Cross-Site Scripting (XSS) Vulnerability Basics

Beginner

Introduction

Cross-Site Scripting (XSS) vulnerabilities are among the most common vulnerabilities in web applications. If your site does not apply a consistent method for preventing XSS (encoding untrusted data wherever it is written into a page), it is likely that XSS vulnerabilities exist. This lab introduces the basic principles of XSS and demonstrates how such vulnerabilities are exploited through two hands-on experiments.

Understand Reflected XSS

In this step, we will learn about Reflected XSS vulnerabilities and how to exploit them.

First, let's initialize the lab environment by running the following command in the terminal:

curl 'https://labfile.oss.aliyuncs.com/courses/3471/init_xss_1_1.sh' > ~/init_xss_1_1.sh; chmod +x ~/init_xss_1_1.sh; sudo ~/init_xss_1_1.sh

This command will create two PHP files in the /var/www/html/xss/ directory:

  • xss_reflect.php
  • xss_storage.php

Access xss_reflect.php in your web browser using the following URL:

http://127.0.0.1/xss/xss_reflect.php

This page implements a simple search function that writes the submitted input string directly into the web page.

Try entering hello World in the input field, and you will see hello World printed on the page.

Now, try entering JavaScript code such as <script>alert('xss')</script>:

<script>
  alert("xss");
</script>

You should see an alert box pop up on the page, executing the JavaScript code.

Note that the "alert" is not the goal of an XSS attack; it is just a test to determine if the JavaScript code can be executed. In an actual XSS exploit, you would replace the alert() function with other malicious JavaScript code.

Check the page source code, and you'll see that your input has been inserted into the HTML source, allowing the code to execute.

However, this XSS attack is non-persistent (reflected). If you refresh the page or navigate to the URL again, the attack is not triggered, because the JavaScript code was only echoed back from that one request and was never stored by the server.

This is the principle of a Reflected XSS attack. Let's move on to understand Stored XSS in the next step.

Understand Stored XSS

In this step, we will learn about Stored XSS vulnerabilities and how to exploit them.

Access the following URL in your web browser:

http://127.0.0.1/xss/xss_storage.php

This is a simplified message board functionality. Try submitting a message.

After you submit a message, it is stored on the server and remains on the page even after refreshing.

As in the reflected XSS experiment, try submitting <script>alert('xss')</script> as the message:

<script>
  alert("xss");
</script>

You should see an alert box pop up, triggering the XSS attack.

Unlike Reflected XSS, even if you close and reopen the browser, or access the URL again, the XSS attack will be triggered repeatedly.

This is the principle of a Stored XSS attack. The malicious JavaScript code is stored on the server and executed every time the page is accessed.
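Both experiments above share one root cause: untrusted input is written into the HTML response without encoding. The following is an added example, not the lab's own xss_reflect.php or xss_storage.php, showing a minimal reflected search and a minimal stored message board in their vulnerable form (commented out) beside the hardened form. It assumes PHP 7 or later and a writable messages.txt next to the script.

```php
<?php
// Added example (not the lab's code): reflected and stored output, vulnerable
// form commented out, hardened form active. Assumes a writable messages.txt.
declare(strict_types=1);

// Defence in depth: a restrictive CSP blocks inline <script> even if an
// encoding mistake slips through somewhere on the page.
header("Content-Security-Policy: default-src 'self'");

// Encode untrusted data for an HTML text context. ENT_QUOTES also encodes
// single quotes, so the value is safe inside a single-quoted attribute too.
function h(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$q = $_GET['q'] ?? '';

// Vulnerable reflected output: the raw request parameter becomes part of the
// page, so <script>alert('xss')</script> is executed by the browser.
// echo "You searched for: " . $q;

// Hardened reflected output: the same input is rendered as text. The payload
// reaches the browser as &lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;
echo "You searched for: " . h($q);

// Stored variant: persisting the raw message is not the defect; echoing it
// back without encoding on every page load is.
$store = __DIR__ . '/messages.txt';
if (isset($_POST['msg'])) {
    file_put_contents($store, $_POST['msg'] . "\n", FILE_APPEND | LOCK_EX);
}
$messages = file_exists($store) ? file($store, FILE_IGNORE_NEW_LINES) : [];
foreach ($messages as $m) {
    // echo "<p>$m</p>";          // vulnerable: stored payload runs for every visitor
    echo '<p>' . h($m) . '</p>';  // hardened: payload is displayed, never executed
}
```

Encoding must happen at output time for the specific context (HTML text here); data stored from another source or written into a JavaScript or URL context needs the encoder for that context instead.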

Summary

In this lab, we learned about the basics of XSS vulnerabilities, including the different types of XSS (Reflected and Stored), and how to exploit them through hands-on experiments. Understanding the principles and exploitation methods of XSS vulnerabilities is crucial for web application security. By completing this lab, you have gained practical experience in identifying and exploiting XSS vulnerabilities, which will help you in future web security assessments and pentesting engagements.
