<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>XSS on Raghunath Gopinath</title>
    <link>https://raghu.io/tags/xss/</link>
    <description>Recent content in XSS on Raghunath Gopinath</description>
    <generator>Hugo</generator>
    <language>en</language>
    <lastBuildDate>Mon, 02 Feb 2026 22:47:55 +0530</lastBuildDate>
    <atom:link href="https://raghu.io/tags/xss/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>XSS Explained - Learn cross-site scripting with examples</title>
      <link>https://raghu.io/xss-explained-learn-cross-site-scripting-with-examples/</link>
      <pubDate>Fri, 25 Nov 2022 11:35:43 +0000</pubDate>
      <guid>https://raghu.io/xss-explained-learn-cross-site-scripting-with-examples/</guid>
      <description>Kurukshetra is an intentionally designed XSS-vulnerable application. XSS is explained with examples, and it&amp;#39;s an open-source lab for practicing and learning cross-site scripting vulnerabilities.</description>
      <content:encoded><![CDATA[<p>You would like to learn more about what a cross-site scripting
vulnerability is and how it can be exploited with examples. This is the
right place for you. I have compiled short lessons on cross-site
scripting (XSS) vulnerability with trial testing scenarios close to
real-time, which can help you get started with real-world applications.</p>
<p>Let&rsquo;s start by setting up the lab environment needed for practicing XSS,
and upcoming articles will cover the theory and step-by-step approach
for identifying the vulnerability.</p>
<figure>
    <img loading="lazy" src="/icons/tool-box.png"/> 
</figure>

<h2 id="kurukshetra--an-xss-vulnerable-app-by-design">Kurukshetra- An XSS-vulnerable app by design</h2>
<p>In the author&rsquo;s own words, &ldquo;<strong>Kurukshetra is a vulnerable lab geared
towards practicing XSS challenges.</strong>&rdquo;</p>
<p>The app&rsquo;s motto is to give you hands-on experience in identifying the
XSS vulnerability in different ways and also keep you updated about the
theory and basics needed.</p>
<p>Check out the <a href="https://github.com/D4rk36/Kurukshetra/?ref=securityarray.net">GitHub -
D4rk36/Kurukshetra</a>
for more info.</p>
<figure>
    <img loading="lazy" src="/icons/caution.png"/> 
</figure>

<blockquote>
<p>All the content here provided is only for the educational purposes.
Authors, Application Creators or Web Site Owners are not responsible
for misuse of your knowledge. You are responsible for your own
actions!.</p>
</blockquote>
<!--quoteend-->
<blockquote>
<p>Kurukshetra app isn&rsquo;t for production use! Only for testing and
learning on a host machine.</p>
</blockquote>
<h2 id="preparing-environment">Preparing Environment</h2>
<p>A couple of things must be done to start working on the
&ldquo;<strong>Kurukshetra</strong>&rdquo; XSS vulnerable application.</p>
<ol>
<li><strong>Docker &amp; Docker Compose</strong> must be installed and working</li>
<li>A working <strong>OS(Linux/Windows/Mac)</strong> with network connectivity</li>
<li><strong>Git</strong> installed</li>
</ol>
<p>Feel free to skip to the next section if all the required tools are
pre-installed.</p>
<p>For users whose Docker is not installed, please visit the <a href="https://docs.docker.com/get-docker/?ref=securityarray.net">Get
Docker</a> page
and follow the instructions as specified.</p>
<p>Once installed, make sure the Docker is working. The output of the
command should be something similar to the below output.</p>
<h3 id="docker-check">Docker check:</h3>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">docker --version
</span></span></code></pre></div><p><strong>Output</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">Docker version 20.10.17, build 100c701
</span></span></code></pre></div><p>After installing the Docker, you can set up the
<a href="https://docs.docker.com/compose/install/?ref=securityarray.net">docker-compose</a>
by referring to the given link. It is needed to build up the environment
on the go.</p>
<p>Make sure the docker-compose is working by verifying the version
information.</p>
<h3 id="docker-compose-check">Docker Compose check:</h3>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">docker compose version
</span></span></code></pre></div><p><strong>Output</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">Docker Compose version v2.12.2
</span></span></code></pre></div><p>Hopefully, &ldquo;<strong>git</strong>&rdquo; is installed on most of them. If you think you
don&rsquo;t have one, just go ahead and install it from your package manager
or the link given below.</p>
<p><a href="https://git-scm.com/downloads?ref=securityarray.net">Git - Download</a></p>
<figure>
    <img loading="lazy" src="/icons/application.png"/> 
</figure>

<h2 id="lab-setup---kurukshetra-application-">Lab-Setup - &ldquo;Kurukshetra&rdquo; Application 💻</h2>
<p>Let&rsquo;s clone the application from the GitHub repository and copy it onto
your system.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git clone https://github.com/D4rk36/Kurukshetra.git
</span></span></code></pre></div><p>Navigate to the downloaded directory.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">cd</span> ./Kurukshetra
</span></span></code></pre></div><p>Inside the directory, you will find a &ldquo;<strong>docker-compose.yml</strong>&rdquo; file,
which contains the instructions for running the application. You have to
run &ldquo;<code>docker compose up</code>&rdquo; to bring up the environment.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker compose up
</span></span></code></pre></div><p>Once the environment is up, let&rsquo;s verify by accessing the app
environment by clicking on the following URL: <a href="http://localhost:8066/">http://localhost:8066/</a>
or paste it into your browser.</p>
<blockquote>
<p>💡In case you are facing any errors. Please re-verify all the steps
from the docker installation.</p>
</blockquote>
<p>The page will be displayed below.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="Challenge-Page.png"
         alt="Figure 1: Kurukshetra - XSS Challenges Page"/> <figcaption>
            <p>Figure 1: Kurukshetra - XSS Challenges Page</p>
        </figcaption>
</figure>

<p>Bringing up the Docker instance might take a couple of minutes, based on
your network speeds. You should also be able to see the log as displayed
below while starting up.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="Kurukshetra-Running.png"
         alt="Figure 2: Kurukshetra Running"/> <figcaption>
            <p>Figure 2: Kurukshetra Running</p>
        </figcaption>
</figure>

<p>During any time in the lab, you can run &ldquo;<strong>Ctrl - c</strong>&rdquo; to stop the
running environment.</p>
<p>Additionally, to completely remove the &ldquo;Kurukshetra&rdquo; containers running
from your system, run the remove command from the same directory where
the <strong>docker-compose.yml</strong> file is present.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker compose rm
</span></span></code></pre></div><p>Now that our lab environment is up and working, you are good to proceed
to the next step of identifying the XSS vulnerabilities.</p>
<figure>
    <img loading="lazy" src="/icons/report.png"/> 
</figure>

<h2 id="summary">Summary</h2>
<p>The setup is straightforward for users who are familiar with Docker. For
other users who are new to docker, you might need to get adapted to
using it. Most of the tools are now being containerized to avoid the
installation process. Just download and run with docker.</p>
<p>Ensure your lab environment is working to jump-start learning about
cross-site scripting vulnerability. The next articles will cover types
of cross-site scripting vulnerabilities and techniques used to identify
them. 😃</p>
<h2 id="additional-references-for-xss-practice">Additional References for XSS Practice:</h2>
<ul>
<li>XSSy Labs</li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title>Mitigating XSS Vulnerability</title>
      <link>https://raghu.io/mitigating-xss-vulnerability/</link>
      <pubDate>Sat, 20 Aug 2022 04:30:12 +0000</pubDate>
      <guid>https://raghu.io/mitigating-xss-vulnerability/</guid>
      <description>Mitigation recommendations for Cross-Site Scripting Vulnerability</description>
      <content:encoded><![CDATA[<p>Cross-Site Scripting(XSS) is a serious security vulnerability. In short,
Attackers use this for a wide range of security attacks like stealing
user session cookies, redirecting all the users to a malicious website,
logging keystrokes of the victim&rsquo;s activity, defacing an organization&rsquo;s
website, even can use the victim system as a bots for malicious
activity, etc.</p>
<p>A single technique cannot mitigate XSS vulnerability completely. Using
the right defenses can help in preventing XSS attacks.</p>
<p>One of the best practices is &ldquo;<strong>Defense-In-Depth</strong>&rdquo;, Enabling multiple
layers of defense so even if a layer fails, other layers of protection
can minimize the impact of an XSS attack.</p>
<figure>
    <img loading="lazy" src="/icons/framework.png"/> 
</figure>

<h2 id="use-frameworks">Use Frameworks</h2>
<p>In modern development practices, developers like to code faster and
avoid recreating the wheel.</p>
<p>Rather than building applications from scratch, using the frameworks can
protect the application from lots of vulnerabilities. As security
features are in-built into frameworks and just need to enable.</p>
<p>For example input validation checks, XSS prevention, preventing access
control issues, etc. (Some PHP frameworks include laravel,
CodeIgniter,etc.)</p>
<p>Additionally, these frameworks do address the security vulnerabilities
when discovered, all you need to ensure is that you are using the latest
version of the application framework.</p>
<figure>
    <img loading="lazy" src="/icons/quality-control.png"/> 
</figure>

<h2 id="validate-client-data">Validate Client Data</h2>
<p>One of the most crucial steps is to validate each and every input
received from the client.</p>
<p>As we have demonstrated throughout our articles, any data coming from
the client side can be modified with the help of intercepting proxies.</p>
<p>For the same reason, each and every piece of data coming from the client
must be validated then must follow through next steps of verification.
<img loading="lazy" src="/icons/decode.png"></p>
<h2 id="output-encoding">Output Encoding</h2>
<p>Output encoding is one of the techniques used to take user-controlled
data and safely display it without interpreting it as code, and
considering it as text.</p>
<p>Below is an example XSS payload.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">&lt;script&gt;alert(document.domain);&lt;/script&gt;
</span></span></code></pre></div><p>HTML-encoded text of XSS payload will be displayed as shown below.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">&amp;lt;script&amp;gt;alert(document.domain);&amp;lt;/script&amp;gt;
</span></span></code></pre></div><ul>
<li>&ldquo;&lt;&rdquo; changed to &ldquo;&lt;&rdquo;</li>
<li>&ldquo;&gt;&rdquo; changed to &ldquo;&gt;&rdquo;</li>
</ul>
<p>As the browser parses HTML, JavaScript, CSS, and URL differently. Each
much be encoded depending on the requirements.</p>
<p>Another good example in PHP, the &ldquo;<strong>htmlspecialchars</strong>&rdquo; function will
convert the &ldquo;<strong>&lt;</strong>&rdquo; less than, &ldquo;<strong>&gt;</strong>&rdquo; greater than symbols to HTML
entities such as &ldquo;<strong><code>&amp;lt;</code></strong>&rdquo; for less than, &ldquo;<strong><code>&amp;gt;</code></strong>&rdquo; for greater
than respectively. This again makes the application treat all as text
without breaking the syntax.</p>
<p>URL, HTML, JavaScript, and CSS can be encoded.</p>
<figure>
    <img loading="lazy" src="/icons/input.png"/> 
</figure>

