XSS (Reflected)
Objective: One way or another, steal the cookie of a logged-in user.
The low level does not check the requested input before including it in the output text. Spoiler: ?name=alert("XSS");.
Let's provide john as the input.
We can see that our input is being reflected back to us.
Let's provide the following input:
The developer has tried to add simple pattern matching to remove any references to "<script>", to disable any JavaScript. Spoiler: It's cAse sENSiTiVE.
Let's check out the source code.
The <script> tag is being replaced with an empty string using the str_replace function.
The problem with this function is that it is case sensitive, i.e. it will not replace a <SCRIPT> tag.
This allows us to craft our payload as follows:
The developer now believes they can disable all JavaScript by removing the pattern "<scrip*t". Spoiler: HTML events.
In this level the <script pattern itself is removed.
Let's check the source code to see how this has been implemented.
The developer has used the preg_replace function, which matches the pattern case-insensitively.
However, the filter only looks for script tags, so we can still use HTML event handler attributes to trigger the alert.
For our payload we can use the onerror attribute of an <img> tag as follows:
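The three levels above differ only in how they try to blacklist the input before reflecting it. The following Python script is an added example (not code from the write-up or from the vulnerable application) that models each filter on the same set of constructed inputs and contrasts them with the actual fix, output encoding for the HTML text context. The medium filter mirrors the case-sensitive str_replace described above; the high filter's regular expression is an assumption that reproduces the described behaviour (case-insensitive removal of the <script pattern), not the page's exact expression. Input the page does not discuss is not included.

```python
import html
import re

# Constructed sample inputs for the "name" parameter: a benign name plus the
# three shapes of input the write-up discusses (a script tag, an upper-cased
# script tag, and an image tag carrying an event-handler attribute).
SAMPLES = {
    "benign": "john",
    "script": '<script>alert("XSS");</script>',
    "script_upper": '<SCRIPT>alert("XSS");</SCRIPT>',
    "img_event": '<img src="x" onerror="alert(1)">',
}


def filter_low(name: str) -> str:
    """Low level: the input is reflected untouched."""
    return name


def filter_medium(name: str) -> str:
    """Medium level: a literal, case-sensitive replace of '<script>' (str_replace)."""
    return name.replace("<script>", "")


# Assumption: the high level strips the '<script' pattern regardless of case.
# The exact regular expression is not given on the page; this stand-in only
# reproduces the behaviour described there.
_SCRIPT_TAG = re.compile(r"<script", re.IGNORECASE)


def filter_high(name: str) -> str:
    """High level: case-insensitive removal of the '<script' pattern (preg_replace)."""
    return _SCRIPT_TAG.sub("", name)


def encode_fixed(name: str) -> str:
    """The fix: encode for the HTML text context instead of blacklisting.

    html.escape turns & < > " and ' into entities, so whatever the user sends is
    rendered as literal text and can never open a tag or an attribute.
    """
    return html.escape(name, quote=True)


def still_contains_markup(fragment: str) -> bool:
    """True if the reflected fragment still contains something a browser would parse as an opening tag."""
    return re.search(r"<\s*[a-zA-Z]", fragment) is not None


STAGES = {
    "low": filter_low,
    "medium": filter_medium,
    "high": filter_high,
    "fixed": encode_fixed,
}


def evaluate() -> dict:
    """For each stage, list the sample keys whose output still carries an opening tag."""
    return {
        stage: sorted(key for key, value in SAMPLES.items() if still_contains_markup(fn(value)))
        for stage, fn in STAGES.items()
    }


if __name__ == "__main__":
    for stage, leaking in evaluate().items():
        print(f"{stage:7s} still reflects markup for: {leaking or 'none'}")
```

Each blacklist leaves at least one of the discussed inputs intact, while the encoded output never contains a raw "<". In the PHP the application is written in, the equivalent of encode_fixed is htmlspecialchars($name, ENT_QUOTES, 'UTF-8') applied at the point where the value is echoed into the page; the encoding, not the filtering, is what removes the reflected XSS.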