XSS (Reflected)
ObjectiveOne way or another, steal the cookie of a logged in user.
Security Level: Low
Low level will not check the requested input, before including it to be used in the output text. Spoiler: ?name=alert("XSS");.

Let's prove
john
as the input.

We can see that our input is being reflected back to us.
Let's provide the following input:
<script>alert(document.cookie)</script>

Security Level: Medium
The developer has tried to add a simple pattern matching to remove any references to "", to disable any JavaScript. Spoiler: Its cAse sENSiTiVE.
Let's check out the source code.

The
<script>
tag is being replaced with empty space using thestr_replace
function.The problem with this function is that it is case sensitive i.e. it will not replace a
<SCRIPT>
tag.This allows us to craft our payload as follows:
<SCRIPT>alert(document.cookie)</SCRIPT>

Security Level: High
The developer now believes they can disable all JavaScript by removing the pattern "<scrip*t". Spoiler: HTML events.
In this level the
<script
pattern itself is removed.Let's check the source code to see how this has been implemented.

The developer has used the
preg_replace
function.However, we can still use HTML events in order to trigger the alert.
For our payload we can use the
<img onerror>
attribute as follows:
<img src=1 onerror=alert(document.cookie)>

Last updated
Was this helpful?