<h2 id="sanitization">Sanitization</h2>
<p>In some cases, the users need to retain HTML code as it is. In this
case, the output encoding will break the document structure.</p>
<p>To retain the data as it is, the sanitization technique is used.</p>
<p>As part of the sanitization, it produced a new HTML document that
contains only the &ldquo;safe&rdquo; or allowed HTML tags. This prevents XSS, this
is performed in combination with the whitelist and blacklist approach.</p>
<p>Example, In PHP we used a
&ldquo;<a href="https://www.php.net/manual/en/function.strip-tags.php?ref=securityarray.net">strip_tags</a>&rdquo;
function is used to filter out all the HTML tags, the
&ldquo;<a href="https://www.php.net/manual/en/function.addslashes?ref=securityarray.net">addslashes</a>&rdquo;
function escapes the special chars like a quote, and a double quote with
backward slashes to retain it as text without breaking code syntax.</p>
<figure>
    <img loading="lazy" src="/icons/headers.png"/> 
</figure>

<h2 id="xss-header">XSS Header</h2>
<p>The <strong>X-XSS-Protection</strong> response header is one of the features used to
prevent the reflected XSS from executing.</p>
<p>Below is an example of enabling the XSS protection header by completely
blocking script execution.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="err">X-XSS-Protection: 1; mode=block
</span></span></span></code></pre></div><p>The following can be ignored if the strongly protected
&ldquo;<strong>Content-Security-Policy</strong>&rdquo; is being used.</p>
<h3 id="httponly---cookie-attribute">HTTPOnly - Cookie Attribute</h3>
<p>This is another cookie flag that helps in reducing the XSS impact.
Enabling the &ldquo;<strong>HTTPOnly</strong>&rdquo; flag for session cookies can prevent the
javascript code from accessing it.</p>
<h3 id="content-type">Content-Type</h3>
<p><strong>Content-Type</strong> is one of the response headers which specifies the type
of content delivered. It is recommended to set the script content to
&ldquo;<strong>application/json</strong>&rdquo; than &ldquo;text/html&rdquo;</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="err">Content-Type: application/json
</span></span></span></code></pre></div><p>Setting the content type to &ldquo;<strong>application/json</strong>&rdquo; prevents the
execution of script tags. <img loading="lazy" src="/icons/compliant.png"></p>
<h2 id="content-security-policy-csp">Content Security Policy (CSP)</h2>
<p>Content Security Policy is an added layer of security protection. This
helps in detecting and mitigating the XSS and other code injection
attacks.</p>
<p>CSP instructs the browser on how to deal with the content. On
CSP-enabled websites, it becomes very hard to exploit the XSS
vulnerability.</p>
<p>A <strong>Content-Security-Policy</strong> header is appended by the server with
policy configuration.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">Content-Security-Policy: default-src &#39;self&#39;; img-src *; script-src userscripts.example.com
</span></span></code></pre></div><p>Above is an
<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP?ref=securityarray.net">example</a>
of CSP, instructing the browser to permit only content from the same
site, images from anywhere, and execute scripts only from
&ldquo;userscripts.example.com&rdquo; <img loading="lazy" src="/icons/regulation.png"></p>
<h2 id="whitelisting-rather-blacklisting">Whitelisting rather Blacklisting</h2>
<p>Whitelisting or allowing a known good is an approach of letting only
what you trust and rejecting all the rest.</p>
<p>Whitelist is one of the supporting steps adding to all the above defense
layers. Even in the case of unknown payloads as well whitelist defends
well.</p>
<p>Let&rsquo;s say allowing the trusted characters upper case, small case
letters, numerics, and some special characters based on need.</p>
<p>Limit usage of the blacklist only for reasonable business requirements.</p>
<figure>
    <img loading="lazy" src="/icons/firewall.png"/> 
</figure>

<h2 id="use-web-application-firewalls-wafs">Use Web Application Firewalls (WAFs)</h2>
<p>Configuring and using Web Application Firewalls, protects web
applications from a wide range of attacks like XSS, Brute Force attacks,
Denial of Service attacks, Malicious input filtering, etc. a lot more.</p>
<p>Say AWS WAF, Cloudflare WAF, etc.</p>
<h2 id="additional-references">Additional References:</h2>
<p>More information on mitigating XSS attacks can be found on the OWASP
site.</p>
<ul>
<li><a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html?ref=securityarray.net">Cross Site Scripting Prevention - OWASP Cheat
Sheet</a></li>
<li><a href="https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html?ref=securityarray.net">DOM based XSS Prevention - OWASP Cheat
Sheet</a></li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title>Challenge 1 - Stored cross-site scripting attack</title>
      <link>https://raghu.io/challenge-1-stored-cross-site-scripting-attack/</link>
      <pubDate>Tue, 13 Dec 2022 05:43:59 +0000</pubDate>
      <guid>https://raghu.io/challenge-1-stored-cross-site-scripting-attack/</guid>
      <description>You will learn about what cross-site scripting vulnerability is, the types of cross-site scripting vulnerabilities, and how to identify a stored XSS</description>
      <content:encoded><![CDATA[<p>Welcome back to learning Cross-Site Scripting (XSS) vulnerability with
the Kurukshetra app built by
<a href="https://github.com/D4rk36/Kurukshetra?ref=securityarray.net">d4rk36</a>.</p>
<p>This post will start with what an XSS vulnerability is and then will try
to analyze the XSS challenges on the vulnerable app.</p>
<p>Ensure your lab is up and running if you have not set up your lab yet.</p>
<figure>
    <img loading="lazy" src="/icons/javascript.png"/> 
</figure>

<h2 id="what-is-cross-site-scripting">What is Cross-Site Scripting?</h2>
<p>Cross-site scripting is also referred to as &ldquo;<strong>XSS</strong>.&rdquo;</p>
<p>Cross-site scripting is an application flaw that takes a malformed input
from the client (i.e., Browser or Proxy) and the server without
verifying appends, then sends the input as it is back in an HTTP
response without proper validation.</p>
<blockquote>
<p>If you are not familiar with what HTTP is, check out the following
HTTP Basics Tutorial to help you get started.</p>
</blockquote>
<p>The malformed input lets an attacker inject malicious code(like HTML or
JavaScript ) into the server&rsquo;s HTTP response and can change the
application&rsquo;s behavior.</p>
<p>XSS vulnerability can be used to deface the landing pages of websites,
which is called defacement. Stealing user sessions and gaining access to
user accounts. Secretly log and monitor the victim&rsquo;s keystrokes, Control
the victim&rsquo;s web browser, retrieve user-saved passwords from the
browser, Or even redirect victims to a malicious page, and much more.</p>
<p>Additionally, XSS, combined with other security vulnerabilities, makes
the attack more severe.</p>
<p>In total, there are three types of XSS vulnerabilities, as detailed
below.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="Types-Of-XSS.png"
         alt="Figure 1: Types of Cross-Site Scripting Vulnerabilities"/> <figcaption>
            <p>Figure 1: Types of Cross-Site Scripting Vulnerabilities</p>
        </figcaption>
</figure>

<figure>
    <img loading="lazy" src="/icons/lab.png"/> 
</figure>

<h2 id="stored-xss---walkthrough">Stored XSS - Walkthrough</h2>
<p>After setting up the lab, Visit <a href="http://localhost:8066">http://localhost:8066</a>. The vulnerable
Kurukshetra application should be loaded as shown below.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="Challenge-1-Page.png"
         alt="Figure 2: XSS Vulnerable Kurukshetra App - Challenge 1"/> <figcaption>
            <p>Figure 2: XSS Vulnerable Kurukshetra App - Challenge 1</p>
        </figcaption>
</figure>

<p>Take some time to understand how the application functionality works
before we start assessing.</p>
<p>Try adding a simple &ldquo;<strong>HelloWorld</strong>&rdquo; string, and check how the input is
appended to the below comments.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="Key-In-Input.png"
         alt="Figure 3: Understaing how the application behaves with user input"/> <figcaption>
            <p>Figure 3: Understaing how the application behaves with user input</p>
        </figcaption>
</figure>

<p>From the above behavior, we can understand that the given input is
stored and displayed back.</p>
<p>💡 This is one of the signs where you can check if it can accept any
malformed input as well. Let&rsquo;s go ahead and try out the classic XSS
payload.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="Classic-XSS-String.png"
         alt="Figure 4: Class XSS Snippet"/> <figcaption>
            <p>Figure 4: Class XSS Snippet</p>
        </figcaption>
</figure>

<p><code>*&lt;script&gt;*</code> tag in HTML is used to extend the page capabilities and
include interactivity, which will be used to test if it is possible to
inject the code snippets.</p>
<p><code>alert()</code> function in JavaScript is used to display the popup window.</p>
<p>I will insert the script code to make things visually appealing, as
displayed in the image below. When we see the popup window, it means our
script code got injected and executed successfully.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="Trying-XSS-Payload.png"
         alt="Figure 5: Inserting XSS Payload"/> <figcaption>
            <p>Figure 5: Inserting XSS Payload</p>
        </figcaption>
</figure>

<p>Inject the script code in the input field and click the &ldquo;<strong>Submit</strong>&rdquo;
button.</p>
<p>Immediately, a popup message will be displayed, as shown below, to
confirm our script execution.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="XSS-Alert.png"
         alt="Figure 6: XSS alert pop-up"/> <figcaption>
            <p>Figure 6: XSS alert pop-up</p>
        </figcaption>
</figure>

<p>Click the &ldquo;<strong>OK</strong>&rdquo; button, and the application usually loads the page.</p>
<p>To further understand our script injection, Right-click, select &ldquo;<strong>View
Page Source</strong>,&rdquo; and then search for the above-injected script code.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="XSS-Alert-HTML-Source.png"
         alt="Figure 7: XSS Script Code in HTML Response"/> <figcaption>
            <p>Figure 7: XSS Script Code in HTML Response</p>
        </figcaption>
</figure>

