). You will now see your request to the server in the Burp Suite proxy.
Here you can see your request. The Name field's restriction was enforced by the browser, so now you can bypass it: simply enter your payload here: <img src=a onerror=alert(1)>
Your request will be modified; click Forward.
You will get a pop-up as your payload is executed. We will look at what client-side validation is, how to use Burp Suite and so on in the next article.
A simple tip: it is important to understand the language the web application is written in, such as PHP or Python. Once you know the language, try to figure out or guess the backend code that is preventing your payload from executing. Since it is backend code you cannot see it, so you have to guess. For DVWA you can view the backend code for help and reference: click on Source and you will see the backend code and can understand the protection. In the real world, though, it's about guessing.
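To make the point of the step-by-step checks concrete, here is an added example (not code from this post or from DVWA) that models the kind of filter the page observes, a server-side blocklist that strips only the literal <script> tag, next to proper output encoding, and counts which tags a browser would still parse from each rendered result. The filter, the tag regex and the probe strings are assumptions constructed for this illustration.

```python
import html
import re

# Weak filter of the kind the page describes: remove only the literal
# lowercase "<script>" tag. This is an assumed model of the observed
# behaviour, not DVWA's actual source.
def blocklist_filter(value: str) -> str:
    return value.replace("<script>", "").replace("</script>", "")

# Defensive alternative: encode user input so it renders as text, never as markup.
def encode_for_html(value: str) -> str:
    return html.escape(value, quote=True)

# Opening tags a browser would parse from a rendered string (assumed, simplified).
TAG_RE = re.compile(r"<\s*([a-zA-Z]+)[^>]*>")

def markup_tags(rendered: str) -> list:
    """Return the lowercase names of tags that survive rendering."""
    return [m.group(1).lower() for m in TAG_RE.finditer(rendered)]

# Constructed probes mirroring the page's one-at-a-time checks.
PROBES = [
    "hello",
    "<script>alert(1)</script>",
    "<ScrIpt>alert(1)</sCriPt>",
    "<img src=a onerror=alert(1)>",
]

def compare(probe: str) -> dict:
    """Tags left in the output under each defence, for one probe."""
    return {
        "blocklist": markup_tags(blocklist_filter(probe)),
        "encoded": markup_tags(encode_for_html(probe)),
    }

if __name__ == "__main__":
    for p in PROBES:
        print(repr(p), compare(p))
```

The blocklist leaves the case-varied and img probes as live markup, while the encoded output contains no tags for any probe, which is why output encoding, not keyword blocking, is the fix to look for in the backend code.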