Exploring and Exploiting XSS Vulnerabilities

Introduction

Welcome to our interactive lab! Here, we'll dive into the world of web security by focusing on Cross-Site Scripting (XSS) - a common but crucial vulnerability in web applications. If a website isn't properly protected against XSS, it can become a playground for attackers.

But don't worry! We're going to help you understand and tackle this issue. We'll start by breaking down what XSS is, why it's important, and how it can be exploited. We'll then guide you through using a tool called 'hackbar', which will assist us in identifying potential XSS vulnerabilities.

In addition, we'll also explore various 'bypassing techniques'. These are clever methods that attackers can use to circumvent security measures, and by understanding them, we can better protect our websites.

Remember, the best way to learn is by doing - so we'll be conducting hands-on experiments throughout. By the end of this lab, you'll have a solid understanding of XSS vulnerabilities and how to prevent them. Let's get started!

Installing and Using hackbar

In this module, we're going to familiarize ourselves with a handy tool known as 'hackbar', which will be our primary aid in detecting XSS (Cross-Site Scripting) vulnerabilities.

First off, let's get the hackbar browser extension installed:

1. Navigate to the directory /home/labex/project.
2. Locate the file hackbar-2.3.1-fx.xpi, double-click it, and then click "Add" in the pop-up window to install the extension. Just like the following picture shows, as depicted in the image below.
   

Once the installation is complete, you can access hackbar by launching the developer tools in your browser. This is typically done by pressing the F12 key, or by navigating to Settings > Developer > Debugger.

Let's quickly walk through some of hackbar's key features:

• Load URL: This feature pulls the URL of the page you're currently on into hackbar.
• Split URL: This breaks down the URL parameters to make them easier to read and understand.
• Execute: This feature sends the modified URL back to the server.
• Post data: This allows you to send POST data to the server.

Additionally, hackbar comes with built-in payloads for a variety of vulnerabilities, including SQL injection, XSS, and XXE.

XSS Vulnerability Experiment 1

In this segment, we'll delve into a basic XSS (Cross-Site Scripting) vulnerability, and learn how we can exploit it using hackbar.

Firstly, execute the command below to prepare our lab environment:

docker run -d -p 82:80 --name pentesterlab-WebforPentest-1 -it jewel591/vulnbox:pentesterlab-WebforPentest-1 /bin/sh -c 'service apache2 start && tail -f /var/log/apache2/error.log' --registry-mirror='https://registry.docker-cn.com'

Next, launch your web browser and navigate to this URL:

http://127.0.0.1:82/xss/example1.php?name=hacker

Here are the steps to exploit the XSS vulnerability:

1. Press F12 to Launch hackbar and click on "Load URL" to pull in the current page URL.
2. Modify the name parameter value to 123 and then click "Execute". You should observe the page updating with this new value, as depicted in the image below.
   
3. Utilize the built-in XSS payload in hackbar (XSS > XSS Alert) and click "Execute". This should result in an XSS alert being triggered, as depicted in the image below.
   

XSS Vulnerability Experiment 2

In this part, we'll explore a basic technique to bypass XSS (Cross-Site Scripting) filters.

Start by navigating to the URL below in your web browser:

http://127.0.0.1:82/xss/example2.php?name=hacker

Here are the steps to bypass the XSS filter:

1. Attempt to inject a simple XSS payload using hackbar, for instance, <script>alert(1)</script>. You'll find that this doesn't yield the expected result, as depicted in the image below.
   
2. Inspect the source code of the page. You'll notice that the <script> and </script> tags are being filtered out, as depicted in the image below.
   
3. To circumvent this filter, try using a different case for the script tag, like <ScripT>alert(1)</ScripT>. This might allow you to bypass the filter and successfully inject the XSS payload, as depicted in the image below.
   

XSS Vulnerability Experiment 3

In this phase, we will learn how to employ various HTML tags and attributes to execute XSS (Cross-Site Scripting) attacks.

First, navigate to the URL below in your web browser:

http://127.0.0.1:82/xss/example4.php?name=hacker

Follow these steps to bypass the XSS filter and execute an attack:

1. Attempt to inject a simple XSS payload using hackbar. However, you'll observe that the server identifies and blocks the script keyword, as depicted in the image below.
   
2. To circumvent this filter, we'll use the <a> HTML tag in combination with the onclick attribute:

<a onclick="alert('xss')">xss</a>

This payload generates a clickable link on the webpage. When clicked, it triggers the alert('xss') JavaScript function.

3. Click on the "xss" link on the page. You should see the XSS alert being activated, as depicted in the image below.
   

There's a multitude of HTML tags and attributes that can be used in tandem to launch XSS attacks. For more sophisticated XSS payloads, refer to the following repository:

https://github.com/iSecurity-Club/Pentest-Methodologies/blob/master/web-exploit-exp/xss/payloads.txt

Summary

In this lab, we learned the fundamental techniques for discovering and exploiting XSS vulnerabilities. We explored how to use the hackbar tool to test for XSS vulnerabilities and employed various bypassing techniques, such as case manipulation and using different HTML tags and attributes. Through hands-on experiments, we gained practical experience in identifying and exploiting XSS vulnerabilities in web applications. This lab provided a solid foundation for further exploration of more advanced XSS techniques and web application security testing.