<p>The script code was injected as it was given. This confirms we could
inject the malformed script code in the user input field.</p>
<p>Revisit the following page: <a href="http://localhost:8066/ch01.php">http://localhost:8066/ch01.php</a>. Observe
the popup message will be displayed again.</p>
<p>This is what a stored cross-site scripting vulnerability is. Once the
malformed input is injected, it will be executed every time the page is
loaded. If multiple users are using the same application, then the
script code will also be executed for each and every individual victim
as well.</p>
<p>Attackers can use the above type of functionality to deface the page and
completely change it based on malicious intent using JavaScript and HTML
code. Similarly, write a malicious piece of code to steal all the
authenticated users&rsquo; session tokens and reuse it for accessing the
user&rsquo;s account without passwords. Or even redirect victims to a
malicious page, etc.</p>
<p>🎉 This type of behavior is called Stored Cross-Site Scripting
vulnerability. Yay! We found a stored cross-site scripting vulnerability
and solved XSS Challenge 1.</p>
<h2 id="about-xss-payloads">About XSS Payloads</h2>
<p>The above example demonstrates a simple XSS code snippet.</p>
<p>You might be wondering how I would ever be able to create those script
payloads, and I am not even familiar with JavaScript and that stuff.</p>
<p>Well, lots of security researchers have already done most of the work
related to payloads for you. You all need to know when to use it and
what needs to be changed based on your scenario. As the experience
grows, you will be able to write your own custom payloads for yourself.</p>
<p>Here is a repository of
&ldquo;<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection?ref=securityarray.net">PayloadsAllThings</a>&rdquo;
that you might need to bookmark it.</p>
<p>You will find a lot of information on different vulnerabilities and
their payloads. Just search for &ldquo;XSS Injection&rdquo;.</p>
<p>Go ahead and try out with a wide range of XSS payloads and see how the
application behaves.</p>
<blockquote>
<p>💡Practice Makes perfect.</p>
</blockquote>
<h2 id="clean-up---xss-data">Clean up - XSS Data</h2>
<p>It might become annoying if we keep getting too many popups, which can
even impact usability.</p>
<p>Click on the &ldquo;<strong>Purge Database</strong>&rdquo; button to eliminate the annoying
popups and start fresh.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="Purge-Database.png"
         alt="Figure 8: Clean up all annoying warnings with - Purge Database"/> <figcaption>
            <p>Figure 8: Clean up all annoying warnings with - Purge Database</p>
        </figcaption>
</figure>

<figure>
    <img loading="lazy" src="/icons/report.png"/> 
</figure>

<h2 id="conclusion">Conclusion</h2>
<p>I hope you learned about the different types of cross-site scripting
vulnerabilities. Organizations are using the most secure coding
frameworks and best practices, but they might still miss out due to
complex application ecosystems, which can give way to XSS
vulnerabilities. The above example demonstrates how improper coding
practices can be used to exploit stored XSS vulnerabilities, and fixing
them as soon as possible as part of security assessments can reduce the
huge impact on production systems.</p>
]]></content:encoded>
    </item>
    <item>
      <title>Challenge 2 - Reflected cross-site scripting attack</title>
      <link>https://raghu.io/challenge-2-reflected-cross-site-scripting-attack/</link>
      <pubDate>Wed, 04 Jan 2023 15:29:55 +0000</pubDate>
      <guid>https://raghu.io/challenge-2-reflected-cross-site-scripting-attack/</guid>
      <description>You will learn about a reflected XSS and how it differs from the stored XSS. Also, I will walk you through exploiting reflected XSS.</description>
      <content:encoded><![CDATA[<p>Welcome back to learning Cross-Site Scripting(XSS) vulnerability with
the Kurukshetra app built by
<a href="https://github.com/D4rk36/Kurukshetra?ref=securityarray.net">d4rk36</a>.</p>
<p>In this article, we shall learn about the reflected XSS and how it
differs from the stored XSS.</p>
<p>Before we start, ensure the lab is running if you have not set up your
lab yet.</p>
<h2 id="types-of-cross-site-scripting-xss">Types of Cross-Site-Scripting (XSS)</h2>
<figure>
    <img loading="lazy" src="Types-Of-XSS.png"/> 
</figure>

<figure>
    <img loading="lazy" src="/icons/application.png"/> 
</figure>

<h2 id="how-reflected-xss-work">How Reflected XSS Work?</h2>
<p>The server processes the malicious input code supplied from the client
side, and the same malicious code is injected and then returned to the
client in an HTTP response without proper validations.</p>
<p>The browser renders the response content, assuming it was supplied by
the application server, which can be trusted, and the injected malicious
code also gets executed.</p>
<p>The significant difference that can be observed when compared to stored
cross-site scripting is, in reflected XSS, the malicious code is just
appended back in the HTTP response and executed immediately. It is not
stored anywhere in the database.</p>
<p>For the same reason, the impact of reflected XSS is reduced compared to
the stored cross-site scripting vulnerability.</p>
<figure>
    <img loading="lazy" src="/icons/lab.png"/> 
</figure>

<h2 id="practicals---reflected-xss">Practicals - Reflected XSS</h2>
<p>Post setting up the lab, visit <a href="http://localhost:8066">http://localhost:8066</a>. The application
should be loaded as shown below and Navigate to &ldquo;<a href="http://localhost:8066/ch02.php">XSS Challenge
2</a>.&rdquo;</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="XSS-Challenge-2-Page.png"
         alt="Figure 1: Kurukshetra XSS Challenge 2 Page"/> <figcaption>
            <p>Figure 1: Kurukshetra XSS Challenge 2 Page</p>
        </figcaption>
</figure>

<p>Before you start assessing, take some time to understand how the
application functionality works.</p>
<p>Let&rsquo;s go ahead and give it a try with the similar payload used in the
stored XSS.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="xss-payload.png"
         alt="Figure 2: XSS Payload"/> <figcaption>
            <p>Figure 2: XSS Payload</p>
        </figcaption>
</figure>

<p>Once appending the payload, click the &ldquo;<strong>Submit</strong>&rdquo; button, as shown in
the screenshot below.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="CH2-XSS-Payload-Injection.png"
         alt="Figure 3: XSS Payload Injection"/> <figcaption>
            <p>Figure 3: XSS Payload Injection</p>
        </figcaption>
</figure>

<p>Immediately observe the alert pop-up message, which will be displayed
below.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="CH2-XSS-Payload-Injection-Alert.png"
         alt="Figure 4: XSS Payload Alert Message"/> <figcaption>
            <p>Figure 4: XSS Payload Alert Message</p>
        </figcaption>
</figure>

<p>Click &ldquo;<strong>OK</strong>&rdquo; and observe the page loads normally.</p>
<p>To verify and confirm the vulnerability, right-click and select &ldquo;<strong>view
page source</strong>&rdquo; and search for the above-injected payload.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="CH2-XSS-Payload-Injection-HTML-Source.png"
         alt="Figure 5: XSS Payload HTML Code Verify"/> <figcaption>
            <p>Figure 5: XSS Payload HTML Code Verify</p>
        </figcaption>
</figure>

<p>The proof-of-concept script code aligns correctly with the HTML response
received, and all the characters are displayed back as given in the
input field.</p>
<p><strong>Yay!!</strong> Now, we can confirm we have successfully exploited the
reflected XSS.</p>
<p>Now, a point to remember here is that as this is not stored in the
database, it gets executed only when the malicious code is injected. At
all other times, the application usually behaves as expected.</p>
<p>In Stored XSS, the malicious payload gets executed whenever any user
visits the injected application functionality.</p>
<figure>
    <img loading="lazy" src="/icons/report.png"/> 
</figure>

<h2 id="summary">Summary</h2>
<p>This article covered how to identify reflected XSS and how it works,
including reusing the same XSS payload without much tweaking.</p>
<p>Keep learning!! :D</p>
]]></content:encoded>
    </item>
    <item>
      <title>Challenge 3 - XSS bypass blacklist HTML tags</title>
      <link>https://raghu.io/challenge-3-xss-bypass-blacklist-html-tags/</link>
      <pubDate>Fri, 13 Jan 2023 05:21:34 +0000</pubDate>
      <guid>https://raghu.io/challenge-3-xss-bypass-blacklist-html-tags/</guid>
      <description>Using the XSS fundamentals learned will look at how poorly implemented input validations can be bypassed with a custom-crafted xss payload.</description>
      <content:encoded><![CDATA[<p>Welcome back to learning Cross-Site Scripting(XSS) with the Kurukshetra.
An app built by
<a href="https://github.com/D4rk36/Kurukshetra?ref=securityarray.net">d4rk36</a>.</p>
<p>Before we start, ensure the Kurukshetra lab is up and running if you
have not set up your lab yet. Feel free to refer back to the below link.</p>
<p>We walked through stored and reflected XSS in a previous couple of
articles. In today&rsquo;s article with those foundations, let&rsquo;s dive into the
practical labs and start learning.</p>
<figure>
    <img loading="lazy" src="Types-Of-XSS.png"/> 
</figure>

<figure>
    <img loading="lazy" src="/icons/lab.png"/> 
</figure>

<h2 id="practicals---reflected-xss">Practicals - Reflected XSS</h2>
<p>Post setting up the lab, visit <a href="http://localhost:8066">http://localhost:8066</a> and ensure it&rsquo;s
accessible, then navigate to &ldquo;XSS Challenge 3&rdquo;.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="Kurukshetra-XSS-Challenge-3-Page.png"
         alt="Figure 1: Kurukshetra XSS Challenge Page 3"/> <figcaption>
            <p>Figure 1: Kurukshetra XSS Challenge Page 3</p>
        </figcaption>
</figure>

<p>Let&rsquo;s try it with the XSS payload used in our previous articles and
observe how the application behaves.</p>
<h3 id="payload-try-1-classic">Payload Try 1: Classic</h3>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="Classic-XSS-String.png"
         alt="Figure 2: Classic XSS Payload"/> <figcaption>
            <p>Figure 2: Classic XSS Payload</p>
        </figcaption>
</figure>

<p><strong>Output</strong>:</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="XSS-Challenge-3-Initial-Payload-Result.png"
         alt="Figure 3: Initial XSS Payload Result"/> <figcaption>
            <p>Figure 3: Initial XSS Payload Result</p>
        </figcaption>
</figure>

<p>From the above observations, the application no longer gives pop-up
messages but instead prints out the partial string from our given
payload. Which indicates that our XSS payload is no longer working.</p>
<p>To evaluate further, click &ldquo;<strong>View page source</strong>&rdquo; to understand how our
injected payload string is loaded in the HTML response body.</p>
<figure>
    <img loading="lazy" src="Page-Source-Code.png"/> 
</figure>

<p>I can see that there is some kind of filter kept in place by the
application that removes the word &ldquo;<strong>script</strong>,&rdquo; which breaks the HTML
syntax, and the browser treats the following data as just text and
displays back the partial string.</p>
<p>Can we assume that the vulnerability is fixed? <strong>No</strong></p>
<p>The developer leveraged a technique called
&ldquo;<a href="https://en.wikipedia.org/wiki/Blacklist_%28computing%29?ref=securityarray.net">Blacklisting</a>&rdquo;
to secure the application from exploiting the XSS vulnerability.
However, this approach has limitations, and it can still be bypassed.</p>
<figure>
    <img loading="lazy" src="/icons/info.png"/> 
</figure>

