How to do Cross Site Scripting (Simple tutorial )


XSS (cross-site scripting) is one of the vulnerabilities found in most websites that rely on JavaScript today. The attack originates on the client side and travels to the server: the attacker, who is also an ordinary user of a given web page, executes the cross-site scripting technique. The attacker approaches websites in a random manner; there is no selective target from the attacker's point of view.
XSS injection centres on unhealthy JavaScript through which the attacker can run a malicious script in other users' browsers. These malicious scripts are called payloads.

Requirements for XSS injection:

1. An input field such as a submission form, contact form or a login field.
2. Common XSS payloads containing XMLHttpRequest calls or plain JavaScript or HTML code.
3. A browser with no XSS filters. Firefox is the better choice; Chrome is not recommended because it contains default XSS filters, which are themselves not fully secure.

Guidance for the injection procedure:

Get the commonly used XSS payloads from GitHub. Look for an input field on the website you are testing for an XSS vulnerability and inject your payload into it. If the payload contains a script related to the site's JavaScript or HTML code and it is not filtered, the response comes back with a pop-up embedded by your payload. This is called reflected XSS.

Do end users face any problem from reflected XSS?

Obviously, the answer is yes. If the payload executes perfectly with no interruption, it is easy to run those payloads in other users' browsers, and so we can capture their cookies, such as usernames and passwords. It is not the user's responsibility to stay away from XSS attacks; the problem actually lies on the web page and browser side.

What if the random payload is not executed successfully?

In most cases these random payloads will only give you a chance at reflected XSS, but you can adapt your script to turn it into a successful injection.

This scenario involves analysing the HTML response. First, inject the payload into the field and wait for the response; if the XSS does not trigger, move on to the HTML response for the payload you inserted. For example, in this case I am entering a normal payload:

"><img src=x onerror=prompt(document.domain)>

And the HTML response was:

<input type="text" id="*" name="*" value="">&lt;img img" class="form-control" rel="gp" data-size="20" data-character-set="a-z,A-Z,0-9">

From this we can see that certain characters, such as < and ", are not filtered properly and are reflected in the response. To take advantage of this: XSS can also be done by adding HTML attributes, so if I execute this payload,

" OnMouseOver=prompt(1)

The HTML response was:

<input type="text" id="*" name="*" value="" OnMouseOver=prompt&#40;" class="form-control" rel="gp" data-size="20" data-character-set="a-z,A-Z,0-9">

In this response the brackets () are being filtered. So after removing the brackets from the payload, the response will be:

<input type="text" id="*" name="*" value="" OnMouseOver=prompt`1`" class="form-control" rel="gp" data-size="20" data-character-set="a-z,A-Z,0-9">

And adding a double quote after the equals sign, the response will be:

<input type="text" id="ipn_secret_keygen" name="ipn_secret_keygen" value=""OnMouseOver="alert`1`" class="form-control" rel="gp" data-size="20" data-character-set="a-z,A-Z,0-9">

Looks good. Now I click on the web page and finally a pop-up appears as a result of stored XSS.
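The attribute-context reflection walked through above, shown from the fixing side as an added example (this is not code from the original post or from the site whose responses it quotes): the template that splices the submission into the value attribute is an assumption, the weak filter reproduces only what the responses show (parentheses entity-encoded, < and " passed through), and the remedy is standard attribute-context output encoding via html.escape. A small parser-based check confirms which rendering lets the three payloads on this page escape the attribute.

```python
import html
from html.parser import HTMLParser

# Assumed reconstruction of the page's input element; the untrusted submission
# is spliced straight into the value attribute (not the site's real code).
TEMPLATE = ('<input type="text" id="ipn_secret_keygen" name="ipn_secret_keygen" '
            'value="{value}" class="form-control">')

# Constructed copies of the three payloads from the walkthrough above.
PAYLOADS = [
    '"><img src=x onerror=prompt(document.domain)>',
    '" OnMouseOver=prompt`1`',
    '"OnMouseOver="alert`1`',
]

def render_paren_filter(value: str) -> str:
    """Mimic the weak filter seen in the responses: only ( and ) become
    entities, while " and < are reflected untouched."""
    filtered = value.replace("(", "&#40;").replace(")", "&#41;")
    return TEMPLATE.format(value=filtered)

def render_escaped(value: str) -> str:
    """Correct output encoding for an HTML attribute context: &, <, >, " and '
    are all entity-encoded, so the value can never close the attribute."""
    return TEMPLATE.format(value=html.escape(value, quote=True))

class _Collector(HTMLParser):
    """Record every start tag and attribute name the parser sees."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)

def has_broken_out(rendered: str) -> bool:
    """True if the submission escaped the value attribute: the parser then sees
    a tag other than the template's <input> or an on* event-handler attribute."""
    p = _Collector()
    p.feed(rendered)
    p.close()
    return any(t != "input" for t in p.tags) or any(a.startswith("on") for a in p.attrs)

def audit() -> dict:
    """Map each payload to (breaks out under the weak filter?, under html.escape?)."""
    return {p: (has_broken_out(render_paren_filter(p)),
                has_broken_out(render_escaped(p))) for p in PAYLOADS}

if __name__ == "__main__":
    for payload, (weak, safe) in audit().items():
        print(f"{payload!r}: paren filter breaks out={weak}, html.escape breaks out={safe}")
```

The backtick variants matter because encoding only parentheses leaves `prompt`1`` callable; encoding the quote character is what actually keeps the submission inside the attribute.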

Payload and response credits : Medium

XSS brute force:

This is an alternative to checking for XSS with your payloads one by one: you can test a larger number of payloads at the same time. Start Burp Suite and capture the request for the web page, then identify the input field. Add the field to the interceptor, select your payload list and load it, then forward the request. The tool will perform the injections and show the responses in the attack interface. Find the response with the greatest length, inject that payload into the web page and analyse the result.
