XSS (Reflected)

Objective

One way or another, steal the cookie of a logged in user.

Security Level: Low

Low level will not check the requested input, before including it to be used in the output text. Spoiler: ?name=alert("XSS");.

• Let's prove john as the input.

• We can see that our input is being reflected back to us.

• Let's provide the following input:

<script>alert(document.cookie)</script>

Security Level: Medium

The developer has tried to add a simple pattern matching to remove any references to "", to disable any JavaScript. Spoiler: Its cAse sENSiTiVE.

• Let's check out the source code.

• The <script> tag is being replaced with empty space using the str_replace function.

• The problem with this function is that it is case sensitive i.e. it will not replace a <SCRIPT> tag.

• This allows us to craft our payload as follows:

<SCRIPT>alert(document.cookie)</SCRIPT>

Security Level: High

The developer now believes they can disable all JavaScript by removing the pattern "<scrip*t". Spoiler: HTML events.

• In this level the <script pattern itself is removed.

• Let's check the source code to see how this has been implemented.

• The developer has used the preg_replace function.

• However, we can still use HTML events in order to trigger the alert.

• For our payload we can use the <img onerror> attribute as follows:

<img src=1 onerror=alert(document.cookie)>