<ol>
<li>
<p>TIP - 1</p>
<p>HTML is case-insensitive, which means we can try it by changing it
to upper case or small case letters or even combining small and
upper case letters together, as given below.</p>
<figure>
        <img loading="lazy" src="HTML-Case-Insensitive.png"/> 
    </figure>

</li>
</ol>
<h3 id="payload-try-2-case-insensitive">Payload Try 2: Case-Insensitive</h3>
<figure>
    <img loading="lazy" src="HTML-Case-Insensitve-Payload.png"/> 
</figure>

<p><strong>Output</strong>:</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="XSS-Challenge-3-Initial-Payload-Result2.png"
         alt="Figure 4: Second XSS Payload Result"/> <figcaption>
            <p>Figure 4: Second XSS Payload Result</p>
        </figcaption>
</figure>

<p>It looks like this technique also failed. The application seems to be
filtering out the lowercase and uppercase script tags that were
inserted.</p>
<figure>
    <img loading="lazy" src="/icons/thinking.png"/> 
</figure>

<ol>
<li>
<p>TIP - 2</p>
<p>Javascript functions can be triggered for execution in multiple
different ways, not necessarily that only the HTML script tag is
needed all the time.</p>
<p>One of the ways to execute the javascript &ldquo;<strong>alert()</strong>&rdquo; function is
using the HTML SVG tag, which is generally used for loading the
vector graphics file on the HTML pages.</p>
<p><strong>Example:</strong></p>
<figure>
        <img loading="lazy" src="xss-payload-3.png"/> 
    </figure>

<p>The HTML Attribute &ldquo;<strong>onload</strong>&rdquo; is one of the special words used to
control the behavior.</p>
<p>In the above example, the HTML attribute &ldquo;<strong>onload</strong>&rdquo; is assigned to
a javascript function &ldquo;<strong>alert()</strong>&rdquo; which runs immediately when the
HTML SVG tag is loaded.</p>
<p>Let&rsquo;s go ahead and check out the things in action.</p>
</li>
</ol>
<h3 id="payload-try-3-html5-tags">Payload Try 3: HTML5 Tags</h3>
<figure>
    <img loading="lazy" src="xss-payload-3.png"/> 
</figure>

<p><strong>Output</strong>:</p>
<figure>
    <img loading="lazy" src="XSS-Challenge-3-Second-Payload-Result.png"/> 
</figure>

<p>This attempt also failed, as the application filters out multiple HTML
tag strings. i.e., svg, script, img, etc.</p>
<p>From the above example, we can see that the HTML attribute &ldquo;<strong>onload</strong>&rdquo;
is being loaded without any filters and displayed back as keyed in.</p>
<figure>
    <img loading="lazy" src="/icons/lost.png"/> 
</figure>

<ol>
<li>
<p>TIP - 3</p>
<p>Not all HTML tag strings can be blacklisted. Some might break the
entire HTML page itself and application functionality.</p>
<p>For example, the HTML Body tag is needed most to load the page&rsquo;s
content. HTML Style tag, which is used to beautify the page, etc.</p>
<p>We shall improvise the previously used payload with the HTML Body
tag.</p>
</li>
</ol>
<h3 id="payload-try-4-html5-tags">Payload Try 4: HTML5 Tags</h3>
<figure>
    <img loading="lazy" src="xss-payload-four.png"/> 
</figure>

<p><strong>Output: pop-up message</strong></p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="XSS-Challenge-3-Fourth-Payload-Alert.png"
         alt="Figure 5: Fourth XSS Payload Alert"/> <figcaption>
            <p>Figure 5: Fourth XSS Payload Alert</p>
        </figcaption>
</figure>

<p><strong>yay!!!</strong> 🎉 This time, our XSS payload worked, and the application
displayed the pop-up message.</p>
<p>To further confirm, Click &ldquo;<strong>OK</strong>,&rdquo; then right-click and select the
&ldquo;<strong>View page source</strong>&rdquo; code to see how our payload was injected and
aligned with the HTML response code.</p>
<figure class="mx-auto block text-center">
    <img loading="lazy" src="XSS-Challenge-3-Fourth-Payload-Source.png"
         alt="Figure 6: Fourth XSS Payload HTML Page Source"/> <figcaption>
            <p>Figure 6: Fourth XSS Payload HTML Page Source</p>
        </figcaption>
</figure>

<p>You should be able to find out that our injected payload is rightly
aligned, HTML attribute onload event is triggered immediately. Therefore
it indeed executed the javascript code.</p>
<p>Through this, we have successfully solved the XSS challenge 3.</p>
<figure>
    <img loading="lazy" src="/icons/report.png"/> 
</figure>

