# XSS (Reflected)

> #### Objective
>
> One way or another, steal the cookie of a logged in user.


## Security Level: Low

> Low level will not check the requested input, before including it to be used in the output text. Spoiler: `?name=<script>alert("XSS");</script>`.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FWjP5VGDd6o8WnUf8R69Z%2F1.png?alt=media&#x26;token=14631f58-2c48-4072-a6a9-62c791898c01" alt=""><figcaption></figcaption></figure>

* Let's provide `john` as the input.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FHO2y97Kmcsp0OPOFDztN%2F2.png?alt=media&#x26;token=39f39fc8-6877-4cfc-92e0-d4dc7b15e2b1" alt=""><figcaption></figcaption></figure>

* We can see that our input is reflected back into the page unmodified, which is the classic reflected XSS sink.
* Let's provide the following input as the `name` parameter:

```
<script>alert(document.cookie)</script>
```

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2F8PWeoJQ8EkV7MxhcbWO4%2F3.png?alt=media&#x26;token=3de9304c-4096-42e5-aac4-f31757e4fd62" alt=""><figcaption></figcaption></figure>


## Security Level: Medium

> The developer has tried to add a simple pattern matching to remove any references to `"<script>"`, to disable any JavaScript. Spoiler: It's cAse sENSiTiVE.

* Let's check out the source code.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FYnRSm7vLLaGctokgL9TR%2F4.png?alt=media&#x26;token=15614faf-fe06-45ad-8eb6-ab11e526fb4c" alt=""><figcaption></figcaption></figure>

* The literal string `<script>` is replaced with an empty string using PHP's `str_replace('<script>', '', $_GET['name'])`.
* The problem with this filter is that `str_replace` is case sensitive, i.e. it will not touch a `<SCRIPT>` tag. It is also a single pass over the input, so a nested tag such as `<scr<script>ipt>` collapses back to `<script>` after the inner match is removed, and it only looks for the opening tag, so any other tag carrying an event handler is left alone.
* This allows us to craft our payload as follows:

```
<SCRIPT>alert(document.cookie)</SCRIPT>
```

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FmTETKrEDSlpXjy8XYmqD%2F5.png?alt=media&#x26;token=0ae21a75-aa19-4039-9dac-79e3e7958d50" alt=""><figcaption></figcaption></figure>


## Security Level: High

> The developer now believes they can disable all JavaScript by removing the pattern `"<s*c*r*i*p*t"`. Spoiler: HTML events.

* In this level the `<script` pattern itself is removed, case-insensitively and with any characters allowed between the letters, so the upper-case and nested-tag tricks from the Medium level no longer work.
* Let's check the source code to see how this has been implemented.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FcUJR3YFUPcQyelRQiWAX%2F6.png?alt=media&#x26;token=057b680d-c397-45f0-af03-055a71305dc4" alt=""><figcaption></figcaption></figure>

* The developer has used `preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET['name'])`. The `i` flag makes it case-insensitive and the `.*` wildcards catch characters inserted between the letters.
* However, this is still a blacklist of one tag: the `<` and `>` characters themselves are not encoded, so any other tag with an HTML event handler can be used to trigger the alert.
* For our payload we can use the `onerror` handler of an `<img>` tag. `src=1` points at an image that cannot load, so the handler fires as soon as the page renders:

```
<img src=1 onerror=alert(document.cookie)>
```

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2Fh4QjUurdHBnrjEVUeSXu%2F7.png?alt=media&#x26;token=ee0f87de-7989-4a37-ab02-6372e96be2ab" alt=""><figcaption></figcaption></figure>
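To see why each level falls to the payload it does, the three DVWA filters above can be re-implemented and run against the payloads offline. The block below is an added example, not DVWA's own code: it mirrors in JavaScript the documented PHP behaviour of each level (verbatim reflection, single-pass case-sensitive `str_replace`, the case-insensitive wildcard `preg_replace`) and adds the fix the page does not show, output encoding equivalent to PHP's `htmlspecialchars` with `ENT_QUOTES`. The `<pre>Hello ...</pre>` wrapper, the `isExecutable` check and the `nested` payload are assumptions made for the demonstration.

```javascript
// Added example, not DVWA's own code. Re-implements the three DVWA
// "XSS (Reflected)" filters so the bypasses can be checked offline.

// Low: the name parameter is reflected verbatim.
function filterLow(name) {
  return name;
}

// Medium: PHP str_replace('<script>', '', $name) -- exact, case-sensitive,
// every occurrence removed in a single pass. split/join mirrors "replace all".
function filterMedium(name) {
  return name.split('<script>').join('');
}

// High: PHP preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name) --
// case-insensitive, any characters between the letters, all matches removed.
function filterHigh(name) {
  return name.replace(/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/gi, '');
}

// Hardened reflection (not on the page): output encoding, the equivalent of
// PHP htmlspecialchars($name, ENT_QUOTES). No '<' survives, so no tag can form.
function encodeHtml(name) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return name.replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed page template: the filtered value is embedded in the response body.
function reflect(filter, name) {
  return '<pre>Hello ' + filter(name) + '</pre>';
}

// Crude check for markup a browser would execute: a <script tag or an
// on* event-handler attribute inside a tag. Good enough for these payloads.
function isExecutable(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\bon\w+\s*=/i.test(html);
}

// The walkthrough's payloads plus one constructed extra ("nested"): the
// nested-tag trick that works because str_replace is a single pass.
const PAYLOADS = {
  lower: '<script>alert(document.cookie)</script>',
  upper: '<SCRIPT>alert(document.cookie)</SCRIPT>',
  nested: '<scr<script>ipt>alert(document.cookie)</script>',
  event: '<img src=1 onerror=alert(document.cookie)>',
};

// Names of the payloads that still yield executable markup after `filter`.
function bypasses(filter) {
  return Object.keys(PAYLOADS).filter((k) => isExecutable(reflect(filter, PAYLOADS[k])));
}

// Per-level summary: which payloads get through each filter.
function summary() {
  return {
    low: bypasses(filterLow),
    medium: bypasses(filterMedium),
    high: bypasses(filterHigh),
    encoded: bypasses(encodeHtml),
  };
}

console.log(JSON.stringify(summary(), null, 2));
```

Running it shows the progression the walkthrough demonstrates: Low passes every payload, Medium is beaten by the upper-case and nested variants and by any event handler, High only by the event handler (the regex can never match `<img src=1 onerror=alert(document.cookie)>` because there is no `p` after the `s` at all), and the encoded version passes nothing, since the browser never sees a raw `<`. The High-level regex is a blacklist on one tag name; encoding the output at the sink is what actually closes the hole.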
