
Cross-site scripting (XSS) from Basic to Advanced

This article explores cross-site scripting (XSS) from basic to advanced, from a real-world web application pen-testing perspective, with practical examples from all of the PortSwigger labs.
We will start from the very beginning.

What is Cross-site scripting (XSS)?

Cross-site scripting (XSS) is a web vulnerability that allows attackers to insert malicious scripts into web pages that other users are viewing. Typically written in JavaScript, the injected scripts can be used to steal sensitive information, modify site content, or execute other malicious operations.

Labs that we will solve

1- Reflected XSS into HTML context with nothing encoded
2- Stored XSS into HTML context with nothing encoded
3- DOM XSS in document.write sink using source location.search
4- DOM XSS in innerHTML sink using source location.search
5- DOM XSS in jQuery anchor href attribute sink using location.search source
6- DOM XSS in jQuery selector sink using a hashchange event
7- Reflected XSS into attribute with angle brackets HTML-encoded
8- Stored XSS into anchor href attribute with double quotes HTML-encoded
9- Reflected XSS into a JavaScript string with angle brackets HTML encoded
10- DOM XSS in document.write sink using source location.search inside a select element
11- DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
12- Reflected DOM XSS
13- Stored DOM XSS
14- Exploiting cross-site scripting to steal cookies
15- Exploiting cross-site scripting to capture passwords
16- Exploiting XSS to perform CSRF
17- Reflected XSS into HTML context with most tags and attributes blocked
18- Reflected XSS into HTML context with all tags blocked except custom ones
19- Reflected XSS with some SVG markup allowed
20- Reflected XSS in canonical link tag
21- Reflected XSS into a JavaScript string with single quote and backslash escaped
22- Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
23- Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
24- Reflected XSS into a template literal with angle brackets, single, double quotes, backslash, and backticks Unicode-escaped
25- Reflected XSS with event handlers and href attributes blocked
26- Reflected XSS in a JavaScript URL with some characters blocked
27- Reflected XSS with AngularJS sandbox escape without strings
28- Reflected XSS with AngularJS sandbox escape and CSP
29- Reflected XSS protected by very strict CSP, with dangling markup attack
30- Reflected XSS protected by CSP, with CSP bypass

Types of cross-site scripting (XSS) we are going to learn [in the next articles]

  • Reflected XSS (each of every lab with deep explanation and solutions).
  • DOM XSS (each of every lab with deep explanations and solutions).
  • Stored XSS (each of every lab with deep explanations and solutions).
  • Exploiting cross-site scripting to steal cookies (BONUS).
  • Exploiting cross-site scripting to capture passwords (BONUS).
  • Exploiting XSS to perform CSRF (BONUS).

NOTE: The types of XSS mentioned here will be taught step-by-step in the next articles, with full definitions and explanations. So stay tuned 🙂

Reflected XSS into HTML context with nothing encoded

So, we are starting to solve the PortSwigger labs, and the first lab is ‘Reflected XSS into HTML context with nothing encoded’.
Take a look at the lab description for a better understanding of what to do.

Here you can clearly see that the lab contains a simple reflected cross-site scripting vulnerability in the search functionality, and that to solve it you have to perform an attack that calls the alert function.
Let’s ‘Access the lab’ and see what to do next.

As the lab description mentioned, we have search functionality (a search box) on which to perform the cross-site scripting (XSS) attack.
If you know basic HTML, then before sending an XSS payload for reflected XSS you can check whether the input is reflected unencoded by submitting a simple h1 tag:

<h1> #novaexperience </h1>

Write it manually or copy it from here, paste it into the search box and press ‘ENTER’.

It seems applicable for reflected XSS, right?
To confirm, open ‘view-source’ and find where the h1 tag we submitted has landed.

Here we go: it is applicable for reflected XSS, so this lab can be solved.
Now it’s time to send the payload.

<script>alert(1)</script>

Simply copy it or type it manually, paste it into the search box and press ‘ENTER’.

BOOM! We’ve successfully solved the lab.
For a better understanding, check ‘view-source’ again and see why it’s ‘reflected’: the search term is echoed back into the page exactly as it was sent, with nothing encoded.
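To show what "nothing encoded" means on the server side, here is an added example (not the lab's real source or the article author's code) that models the search-results template as a small function, first reflecting the term raw and then HTML-encoding it for the text context it lands in. The page markup and the "0 search results for" wording are assumptions.

```javascript
// Added example, not from the original article: a minimal model of the
// reflection behind this lab. Route name and markup are assumptions.

// Encode the characters that can break out of an HTML text context.
function htmlEncode(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable version: the search term is concatenated straight into the page,
// so a submitted <h1> becomes a real heading and <script> becomes real script.
function renderSearchUnencoded(term) {
  return `<section class="blog-header"><h1>0 search results for '${term}'</h1></section>`;
}

// Fixed version: the same template, but the term is entity-encoded before it
// is placed in the HTML text context.
function renderSearchEncoded(term) {
  return `<section class="blog-header"><h1>0 search results for '${htmlEncode(term)}'</h1></section>`;
}

// Check used by a test or response-review script: is the probe still present
// as live markup, or only as inert entity-encoded text?
function reflectsRawMarkup(html, probe) {
  return html.includes(probe);
}

// Walk both versions with the two probes used in the write-up above (constructed input).
const probes = ["<h1> #novaexperience </h1>", "<script>alert(1)</script>"];
for (const p of probes) {
  console.log(`probe ${JSON.stringify(p)}`);
  console.log("  unencoded reflects raw markup:", reflectsRawMarkup(renderSearchUnencoded(p), p));
  console.log("  encoded   reflects raw markup:", reflectsRawMarkup(renderSearchEncoded(p), p));
}
```

The same check run against a real response (compare the raw request string with the body) is the quickest way to tell an unencoded reflection from one that has been correctly encoded for its context.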

Thank you for reading. If this article (Cross-site scripting (XSS) from Basic to Advanced; be ready for its other parts) really helped you, share it with your mates,
and follow @masaudsec on Twitter.

FAQS

What is web security?

Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.

What is web application security?

Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.

Which of the following is a good security practice for web browsing?

It is always a good practice to use an up-to-date browser with timely updates. Keep your browser plugins up-to-date, avoid malicious websites and links, and always enable 2-factor authentication while avoiding clickjacking.

How to find someone’s social security number on the dark web

Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.