<h2 id="summary">Summary</h2>
<p>In this article, we learned how poorly implemented validations can still
be bypassed by improving the payload and trying different possible
combinations. The blacklisting approach is helpful for a quick fix but
is not foolproof, which must be updated whenever a new payload has been
reported. Additionally, we covered many tips and techniques that can
help you improvise your XSS identification skillset.</p>
<p>Keep learning!! :D</p>
]]></content:encoded>
    </item>
    <item>
      <title>Challenge 14: XSS bypass blacklisted JS function</title>
      <link>https://raghu.io/xss-bypass-blacklisted-js-function-challenge-14/</link>
      <pubDate>Tue, 21 Mar 2023 06:30:20 +0000</pubDate>
      <guid>https://raghu.io/xss-bypass-blacklisted-js-function-challenge-14/</guid>
      <description>This article goes into depth discussing an alternative JavaScript function, namely &amp;#34;confirm()&amp;#34;. It serves as an alternative for the JavaScript &amp;#34;alert()&amp;#34; function when the latter is unavailable.</description>
      <content:encoded><![CDATA[<p>Welcome back! In this article, you will learn about one more tip that
can be used while exploiting cross-site scripting.</p>
<p>Before getting started, ensure your Kurukshetra lab is up and running.
Feel free to refer back to the below link.</p>
<p><a href="/xss-explained-learn-cross-site-scripting-with-examples/">XSS Explained - Learn Cross-Site Scripting with
Examples</a></p>
<hr>
<img loading="lazy" src="/xss-bypass-blacklisted-js-function-challenge-14/image-49.png"><h2 id="xss-challenge-walkthrough">XSS Challenge Walkthrough</h2>
<p>Once your Kurukshetra XSS lab environment is up and running, Visit
<a href="http://localhost:8066/"><a href="http://localhost:8066">http://localhost:8066</a></a> and navigate to “<a href="http://localhost:8066/ch14.php">XSS
Challenge 14</a>“.</p>
<figure>
<img src="Kurukshetra-XSS-Challenge-Page-14-fs8.png" />
<figcaption>XSS Challenge Page 14 with payload</figcaption>
</figure>
<p>The above input field labeled “<strong>Try your XSS payload here?</strong>” is
displayed.</p>
<p>Key info is in the classic XSS payload, which has been used throughout
while testing for XSS, and click on the “<strong>Submit</strong>” button.</p>
<p><strong>XSS Payload</strong></p>
<img loading="lazy" src="/xss-bypass-blacklisted-js-function-challenge-14/image-51.png"><p><strong><u>Output:</u></strong></p>
<figure>
<img src="CH14-Input-Result-fs8.png" />
<figcaption>XSS Payload Input Result</figcaption>
</figure>
<p><br>
The application doesn&rsquo;t display any info on the page. Right-click and
select “<strong>View page source</strong>” to analyze how the appended payload got
reflected in the HTML response.</p>
<p><strong>Viewing HTML Source</strong></p>
<figure>
<img src="image-53.png" />
<figcaption>XSS Payload in HTML Source Code</figcaption>
</figure>
<p>In the above output, the javascript “<code>alert()</code>” function is missing.</p>
<p>Let&rsquo;s go ahead and give it a try with an HTML body tag-based XSS payload
to confirm if the “<code>alert()</code>” function is being filtered in the script
tag itself or from all inputs.</p>
<p><strong>XSS Payload 2</strong></p>
<img loading="lazy" src="/xss-bypass-blacklisted-js-function-challenge-14/image-54.png"><p><strong><u>HTML Source Output:</u></strong></p>
<figure>
<img src="image-55.png" />
<figcaption>XSS Payload in HTML Page Source</figcaption>
</figure>
<p>From the above output, it can be confirmed that the JavaScript
“<code>alert()</code>” is being filtered out in all the inputs given.</p>
<p>In the current scenario, the JavaScript function “<code>alert()</code>” is
commonly used by attackers to execute arbitrary code. This type of
blacklisting approach used to prevent XSS attacks involves identifying
and blocking specific strings or functions that could be used by
attackers to inject malicious code into a web application.</p>
<p>The major drawback of this approach is the developers need to update the
impactful functions/commands to the blacklist continuously.</p>
<figure>
<img src="image-56.png" />
<figcaption>Any other JavaScript function to try?</figcaption>
</figure>
<p>By removing or disabling these functions, web developers hope to prevent
attackers from exploiting XSS vulnerabilities in their applications.
However, this approach is often ineffective, as attackers can simply use
alternative methods to execute their payloads, such as using
&ldquo;<strong>confirm()&rdquo;</strong>, &ldquo;<strong>prompt()&rdquo;</strong>, &ldquo;<strong>console.log()&rdquo;</strong> or constructing
their own functions.</p>
<img loading="lazy" src="/xss-bypass-blacklisted-js-function-challenge-14/image-57.png"><h2 id="demo--xss-challenge-14">Demo – XSS Challenge 14</h2>
<p>For the following demo, we will be using the JavaScript “<code>confirm()</code>”
function.</p>
<p>The “<code>confirm()</code>” function in JavaScript is a built-in method that
displays a dialog box with a message and two buttons: “<strong>OK</strong>” and
“<code>Cancel</code>”. It is often used to prompt the user for confirmation
before performing a potentially destructive action, such as deleting
data or navigating away from a page.</p>
<p>I will go ahead and replace the “<code>alert()</code>” function with the
“<code>confirm()</code>” function and update our XSS payload accordingly.</p>
<p><strong>Confirm XSS Payload</strong></p>
<img loading="lazy" src="/xss-bypass-blacklisted-js-function-challenge-14/image-58.png"><p>Now, let&rsquo;s go ahead and input the above XSS payload in the “<strong>XSS Challenge 14</strong>” page.</p>
<figure>
<img src="CH14-XSS-Payload-Input-fs8.png" />
<figcaption>XSS Payload Input with confirm JS function</figcaption>
</figure>
<p>Immediately after clicking on the “<strong>Submit</strong>” button, a pop-up message
will be displayed, as shown below.</p>
<figure>
<img src="CH14-XSS-Payload-Result-fs8.png" />
<figcaption>XSS pop-up message</figcaption>
</figure>
<p>The above screenshot demonstrates the javascript “<code>confirm()</code>” prompt.
Which looks very similar to the “<code>alert()</code>” dialog box with the added
button “<code>Cancel</code>” as a difference.</p>
<p>This also confirms that the application is vulnerable to cross-site
scripting vulnerability.</p>
<p>To verify further, click on the “<strong>OK</strong>” button in the dialog prompt,
right-click, and select “View page source”.</p>
<p><strong><u>Viewing HTML Source</u></strong></p>
<figure>
<img src="image-61.png" />
<figcaption>XSS Payloads HTML Page Source</figcaption>
</figure>
<p>Observe the injected XSS payload is reflected in the HTML source and
executed perfectly.</p>
<p>By this, we can confirm that XSS challenge 14 is successfully solved.</p>
<hr>
<img loading="lazy" src="/xss-bypass-blacklisted-js-function-challenge-14/image-62.png"><h3 id="summary">Summary</h3>
<p>In this article, we demonstrated one of the impacts of the blacklisting
approach where the “<code>confirm()</code>” or other alternative javascript
functions can be abused by attackers in XSS attacks, as they can use it
to trick users into executing arbitrary code or disclosing sensitive
information.</p>
<p>To prevent XSS vulnerabilities in web applications, it&rsquo;s important to
validate and sanitize all user input and implement appropriate content
security policies.</p>
<hr>
<img loading="lazy" src="/xss-bypass-blacklisted-js-function-challenge-14/thank-you.png"><p>Congratulations to all our readers who completed the learning XSS with
the Kurukshetra series! I hope that you enjoyed our vulnerability series
and learned a lot in the process. If you&rsquo;d like to learn more or have
any feedback or suggestions, please don&rsquo;t hesitate to reach out. We&rsquo;d
love to hear from you!</p>
]]></content:encoded>
    </item>
    <item>
      <title>Challenge 13: XSS  in HTML Anchor Tag</title>
      <link>https://raghu.io/xss-in-html-anchor-tag/</link>
      <pubDate>Thu, 16 Mar 2023 06:52:55 +0000</pubDate>
      <guid>https://raghu.io/xss-in-html-anchor-tag/</guid>
      <description>Check out how a security risk can arise from an improperly configured dynamic link generation tag and which can result in XSS exploitation.</description>
      <content:encoded><![CDATA[<p>Welcome back! I hope by now you are familiar with what a CSP is and how
a misconfigured CSP can lead to potential security vulnerabilities like
cross-site scripting.</p>
<p>Before getting started, ensure your Kurukshetra lab is up and running.
Feel free to refer back to the below link.</p>
<p><a href="/xss-explained-learn-cross-site-scripting-with-examples/">XSS Explained - Learn Cross-Site Scripting with
Examples</a></p>
<hr>
<img loading="lazy" src="/xss-in-html-anchor-tag/image-35.png"><h2 id="xss-challenge-walkthrough">XSS Challenge Walkthrough</h2>
<p>Once your Kurukshetra XSS lab environment is up and running, Visit
<a href="http://localhost:8066/"><a href="http://localhost:8066">http://localhost:8066</a></a> and navigate to &ldquo;<a href="http://localhost:8066/ch13.php">XSS
Challenge 13</a>&rdquo;.</p>
<figure>
<img src="Kurukshetra-XSS-Challenge-13-Page-fs8.png" />
<figcaption>XSS Challenge Page 13</figcaption>
</figure>
<p>An input field labeled “<strong>create a link?</strong>” is displayed.</p>
<figure>
<img src="CH13-User-Input-fs8-1.png" />
<figcaption>Input URL</figcaption>
</figure>
<ol>
<li>
<p>In the above input field, give a URL (say
“<a href="http://localhost:8066/ch13.php">http://localhost:8066/ch13.php</a>“) to which you want the
application to create a link for us.</p>
</li>
<li>
<p>Click on the “<strong>Submit</strong>” button.</p>
</li>
</ol>
<figure>
<img src="CH13-Input-Display-Back-fs8-1.png" />
<figcaption>Input Reflected Back</figcaption>
</figure>
<p><br>
Observe the application generated an HTML link for the given URL
displayed above.</p>
<p>From the above application, we can understand that with any given input
text, the application generates a clickable HTML link.</p>
<p>Feel free to try out all the XSS techniques learned so far. You should
be able to solve this challenge right away. 😃</p>
<img loading="lazy" src="/xss-in-html-anchor-tag/image-39.png"><h3 id="xss-in-anchor-tag">XSS in Anchor Tag</h3>
<p>Going ahead, we will cover how the HTML anchor tag can be used to craft
a customized XSS payload.</p>
<p>From the above HTML link generated, right-click and select “<strong>View page source</strong>“, then search for the appended text in the HTML response.</p>
<img loading="lazy" src="/xss-in-html-anchor-tag/image-40.png"><p>From the above screenshot, we can see the given input text is placed
between the “<code>href</code>” in an anchor tag, and the same text is placed
again as the name of the anchor tag.</p>
<p><strong><u>Output:</u></strong></p>
<figure>
<img src="CH13-Input-Display-Back-fs8-2.png" />
<figcaption>Reflected Link</figcaption>
</figure>
<p>I will go ahead and create a crafted XSS payload which is generally
attackers used to trick victims into a trap.</p>
<h3 id="xss-anchor-payload">XSS Anchor Payload</h3>
<img loading="lazy" src="/xss-in-html-anchor-tag/image-42.png"><p>Breaking down the above XSS payload in detail:</p>
<ol>
<li>Leaving the “<code>href</code>” tag empty without a link and closing it with
another pair of double quotes to ensure HTML syntax is maintained.</li>
<li>The “<code>onclick</code>” is an HTML5 attribute used within HTML tags that
specifies a JavaScript function to be executed when the user clicks
on the element. In this case, the function being executed is
“<code>alert(‘xss')</code>“, which displays the alert dialog with the message
“<code>xss</code>“.</li>
<li>&ldquo;<strong>Click for XSS POC&rdquo;</strong> a text message will be displayed for the
anchor tag.</li>
