Lab: Reflected XSS into HTML context with nothing encoded
Last updated
This lab contains a simple reflected cross-site scripting vulnerability in the search functionality.
To solve the lab, perform a cross-site scripting attack that calls the alert function.
XSS / Cross-Site Scripting: a way of getting malicious script into a page served by a trusted site, so that it runs in the browsers of other users with that site's origin. In the stored form it might be a comment under a blog post that looks like normal text but actually contains a script; any other user who loads that page runs the script as it was written.
In this lab the vulnerability is reflected instead: the malicious script is placed in the request URL, and the server echoes it straight back into the HTML of the response.
As you can see here, the site provided by the lab contains a search box for users, so let's try it out.
I searched for "test", and this is what I got. The interesting part is the URL.
You can see that it follows this template:
We're going to trigger an alert by putting a script in the request URL. I'm going to do it using Burp Suite.
This is the plain GET request to the server; notice the ?search=test part we talked about earlier. That is where we're going to sneak an alert script in. Here's a helpful Stack Overflow post about writing a basic JavaScript alert:
I'm going to put this alert script into the search parameter of the request URL, then forward it:
As you can see above, our script worked. Because the search term is inserted into the HTML with nothing encoded, the browser parses our <script> tag as real markup. Any other user who opens this URL, or whose browser sends this request to the server, will run the script we wrote and get the alert: EXPLOITED. Note that this is only a demonstration; a real-world payload would run with the same access to the site, and could target your credentials and privacy.
And that's how we can finish this lab. Alternative ways:
You don't have to use Burp Suite. You can just type the script into the browser's address bar yourself:
You can also type the script directly into the search box.
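To make the "nothing encoded" part concrete, here is an added example (my own code, not the lab's or PortSwigger's) that simulates the search page both as the lab renders it and as it should be rendered, and adds the reflection probe a practitioner would run before choosing a payload. The HTML template, the base URL `https://example.lab` and the `zxq` canary markers are constructed stand-ins; the lab's real markup is not reproduced here.

```python
"""Reflected XSS into HTML context: vulnerable vs. fixed rendering, plus a probe.

Added example, not the lab's own code. The template strings are constructed
stand-ins for the lab's search page.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# The payload used in the write-up above.
PAYLOAD = "<script>alert(1)</script>"

# A canary wrapped in unusual markers (assumed, not from the lab): after one
# request we can read back exactly which characters survived encoding.
CANARY = "zxq<\"'>zxq"


def render_search_vulnerable(term: str) -> str:
    """Reflects the user-controlled term straight into an HTML text context."""
    return f"<section><h1>0 search results for '{term}'</h1></section>"


def render_search_fixed(term: str) -> str:
    """Same page, but the term is HTML-entity-encoded before it hits the page."""
    safe = html.escape(term, quote=True)
    return f"<section><h1>0 search results for '{safe}'</h1></section>"


def build_attack_url(base: str, payload: str) -> str:
    """Build the GET URL the victim would open, percent-encoding the payload.

    Percent-encoding only protects the URL syntax; the server decodes it
    again, so what lands in the HTML is the raw payload.
    """
    return f"{base}/?search={quote(payload, safe='')}"


def handle_request(url: str, render) -> str:
    """Simulate the server: pull ?search= from the URL and render the page."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    term = params.get("search", [""])[0]
    return render(term)


def reflected_unencoded(response: str, payload: str) -> bool:
    """True when the payload appears byte-for-byte in the response body."""
    return payload in response


def reflection_report(response: str, marker: str = "zxq"):
    """Return the text between the two canary markers as the server sent it.

    For the vulnerable page this is the raw <"'> ; for the fixed page it is
    the entity-encoded form. None means the canary was not reflected at all.
    """
    start = response.find(marker)
    if start < 0:
        return None
    end = response.find(marker, start + len(marker))
    if end < 0:
        return None
    return response[start + len(marker):end]


if __name__ == "__main__":
    base = "https://example.lab"  # assumed stand-in for the lab host
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("fixed", render_search_fixed)):
        probe = handle_request(build_attack_url(base, CANARY), render)
        attack = handle_request(build_attack_url(base, PAYLOAD), render)
        print(f"{name}: canary came back as {reflection_report(probe)!r}; "
              f"payload reflected raw: {reflected_unencoded(attack, PAYLOAD)}")
```

Send the canary first: if `<`, `"` and `'` all come back untouched inside an HTML text context, the `<script>` payload from the write-up will work; if they come back as `&lt;`, `&quot;` and `&#x27;`, the page is encoding its output and you would need a different injection context, not a different tag.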