Hi guys, I would like to share my knowledge and findings in the area of Cyber Security/Ethical Hacking. In this article I will be sharing an offensive approach to finding and executing Cross Site Scripting (XSS) vulnerabilities in a web application.

1. Some Basics

WHAT is XSS? Cross Site Scripting is a type of code injection attack in which malicious code is injected into a page so that the browser runs it as script.

TYPES of XSS: Reflected, Stored and DOM based. I am not going into details on Stored and DOM based XSS; this article takes a broader look at the Reflected type of XSS attack!

So let's get started!

2. Tools: Burp Suite & Firefox browser

3. Bring it on:

Step 1: Make sure to connect your browser to the Burp Suite proxy (I connected Firefox, as it does not block XSS script execution the way Chrome does).

On the Firefox end this should look like this:

Step 2: Load the site URL in the browser; you will notice the traffic coming from that domain specifically. Burp Suite's Intercept tab will capture that request:

Step 3: Locate your target (domain/URL) in the Target tab and click on it; the right column of Burp Suite's Target tab should display all the request types for it.

Step 4: Now we have to sort all the requests by "Params". This is where things get interesting: the majority of XSS are executed through the params.

Step 5: Here we have to be a bit creative and sort out the requests which carry the same params; after sorting, we send the chosen request to the Repeater tab:

Step 6: The request added to the Repeater tab will contain some parameters (single or multiple). We are currently operating on GET requests, but I am sure the approach to POST will be similar with this methodology.

Step 7: We have to add custom text to each parameter. Here we have two parameters, name & submit; we add some random text to each, just to see how it gets reflected in the page source code.

Step 8: We find out which of the parameters is reflected directly in the response. Here "batman1" is reflected back in the response. However, there is a catch: it is enclosed in an HTML tag, i.e. <center>:

Step 9: The name parameter is now ready to take our XSS payload, as it is being reflected in the source code; we have to close the <center> HTML tag and then put our JS script there.

</center><script>alert('XSSbyJAI')</script>

We will use the above payload in the name parameter so that it breaks out of the <center> HTML tag and executes the simple alert JavaScript code.

Step 10: Enter the payload and observe the source code. If the source code is not filtering out the payload and reflects it as is, then there is an XSS vulnerability (reflected type):
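
The check done by eye in Steps 7 to 10 (is the probe echoed back, is it encoded or raw, and which element encloses it) can be written down as a small script. The following is an added example, not code from the original article or from Burp Suite: the response bodies, the probe value and the element names are constructed stand-ins for what Repeater shows, and the same functions can be pointed at your own application's responses as a regression check.

```python
"""Reflection check behind Steps 7-10 (added example, not from the article).

Given a response body and the probe value sent in a parameter, report whether
the probe came back at all, whether it came back byte-for-byte ("raw", the
Step 8 situation) or HTML-encoded ("escaped"), and which element encloses a
raw hit (the <center> tag in the article).
"""
import html
import re

# Start/end tag tokenizer: group 1 is "/" for end tags, group 2 the tag name,
# group 3 is "/" for self-closing syntax such as <br/>.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9-]*)[^>]*?(/?)>")
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}


def enclosing_tag(body, position):
    """Walk the markup before `position` and return the innermost open tag."""
    stack = []
    for match in TAG_RE.finditer(body, 0, position):
        is_end, name, self_closing = match.group(1), match.group(2).lower(), match.group(3)
        if is_end:
            if name in stack:
                # Pop back to the matching start tag (tolerates missing end tags).
                while stack and stack.pop() != name:
                    pass
        elif not self_closing and name not in VOID_TAGS:
            stack.append(name)
    return stack[-1] if stack else None


def classify_reflection(body, probe):
    """Return (kind, tag) describing how `probe` comes back in `body`.

    kind is "raw" (probe present unchanged), "escaped" (only an HTML-encoded
    form is present) or "absent"; tag is the element enclosing a raw hit.
    """
    idx = body.find(probe)
    if idx != -1:
        return "raw", enclosing_tag(body, idx)
    encoded_forms = (html.escape(probe, quote=True), html.escape(probe, quote=False))
    if any(form != probe and form in body for form in encoded_forms):
        return "escaped", None
    return "absent", None


# Probe: the article's marker plus the characters an HTML encoder must
# neutralise, so "raw" and "escaped" are distinguishable. Constructed value.
PROBE = "batman1<\"'>"

# Constructed responses standing in for the Repeater output in Step 8.
RAW_RESPONSE = "<html><body><div><center>Hello " + PROBE + "</center></div></body></html>"
ESCAPED_RESPONSE = "<html><body><center>Hello " + html.escape(PROBE) + "</center></body></html>"
CLOSED_TAG_RESPONSE = "<html><body><center>Hi</center><br/><p>" + PROBE + "</p></body></html>"
ABSENT_RESPONSE = "<html><body><center>Hello visitor</center></body></html>"


def run_demo():
    """Classify each constructed response; returns a dict of label -> (kind, tag)."""
    samples = {
        "raw": RAW_RESPONSE,
        "escaped": ESCAPED_RESPONSE,
        "closed_tag": CLOSED_TAG_RESPONSE,
        "absent": ABSENT_RESPONSE,
    }
    return {label: classify_reflection(body, PROBE) for label, body in samples.items()}


if __name__ == "__main__":
    for label, (kind, tag) in run_demo().items():
        print(f"{label:>10}: {kind:<8} enclosing tag: {tag}")
```

Only the "raw" result is the Step 10 situation; an "escaped" result means the application encoded the special characters, and the element name tells you which tag a payload would have to close first, exactly the <center> observation from Step 8.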

Step 11: For this step we just need to run this request in our browser; for that we can right click in the Repeater tab's Request section and select the "Response in Browser" option.

Copy the URL and run it in the Firefox browser; make sure to turn Intercept off in Burp Suite!

This will result in a reflected XSS attack, which many of you are familiar with:

So, what happened here?

It is simple: the parameter was not filtered properly, so its value was placed into the source code as is; it then took the malicious payload from us and placed that into the source code too.
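
To make the root cause concrete, here is an added example (not the target application from the demo) of a handler that behaves the way the article describes next to the standard fix. The page template, the hostname and the function names are constructed; the payload is the one from Step 9, percent-encoded as a browser would send it in the URL.

```python
"""Root cause and fix for the 'So, what happened here?' explanation.

Added example, not the article's target application.  `render_vulnerable`
reproduces the Step 8 behaviour: the `name` parameter is copied into the
<center> element unchanged, so markup in the value becomes markup in the
page.  `render_fixed` applies HTML output encoding, the standard fix.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page template; the demo application's real markup is not known.
TEMPLATE = "<html><body><center>Hello %s</center><input type=\"submit\"></body></html>"


def name_from_url(url):
    """Extract the first `name` query parameter, percent-decoded like a browser sends it."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_vulnerable(name):
    # Direct interpolation: the client controls part of the markup.
    return TEMPLATE % name


def render_fixed(name):
    # Output encoding for the HTML text context: < > & " ' become entities, so
    # the value is still displayed but cannot close <center> or start <script>.
    return TEMPLATE % html.escape(name, quote=True)


def injected_script_present(body):
    """True if the response carries a <script> start tag; TEMPLATE has none."""
    return "<script" in body.lower()


# Constructed request URL carrying the article's Step 9 payload in the name parameter.
PAYLOAD_URL = (
    "http://app.example/greet?name="
    "%3C%2Fcenter%3E%3Cscript%3Ealert%28%27XSSbyJAI%27%29%3C%2Fscript%3E&submit=Submit"
)


def compare(url):
    """Render the same request both ways; returns (vulnerable_body, fixed_body)."""
    name = name_from_url(url)
    return render_vulnerable(name), render_fixed(name)


if __name__ == "__main__":
    vulnerable, fixed = compare(PAYLOAD_URL)
    print("vulnerable:", vulnerable)
    print("fixed:     ", fixed)
```

For an ordinary value such as "batman1" both handlers produce the same page, which is why the bug is invisible in normal use; only a value containing HTML metacharacters separates the two, and in the fixed version those characters come back as entities that the browser displays rather than parses.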

This was a simple alert script that I executed in my demo, but there could be tons of malicious JavaScript payloads or scripts that can cause far more severe damage, like:

Capture

Scripts that will capture user inputs, save screenshots, take snapshots, etc. Any way to retrieve information related to the user or its behavior.

System

Perform network and system operations from the browser executing the script. From system fingerprinting to network DDoS via portscans and network info collection.

Browsing

Anything that can be used to alter the user's browsing experience, or take over the injected browser. Shells, local storage leaks and corruption, forced downloads, CSRF, token theft and more.

And much more! (Read more about how dangerous XSS is here)

Thanks for reading!

Note: (*) Legal permission from the target is a MUST before pen testing that target. If you don't have one, you can try this one for practice purposes!