<li>Closing the HTML anchor tag with “<code>&lt;/a&gt;</code>“.</li>
<li>The start of the HTML comment with “<code>&lt;!–</code>” then comments out all
the code after this is parsed as text with no special meaning.</li>
</ol>
<p>Overall the above XSS payload creates a clickable element that, when
clicked, will execute a JavaScript alert dialog with the message
“<code>xss</code>“.</p>
<img loading="lazy" src="/xss-in-html-anchor-tag/image-43.png"><h3 id="xss-demo">XSS Demo</h3>
<p>Go ahead and give it a try with the above-crafted XSS payload.</p>
<figure>
<img src="CH13-XSS-Payload-fs8.png" />
<figcaption>XSS Payload Input</figcaption>
</figure>
<p>In the above screenshot, key in the XSS payload and click on the
&ldquo;<strong>Submit&rdquo;</strong> button.</p>
<figure>
<img src="CH13-XSS-Payload-Link-Reflect-fs8.png" />
<figcaption>XSS Payload Link Reflected Back on Page</figcaption>
</figure>
<p>From the given payload, the application generates an HTML link and
displays it, as shown above. Now click on the “<strong>Click for XSS POC</strong>“.</p>
<figure>
<img src="CH13-XSS-Payload-Link-Alert-fs8.png" />
<figcaption>XSS Alert Message</figcaption>
</figure>
<p>Immediately, a pop-up box is loaded, and a message named “xss” is
displayed. Thus, we have solved XSS challenge 13.</p>
<blockquote>
<p><strong>Note:</strong>
One of the many techniques is covered here. The XSS payload can be
crated in multiple other ways as well.</p>
</blockquote>
<p>Lastly, right-click and select “View page source” to understand how it&rsquo;s
reflected back in the HTML response.</p>
<img loading="lazy" src="/xss-in-html-anchor-tag/image-47.png"><p><br>
From the source code, the XSS payload is appended inside the anchor tag,
and all the HTML code is commented out after the anchor tag.</p>
<p>As mentioned above, the XSS payload allows the attacker to execute
arbitrary JavaScript code on the victim&rsquo;s browser when the element is
clicked. This can result in the theft of sensitive information, such as
session cookies or user credentials, or the takeover of the victim&rsquo;s
account.</p>
<p>By this, we have successfully solved the XSS challenge 13.</p>
<hr>
<img loading="lazy" src="/xss-in-html-anchor-tag/image-48.png"><h2 id="summary"><strong>Summary</strong></h2>
<p>The following article demonstrates how the customized XSS payload allows
an attacker to execute arbitrary JavaScript code.</p>
<p>The code also includes an HTML comment &ldquo;<code>&lt;!--</code>&rdquo;, an attempt to prevent
the malicious code from being easily detected. This technique is known
as “comment hiding”, and attackers often use it to obfuscate their
payloads and evade detection.</p>
<p>To prevent XSS attacks, input validation and output encoding should be
applied, and a Content Security Policy can also be used to mitigate the
risk of the above XSS vulnerability.</p>
]]></content:encoded>
    </item>
    <item>
      <title>Challenge 12: XSS CSP bypass through remote payload</title>
      <link>https://raghu.io/xss-csp-bypass-remote-payload-challenge-12/</link>
      <pubDate>Sat, 11 Mar 2023 06:30:06 +0000</pubDate>
      <guid>https://raghu.io/xss-csp-bypass-remote-payload-challenge-12/</guid>
      <description>Learn how to bypass a misconfigured CSP policy and how it can lead to the successful exploitation of cross-site scripting vulnerability.</description>
      <content:encoded><![CDATA[<p>Welcome back! In an earlier post, we covered how a misconfigured CSP
policy can be bypassed and can lead to XSS vulnerability.</p>
<p>Before getting started, ensure your Kurukshetra lab is up and running.
Feel free to refer back to the below link.</p>
<p><a href="/xss-explained-learn-cross-site-scripting-with-examples/">XSS Explained - Learn Cross-Site Scripting with
Examples</a></p>
<hr>
<img loading="lazy" src="/xss-csp-bypass-remote-payload-challenge-12/image-17.png"><h2 id="xss-challenge-walk-through"><strong>‌XSS Challenge Walk-Through</strong></h2>
<p>Once your Kurukshetra XSS lab environment is up and running, Visit
<a href="http://localhost:8066/"><a href="http://localhost:8066">http://localhost:8066</a></a> and navigate to “<a href="http://localhost:8066/ch12.php">XSS
Challenge 12</a>“.</p>
<figure>
<img src="XSS-Challenge-Page-12-fs8.png" />
<figcaption>XSS Challenge Page 12 with payload</figcaption>
</figure>
<ol>
<li>Click on <a href="http://localhost:8066/ch12.php">“XSS Challenge 12</a>” on the
left side menu.</li>
<li>Input the XSS CSP bypass payload which was used in the previous
demonstration and will observe how the application behaves.</li>
</ol>
<img loading="lazy" src="/xss-csp-bypass-remote-payload-challenge-12/image-19.png"><ol>
<li>Click on the “<strong>Submit</strong>” button.</li>
</ol>
<p><strong><u>Application Output:</u></strong></p>
<figure>
<img src="CH12-Payload-Result-fs8.png" />
<figcaption>XSS Payload Result</figcaption>
</figure>
<ol>
<li>
<p>The application loads normally and displays a text message, &ldquo;<strong>Your
XSS Payload</strong>&rdquo;, without any pop-ups.</p>
</li>
<li>
<p>Right-click and select “<strong>View page source</strong>“, then search for the
injected XSS payload. The HTML response code will be displayed
below.</p>
</li>
</ol>
<img loading="lazy" src="/xss-csp-bypass-remote-payload-challenge-12/image-21.png"><ol>
<li>
<p>At the bottom of the HTML response, the XSS payload was injected as
provided and also aligned rightly with the HTML syntax. But the
javascript code wasn&rsquo;t executed.</p>
</li>
<li>
<p>You might have guessed right! The application&rsquo;s <a href="https://content-security-policy.com/">Content Security
Policy</a> might be blocking our
payload. Let&rsquo;s go ahead and review the current CSP policy set.</p>
</li>
</ol>
<img loading="lazy" src="/xss-csp-bypass-remote-payload-challenge-12/image-22.png"><h3 id="analyzing-the-csp-policy"><strong>Analyzing the CSP policy</strong></h3>
<p>On the following XSS challenge page, Press the “<strong>F12</strong>” button on your
keyboard and a new browser debugger window will be launched.</p>
<p>In browser debugger mode navigate to “<strong>Console</strong>” and observe the CSP
violation messages will be displayed as shown below.</p>
<figure>
<img src="CH12-CSP-Policy-Errors-fs8.png" />
<figcaption>CSP Policy Errors</figcaption>
</figure>
<p>As expected, the browser blocks script code due to CSP violations and
prevents execution.</p>
<p>Will try to understand the application CSP policies, In debugger mode
switch to “<strong>Network</strong>” and reload the challenge page.</p>
<figure>
<img src="CH12-CSP-Policy-View.png" />
<figcaption>Content-Security-Policy View</figcaption>
</figure>
<p>Select the “<strong>ch12.php</strong>” page and scroll to the “<strong>Response Headers</strong>”
section. Observe, the <strong>Content-Security-Policy</strong> header which was set
by the application server.</p>
<img loading="lazy" src="/xss-csp-bypass-remote-payload-challenge-12/image-25.png"><h3 id="understanding-the-csp-policy-implemented"><strong>Understanding the CSP Policy Implemented</strong></h3>
<img loading="lazy" src="/xss-csp-bypass-remote-payload-challenge-12/image-26.png"><p>Breaking down the CSP rules:</p>
<ol>
<li>“<code>script-src</code>“: This directive restricts the sources from which
scripts can be loaded. In our case, it allows scripts to be loaded
only from the <strong>same origin</strong> as the page (i.e. “<code>self</code>“),</li>
<li>Secondly, the scripts can be loaded from <strong><a href="https://facebook.com">https://facebook.com</a></strong>,
<strong><a href="https://google.com">https://google.com</a></strong>, any HTTPS sources (“<code>https</code>“), the
“<code>data</code>” scheme, and any source (<code>*</code>).</li>
<li><strong>child-src</strong>: This directive restricts the nested frame contents
from loading.</li>
<li><strong>report-uri</strong>: This directive specifies a URL to which policy
violation reports should be sent.</li>
</ol>
<p>Overall, CSP policy allows scripts to be loaded only from trusted
sources, including the same origin as the page and specific external
sources like Facebook, Google, and other HTTPS domains.</p>
<img loading="lazy" src="/xss-csp-bypass-remote-payload-challenge-12/image-27.png"><h3 id="why-is-data-directive-based-xss-not-working">Why is &ldquo;data:&rdquo; directive-based XSS not working?</h3>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-HTTP" data-lang="HTTP"><span class="line"><span class="cl"><span class="err">Content-Security-Policy: script-src &#39;self&#39; https://facebook.com https://google.com https: data *; child-src &#39;none&#39;; report-uri /Report-parsing-url;
</span></span></span></code></pre></div><p>This is because the CSP policy explicitly disallows scripts to be loaded
from the “<code>data:</code>” scheme, except for the page&rsquo;s own origin (i.e.,
‘<code>self</code>‘ same domain).</p>
<p>In the <strong>script-src</strong> directive, the &ldquo;<strong>data</strong>&rdquo; scheme is listed as a
source along with the wildcard <code>*</code>. However, the wildcard “<code>*</code>”
here does not override the previous &lsquo;<strong>self&rsquo;</strong> directive, meaning that
scripts can only be loaded from the page&rsquo;s own origin via the
“<code>data:</code>” scheme but not from the user-injected external scripts.</p>
<p>Therefore, the “<code>data:</code>” scheme tries to load an external script,
which was blocked by the CSP policy, and the “<code>alert(‘XSS')</code>” payload
doesn&rsquo;t execute.</p>
<p>Is it possible to bypass the limitations set?</p>
<img loading="lazy" src="/xss-csp-bypass-remote-payload-challenge-12/image-28.png"><p>Well, the more you get familiar with the technologies, the more options
you will be able to find.</p>
<p>Closely observe there is another directive named “<code>https:</code>” in
<strong>script-src</strong>. It is configured in such a way that scripts can be
loaded from any of the HTTPS sources.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-HTTP" data-lang="HTTP"><span class="line"><span class="cl"><span class="err">Content-Security-Policy: script-src &#39;self&#39; https://facebook.com https://google.com https: data *; child-src &#39;none&#39;; report-uri /Report-parsing-url;
</span></span></span></code></pre></div><p>Yes, one option is setting up your own HTTPS site and pushing an XSS
javascript file onto the server and using it for testing purposes.</p>
<p>It&rsquo;s a long process, but I will be using the publicly available one for
the proof of concept.</p>
<p>Security researchers from <a href="https://github.com/cure53/H5SC">Cure53</a> have
provided the needed resources that can be directly used for security
assessment. The reference link can be found below:</p>
<p><a href="https://github.com/cure53/H5SC">https://github.com/cure53/H5SC</a></p>
<hr>
<img loading="lazy" src="/xss-csp-bypass-remote-payload-challenge-12/image-29.png"><h2 id="demo--csp-bypass">Demo – CSP Bypass</h2>
<p>Let&rsquo;s use the remote “<code>https</code>” javascript payload taken from the H5SC
report, the payload URL is given below.</p>
<p><a href="https://html5sec.org/test.js">https://html5sec.org/test.js</a></p>
<p>Javascript source code in the “<code>test.js</code>” file contains only the
alert() function as given below. If worked, will display a pop-up
message “<code>1</code>“.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-JavaScript" data-lang="JavaScript"><span class="line"><span class="cl"><span class="nx">alert</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
</span></span></code></pre></div><p>Will append the above URL to the script code so we can key it into the
input field.</p>
<img loading="lazy" src="/xss-csp-bypass-remote-payload-challenge-12/image-30.png"><p>Visit the <a href="http://localhost:8066/ch12.php">XSS Challenge 12</a>, paste the
