Hi everyone,
In this article, I want to show you some XSS attacks. I hope your lab is ready! If not, just go to this article (https://steemit.com/hack/@pierlave/learn-web-hacking-2-01-xss-lab) and get ready to learn!
For XSS detection, a typical payload would be:
<script>alert(document.cookie);</script>
The alert function will show us a popup box and document.cookie will show us the actual cookie. If the box appears, you know it's vulnerable to XSS attacks.
First demonstration, Reflected XSS
For this demonstration, we will use Mutillidae to show you reflected XSS. Mutillidae has difficulty levels: level 0 is the easiest, and the challenge increases with each level.
Reflected XSS level 0
In Mutillidae, go to OWASP 2017 / XSS / Reflected / DNS Lookup.
In this situation, we have a field where we can input an IP address and see the results of a DNS lookup. You can enter an IP and see the application functioning normally. The goal is to insert some JavaScript code to change the behavior of the application.
To try it, just insert your payload in the field then press Enter. You see the popup box! This page is vulnerable.
You can view the source code by right-clicking and selecting View Page Source.
We see that our code was interpreted by the browser: the special characters were not encoded.
Reflected XSS level 1
Now we can ramp up the difficulty to level 1! We can try the same payload. This time the input field has a character limit, so we can't send our payload from the form! To bypass this, we can start Burp and intercept the request.
You can insert your payload in Burp, then press Forward!
You have now bypassed the character limitation of this application!
Reflected XSS level 5
Time to ramp up again!
This time we can intercept the request with Burp and send the payload again!
The result is "Error: Invalid input!" This is a good example of filtering or encoding special characters.
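To show, from the defender's side, why the level 0 page executes the probe, why the level 1 character limit falls once the request is edited in a proxy, and what the level 5 "Invalid input" filter and output encoding achieve, here is an added JavaScript example. It is not code from this article or from Mutillidae; the function names, the HTML template, the maximum length and the allowlist pattern are assumptions.

```javascript
// Added example (not from the article or Mutillidae): vulnerable reflection
// beside its hardened form. Function names, template, length limit and the
// allowlist pattern are assumptions made for this illustration.

// The detection payload from the article, used here as constructed test input.
const XSS_PROBE = '<script>alert(document.cookie);</script>';

// Level 0 behaviour: the submitted value is concatenated straight into the
// response, so the browser parses the <script> tag and runs it.
function renderLookupVulnerable(hostInput) {
  return '<p>Results for ' + hostInput + '</p>';
}

// HTML entity encoding: every character that can open or close a tag,
// attribute or entity becomes an inert entity, so the text is displayed
// instead of being parsed as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: encode on output, in the HTML text context.
function renderLookupSafe(hostInput) {
  return '<p>Results for ' + escapeHtml(hostInput) + '</p>';
}

// Server-side validation. A maxlength attribute on the form field (level 1)
// is enforced only by the browser and disappears once the request is edited
// in a proxy, so the length check has to be repeated on the server. The
// allowlist accepts only the characters a hostname or IPv4 literal needs.
const MAX_INPUT_LENGTH = 253; // assumed limit: the maximum DNS name length
const HOST_PATTERN = /^[A-Za-z0-9.-]+$/;

function validateHostInput(hostInput) {
  if (typeof hostInput !== 'string' || hostInput.length === 0) return false;
  if (hostInput.length > MAX_INPUT_LENGTH) return false;
  return HOST_PATTERN.test(hostInput);
}

// Request handler combining both controls; the error string mirrors the
// message the article reports for level 5.
function handleLookupRequest(hostInput) {
  if (!validateHostInput(hostInput)) return 'Error: Invalid input!';
  return renderLookupSafe(hostInput);
}

console.log(renderLookupVulnerable(XSS_PROBE)); // raw <script> tag reaches the page
console.log(handleLookupRequest(XSS_PROBE));    // Error: Invalid input!
console.log(handleLookupRequest('8.8.8.8'));    // <p>Results for 8.8.8.8</p>
```

Both controls matter: validation rejects input that a DNS lookup never needs, and output encoding protects the page even if some input slips past validation or is rendered from another source later.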
This was a quick look at reflected XSS; in the next article we will cover stored XSS!
Keep learning!
The information provided on hacking is to be used for educational purposes only. The creator is in no way responsible for any misuse of the information provided. All the information provided is meant to help the reader develop a hacker defense attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. The word "Hacking" should be regarded as "Ethical hacking". You implement the information given at your own risk.
Hey @pierlave this is some great content to bookmark.
Thanks, I'm thinking about posting more!