above payload in the input form field, and click on the &ldquo;Submit&rdquo; button.</p>
<figure>
<img src="CH12-XSS-Payload-Input-fs8.png" />
<figcaption>XSS Payload Input</figcaption>
</figure>
<p>Immediately observe a pop-up box will be loaded with the message
displaying &ldquo;<strong>1&rdquo;</strong>. By this we can confirm we have successfully
exploited the misconfigured CSP.</p>
<figure>
<img src="CH12-XSS-Payload-Alert-fs8-1.png" />
<figcaption>XSS Payload Alert Message</figcaption>
</figure>
<p>In all XSS payloads, we used “<code>alert(‘XSS')</code>“, an <strong>alert()</strong> function
to display text message ‘<code>xss</code>‘ so far, in the above case, the same
alert function was used to display the numeric digit in a pop-up window.</p>
<p>Click “<strong>OK</strong>“, then Right-click and select “<strong>View page source</strong>” to
verify the injected payload.</p>
<img loading="lazy" src="/xss-csp-bypass-remote-payload-challenge-12/image-33.png"><p>Post review can confirm that the XSS payload reflected as given and
executed successfully.</p>
<p>By this, I can say that XSS Challenge 12 has been successfully solved.
<strong>Yayy!!! 🎉.</strong></p>
<p>Use of the “<code>https</code>” sources from any domain can be problematic from a
security perspective, as it allows arbitrary javascript code to be
loaded from any external source and executed directly on the page, which
is generally abused by attackers to perform cross-site scripting (XSS)
attacks.</p>
<hr>
<img loading="lazy" src="/xss-csp-bypass-remote-payload-challenge-12/image-34.png"><h3 id="heading">\</h3>
<p>Summary</p>
<p>A Content Security Policy (CSP) can prevent cross-site scripting (XSS)
attacks by limiting the sources from which scripts can be loaded.</p>
<p>However, if a CSP policy is misconfigured, it can potentially allow XSS
attacks to occur. In the above case, allowing the javascript code to
load from any remote &ldquo;<strong>https&rdquo;</strong> resources can enable attackers to
inject malicious scripts directly into a web page, potentially leading
to XSS attacks.</p>
<p>Therefore, a well-configured CSP policy can block all XSS attacks, and
it is important to ensure that CSP policies are correctly configured and
free from insecure directives.</p>
]]></content:encoded>
    </item>
    <item>
      <title>Challenge 11: XSS CSP bypass through an inline script</title>
      <link>https://raghu.io/xss-csp-bypass-through-inline-script-challenge-11/</link>
      <pubDate>Sat, 04 Mar 2023 06:30:48 +0000</pubDate>
      <guid>https://raghu.io/xss-csp-bypass-through-inline-script-challenge-11/</guid>
      <description>Learn how a misconfigured CSP can be bypassed, potentially leading to the successful exploitation of cross-site scripting vulnerability.</description>
      <content:encoded><![CDATA[<p>Welcome to learning XSS with the Kurukshetra Series.</p>
<p>Before getting started, ensure your Kurukshetra lab is up and running.
Feel free to refer back to the below link.</p>
<p><a href="/xss-explained-learn-cross-site-scripting-with-examples/">XSS Explained - Learn Cross-Site Scripting with
Examples</a></p>
<hr>
<img loading="lazy" src="/xss-csp-bypass-through-inline-script-challenge-11/image.png"><h2 id="xss-challenge-walk-through">‌XSS Challenge Walk-Through</h2>
<p>Once your Kurukshetra XSS lab environment is up and running, Visit
<a href="http://localhost:8066/"><a href="http://localhost:8066">http://localhost:8066</a></a> and navigate to “<a href="http://localhost:8066/ch11.php">XSS
Challenge 11</a>“.</p>
<figure>
<img src="Kurukshetra-XSS-Challenge-11-Page-fs8.png" />
<figcaption>XSS Challenge 11 page with payload</figcaption>
</figure>
<ol>
<li>Click and select the <a href="http://localhost:8066/ch11.php">XSS Challenge
11</a> from the Kurukshetra app.</li>
<li>Fill out our classic XSS payload in the given input field.</li>
<li>Click on the “<strong>Submit</strong>” button.</li>
</ol>
<p><strong>Output:</strong></p>
<figure>
<img src="CH11-XSS-Payload-Output-fs8.png" />
<figcaption>XSS Payload Output</figcaption>
</figure>
<ol>
<li>
<p>The application loads the page as usual and displays a text message,
&ldquo;<strong>Your XSS Payload&rdquo;</strong> without any pop-ups.</p>
</li>
<li>
<p>Right-click and select “<strong>View page source</strong>“, then search for the
injected XSS payload. The HTML response code will be displayed
below.</p>
</li>
</ol>
<figure>
<img src="CH11-XSS-Payload-HTML-Source-fs8.png" />
<figcaption>XSS Payload Result's HTML Page Source</figcaption>
</figure>
<ol>
<li>At the bottom of the HTML response, the payload was injected as
provided and also aligned rightly with the HTML syntax. But our
javascript didn&rsquo;t execute.</li>
</ol>
<p>What might be happening in the background?</p>
<img loading="lazy" src="/xss-csp-bypass-through-inline-script-challenge-11/image-4.png"><p>In the above screenshot, if the HTML output encoding is used, then the
output must be displayed as “<code>&amp;lt;</code>” or “<code>&amp;gt;</code>” etc. Doesn&rsquo;t look
so. Also, if slash-escape is being used, then the prefix slashes must be
displayed. Even that is not present.</p>
<p>Seems like our XSS payload is injected rightly but unable to execute. A
possible guess is there is some sort of other XSS defense in place.</p>
<p>The web application might have enabled the <a href="https://content-security-policy.com/">Content Security
Policy</a> or other XSS protection
headers. Let&rsquo;s verify and understand what&rsquo;s happening in the background.</p>
<img loading="lazy" src="/xss-csp-bypass-through-inline-script-challenge-11/image-5.png"><p>On the following XSS challenge page, Press the “<strong>F12</strong>” button on your
keyboard and a new browser debugger window will be launched.</p>
<p>In browser debugger mode navigate to “<strong>Console</strong>” and observe the CSP
violation messages will be displayed as shown below.</p>
<figure>
<img src="CH11-CSP-Errors-fs8.png" />
<figcaption>Observe Content-Security-Policy Errors</figcaption>
</figure>
<p>Web Browser clearly indicates some script code tried to execute but it&rsquo;s
not compliant with the CSP policy set. Therefore it was blocked by the
browser from executing.</p>
<p>In debugger mode, switch to &ldquo;<strong>Network</strong>&rdquo; and reload the challenge page.</p>
<figure>
<img src="CH11-CSP-Policy-View-fs8.png" />
<figcaption>Viewing Content-Security-Policy</figcaption>
</figure>
<p>Select the &ldquo;<strong>ch11.php</strong>&rdquo; page and observe on the right side in
&ldquo;<strong>Response Headers</strong>&rdquo; the <strong>Content-Security-Policy</strong> header, which was
set by the web application.</p>
<img loading="lazy" src="/xss-csp-bypass-through-inline-script-challenge-11/image-8.png"><h3 id="understanding-the-csp-implementation">Understanding the CSP implementation</h3>
<img loading="lazy" src="/xss-csp-bypass-through-inline-script-challenge-11/image-9.png"><p>Breaking down the CSP policy defined by the web application</p>
<ol>
<li><strong>script-src</strong>: specifies the sources from which scripts can be
loaded.</li>
</ol>
<ul>
<li><strong><a href="https://facebook.com">https://facebook.com</a></strong>: allows scripts to be loaded from the
domain facebook.com.</li>
<li><strong><a href="https://google.com">https://google.com</a></strong>: allows scripts to be loaded from the domain
google.com.</li>
<li><strong>unsafe-eval</strong>: This allows the <strong>eval()</strong> javascript function and
the Function() constructor to execute dynamically created script code.</li>
<li><strong>&ldquo;data:</strong>&rdquo;: allows the execution of inline scripts (one which is
directly embedded in the HTML) with data URIs.</li>
<li>&ldquo;<code>http://*</code>&rdquo;: Wildcard &ldquo;<code>*</code>&rdquo; means allows scripts to be loaded
from any HTTP sources (poses a security risk).</li>
</ul>
<p><strong>2. child-src</strong>: specifies the sources from which nested browsing
contexts (such as iframes or embedded objects) can be loaded. In this
case, &rsquo;none&rsquo; specifies that no sources are allowed.</p>
<p><strong>3. report-uri</strong>: specifies the URL where a browser should send
violation reports if the policy is breached.</p>
<p>Overall, this CSP allows scripts to be loaded from trusted domains
(facebook.com and google.com), as well as inline scripts and HTTP
sources (which are generally not recommended due to security risks). It
also allows the use of <code>eval()</code> and <code>Function()</code>, which can be used to
exploit XSS attacks. Additionally, it prohibits the loading of nested
browsing contexts and specifies a URL to which violation reports should
be sent.</p>
<img loading="lazy" src="/xss-csp-bypass-through-inline-script-challenge-11/image-10.png"><p>The above CSP policy clearly has some limitations and is not foolproof.
That said, &ldquo;<strong>data:</strong>&rdquo; provided an entryway for us to try creating XSS
inline scripts or load the XSS script code from any of the HTTP domains,
tricking the application by loading from Google, etc.</p>
<img loading="lazy" src="/xss-csp-bypass-through-inline-script-challenge-11/image-11.png"><h2 id="exploiting-xss-using-inline-scripts">Exploiting XSS using Inline scripts</h2>
<p>(i.e., using data directive)</p>
<p>Let&rsquo;s go ahead and find a way to bypass the misconfigured CSP defenses.
For the following demonstrations, we will be using the script-src&rsquo;s
&ldquo;<strong>data:</strong>&rdquo; attribute to craft an XSS payload.</p>
<p>From the documentation script source &ldquo;<strong>data:</strong>&rdquo; can be used for
inserting inline scripts directly into HTML documents.</p>
<p>The &ldquo;<strong>data:</strong>&rdquo; URI scheme allows data to be embedded directly in a URL
or document, using a specific syntax that includes the &ldquo;data:&rdquo; prefix
followed by the MIME type of the data, and the data itself.</p>
<p>Below is an XSS inline script using the &ldquo;data:&rdquo; URI scheme, which can be
included directly, with the MIME type set to &ldquo;text/javascript&rdquo; and an
&ldquo;alert(&lsquo;xss&rsquo;)&rdquo; data.</p>
<figure>
<img src="image-12.png" />
<figcaption>POC for XSS inline script</figcaption>
</figure>
<p>Above code will pop up with an &ldquo;XSS&rdquo; message when the javascript code is
loaded and executed directly on the page.</p>
<p>Visit the &ldquo;<a href="http://localhost:8066/ch11.php">XSS challenge 11</a>&rdquo; page.</p>
<figure>
<img src="CH11-CSP-XSS-Payload-fs8.png" />
<figcaption>CSP-based XSS Payload Input</figcaption>
</figure>
<p>Enter the XSS inline script code in the input field and click on the
&ldquo;<strong>Submit</strong>&rdquo; button.</p>
<p><strong><u>Output:</u></strong></p>
<figure>
<img src="CH11-XSS-Result-fs8.png" />
<figcaption>XSS Alert Message</figcaption>
</figure>
<p>Immediately, we can see a pop-up message displayed on the web page. By
this, we can confirm that we have successfully exploited the XSS
vulnerability. :D</p>
<p>To further confirm, click on the &ldquo;<strong>OK</strong>&rdquo; message, then right-click and
select &ldquo;<strong>View page source</strong>&rdquo;. Search for the injected XSS inline script
code.</p>
<p><strong>HTML Page Source:</strong></p>
<figure>
<img src="image-15.png" />
<figcaption>XSS Payload HTML Page Source</figcaption>
</figure>
<p>Observe this time, our injected script code is reflected back as given
without any output being filtered.</p>
<p>The execution script code confirms we have successfully solved the <a href="http://localhost:8066/ch11.php">XSS
challenge 11</a>. <strong>Yayy!!!.</strong></p>
<p>Use of the &ldquo;<strong>data:</strong>&rdquo; URI scheme for inline scripts can be problematic
from a security perspective, as it allows arbitrary code to be executed
directly on the page, which is generally abused by attackers to perform
cross-site scripting (XSS) attacks.</p>
<hr>
<img loading="lazy" src="/xss-csp-bypass-through-inline-script-challenge-11/image-16.png"><h3 id="summary">Summary</h3>
<p>A Content Security Policy (CSP) policy restricts the types of content
that can be loaded by a web page. When implemented correctly, a CSP can
prevent cross-site scripting (XSS) attacks by limiting the sources from
which scripts can be loaded.</p>
<p>However, if a CSP policy is misconfigured or contains errors, it can
potentially allow XSS attacks to occur. For example, if a policy
includes insecure sources, such as &ldquo;unsafe-inline&rdquo; or &ldquo;data:&rdquo;, it can
enable attackers to inject malicious scripts directly into a web page,
potentially leading to XSS attacks.</p>
<p>Therefore, a well-configured CSP policy can block all XSS attacks, and
it is important to ensure that CSP policies are correctly configured and
free from insecure directives.</p>
]]></content:encoded>
    </item>
    <item>
      <title>Challenge 10: XSS bypass backslash escape</title>
      <link>https://raghu.io/xss-bypass-backslash-escape-challenge-10/</link>
      <pubDate>Tue, 28 Feb 2023 06:30:15 +0000</pubDate>
      <guid>https://raghu.io/xss-bypass-backslash-escape-challenge-10/</guid>
      <description>Check out how the XSS can be exploited in the HTML &amp;lt;div&amp;gt; tags and learn more about &amp;lt;img&amp;gt; tag-based XSS payload.</description>
      <content:encoded><![CDATA[<p>Today&rsquo;s article should be somewhat similar and like a recap. Will look
at how the XSS can be exploited in the HTML <strong>&lt;div&gt;</strong> tags and explore
<strong>&lt;img&gt;</strong> tag-based XSS payload</p>
<p>Before getting started, ensure your Kurukshetra lab is up and running.
Feel free to refer back to the below link.</p>
<p><a href="/xss-explained-learn-cross-site-scripting-with-examples/">XSS Explained - Learn Cross-Site Scripting with
Examples</a></p>
<hr>
<img loading="lazy" src="/xss-bypass-backslash-escape-challenge-10/image-56.png"><h2 id="xss-challenge">‌XSS Challenge</h2>
<p>You reached &ldquo;<a href="http://localhost:8066/ch10.php"><strong>XSS Challenge 10</strong></a>&rdquo;.
Great to see your consistent progress. In the past article, we covered
how the XSS vulnerability does not always need to be exploited using the
same parameter. XSS can also be looked at in other parameters, which
might depend on the param, or it can also be an appending parameter.</p>
<p>Let&rsquo;s get started with XSS Challenge 10. Visit:
<a href="http://localhost:8066/"><a href="http://localhost:8066">http://localhost:8066</a></a> and ensure it&rsquo;s
accessible, then navigate to “<a href="http://localhost:8066/ch10.php">XSS Challenge
10</a>“.</p>
<figure>
<img src="Kurukshetra-XSS-Challenge-Page-10-fs8.png" />
<figcaption>Kurukshetra XSS Challenge Page 10</figcaption>
</figure>
<ol>
<li>Click and select the <a href="https://localhost:8806/ch10.php">XSS Challenge
10</a> from the Kurukshetra app.</li>
<li>Will fill out some random string saying “ABC” in the input field
provided.</li>
<li>Click on the “<strong>Submit</strong>” button.</li>
</ol>
<p><strong><u>Output:</u></strong></p>
<figure>
<img src="CH10-Input-Trail-1-fs8.png" />
<figcaption>Reflection of user input</figcaption>
</figure>
<p>Feel free to experiment with your XSS ideas before going ahead with the
next steps.</p>
<p>Hope you have partially or successfully exploited it.</p>
<hr>
<h3 id="viewing-the-page-source"><strong>Viewing the Page Source</strong></h3>
<p>In the above screenshot, I have keyed the text &ldquo;<strong>ABC&rdquo;</strong> in the input
field. Let&rsquo;s verify how the text is being reflected back in the HTTP
response code.</p>
<p>To do that, &ldquo;Right-click&rdquo; and select “<strong>View Page Source</strong>”, then search
for the inserted string “<strong>ABC</strong>”.</p>
<img loading="lazy" src="/xss-bypass-backslash-escape-challenge-10/image-81.png"><p>Injected text is being reflected back at the bottom of the page, and
this time, it&rsquo;s inserted between the HTML <strong>div</strong> tags with double
quotes appended.</p>
<p>Remember from the previous lessons, we can keep trying out the different
XSS payloads, but at the same time need to gather the list of allowed
characters as well which can help in crafting an XSS payload.</p>
<p>Going ahead, will be trying out all the payloads and narrow down to the
allowed characters.</p>
<p><strong>Payload 1 – Simple XSS</strong></p>
<img loading="lazy" src="/xss-bypass-backslash-escape-challenge-10/image-82.png"><p><strong><u>Browser Output:</u></strong></p>
<figure>
<img src="CH10-XSS-Payload-Result-fs8.png" />
<figcaption>Only a combination of single quotes is
displayed</figcaption>
</figure>
<p><strong><u>Page Source – Output:</u></strong></p>
<figure>
<img src="CH10-Broken-Syntax-fs8.png" />
<figcaption>Broken HTML Syntax</figcaption>
</figure>
<p>Closely observing the closing <code>&lt;/script&gt;</code>, a “<code>\</code>” backslash
is appended and turned the closing script to <code>&lt;\/script&gt;</code>. This breaks
the HTML syntax, as it&rsquo;s expecting the closing script tag.</p>
<h3 id="about-slash-escape">About Slash-Escape</h3>
<p>The backslash escape is a technique used to prevent special characters
from being interpreted as code in web applications. Currently, this
application is using the same to block XSS attacks.</p>
<p>The above technique is good when used in combination with multiple XSS
prevention techniques. (i.e., Defense in Depth).</p>
<p>Also, note that in the above case, the backslash “<code>\</code>” is only
being appended to the slash in the closing script tag, not for any other
special characters, which is an indication of poor XSS mitigation.</p>
<hr>
<img loading="lazy" src="/xss-bypass-backslash-escape-challenge-10/image-85.png"><blockquote>
<p><strong>TIP – 10 Try HTML tags that work without closing tags</strong></p>
<p>Yes, as mentioned in the heading. Not all HTML tags need to have a
compulsory closing tag, and there are some HTML tags that work even if
the closing tag is not provided. (say &lt;IMG&gt;, &lt;SVG&gt; etc.)</p>
</blockquote>
<hr>
<p>This time for a change will go ahead and try the HTML image tag payload
than using the same routine one.</p>
<h2 id="xss-payload--html-image-tag"><strong>XSS Payload – HTML Image Tag</strong></h2>
<figure>
<img src="XSS-Payload-Code-fs8.png" />
<figcaption>Image Tag based XSS Payload</figcaption>
</figure>
<p>Breaking down the above payload into detailed steps.</p>
<ul>
<li>“<code>&lt;img&gt;</code>” is an HTML tag used for embedding images on a web page.</li>
<li>“<code>src</code>” is an attribute of the HTML “<code>&lt;img&gt;</code>” tag that specifies
the URL of the image file from where it needs to be loaded.</li>
<li>“<code>x</code>” is a random value assigned to the “<code>src</code>” attribute
forcibly. As there is no image file named “<code>x</code>“, the browser will
fail to display/load the image.</li>
<li>“<code>onerror</code>” is another attribute of the “<code>&lt;img&gt;</code>” tag that is
called if an error occurs while loading the image.</li>
<li>“<code>alert(‘XSS')</code>” is a JavaScript function that displays an alert
dialog box with the message “XSS”.</li>
</ul>
<p>Putting it all together, when the web page containing this XSS payload
is loaded in the browser, the browser will try to load the image file
“x”. As the image file cannot be loaded due to non-existent, the onerror
attribute is triggered and the JavaScript code <strong>alert(‘XSS&rsquo;)</strong> is
executed, which displays a pop-up message “XSS”.</p>
<hr>
<figure>
<img src="image-86.png" />
<figcaption>Demo</figcaption>
</figure>
<p><strong>Demo – HTML Image Tag XSS Payload</strong>
I will go ahead and insert the “&lt;img&gt;” tag-based payload and verify
how the application behaves.</p>
<figure>
<img src="CH10-XSS-Payload-Input-fs8.png" />
<figcaption>XSS Payload Input</figcaption>
</figure>
<p><strong><u>Output:</u></strong></p>
<figure>
<img src="CH10-XSS-Alert-Message-fs8.png" />
<figcaption>XSS Alert Message</figcaption>
</figure>
<p><strong>Wow!! 🎉</strong> an XSS pop-up message. This confirms that our payload
worked.</p>
<p>Lastly, let us go ahead and further verify by viewing the page source.
Click “OK”,</p>
<p>Right-click on the page and select “<strong>View Page Source</strong>“. Then, search
for the injected string.</p>
<p><strong>HTML Response</strong></p>
<img loading="lazy" src="/xss-bypass-backslash-escape-challenge-10/image-89.png"><p>Observe, the payload is rightly aligned between the div tag and
backslash and is no longer breaking the HTML syntax. By this, we have
successfully solved the <a href="http://localhost:8066/ch10.php">XSS challenge
10</a>.</p>
<hr>
<img loading="lazy" src="/xss-bypass-backslash-escape-challenge-10/image-90.png"><h3 id="summary">Summary</h3>
<p>The following article covered one of the poorly implemented XSS fixes of
escaping using backslash for special characters. That, too, only escapes
the closing script tag. These limitations can be bypassed using HTML
image tags and other ways. Therefore a &ldquo;Defense-in-Depth&rdquo; approach is
needed to mitigate XSS vulnerability at multiple layers.</p>
]]></content:encoded>
    </item>
    <item>
      <title>Challenge 9: XSS in the hidden input field</title>
      <link>https://raghu.io/xss-in-hidden-input-field-challenge-9/</link>
      <pubDate>Fri, 24 Feb 2023 06:42:44 +0000</pubDate>
      <guid>https://raghu.io/xss-in-hidden-input-field-challenge-9/</guid>
      <description>Check out how the XSS can also be exploited in hidden input parameter fields with examples.</description>
      <content:encoded><![CDATA[<p>Welcome Back!! 😃</p>
<p>In today&rsquo;s article, let&rsquo;s check out how the XSS can also be exploited in
hidden input parameter fields.</p>
<p>Before getting started, ensure your Kurukshetra lab is up and running.
Feel free to refer back to the below link.</p>
<p><a href="/xss-explained-learn-cross-site-scripting-with-examples/">XSS Explained - Learn Cross-Site Scripting with
Examples</a></p>
<hr>
<p>The previous article covered how the limited character set can be
leveraged to exploit the XSS vulnerability and why the single defense
mechanism might not fully mitigate XSS vulnerability.</p>
<img loading="lazy" src="/xss-in-hidden-input-field-challenge-9/image-72.png"><h2 id="practicals"><strong>Practicals</strong></h2>
<p>Visit <a href="http://localhost:8066/"><a href="http://localhost:8066">http://localhost:8066</a></a> and ensure it&rsquo;s
accessible, then navigate to “<a href="http://localhost:8066/ch09.php">XSS Challenge
9</a>“.</p>
<figure>
<img src="Kurukshetra-XSS-Challenge-9-Page-fs8.png" />
<figcaption>Kurukshetra XSS Challenge 9 Page</figcaption>
</figure>
<p>The above page looks similar to the challenges we solved earlier.</p>
<p>Take some time and give it a try with all the XSS skills acquired so far
before going any further.</p>
<p>As you guessed, I will go ahead and try out the classic XSS payload to
verify how the application responds.</p>
<p><strong><u>Payload Try 1: Classic</u></strong></p>
<img loading="lazy" src="/xss-in-hidden-input-field-challenge-9/image-74.png"><p><strong><u>Output:</u></strong></p>
<figure>
<img src="CH9-XSS-Payload-Trail-1-fs8.png" />
<figcaption>XSS Payload Trail 1</figcaption>
</figure>
<p>Input the XSS payload and click on the “<strong>Submit</strong>” button. Immediately,
the application echoes out the output as given, and there are no pop-up
messages this time.</p>
<p>This confirms that our payload didn&rsquo;t work. Right-click and select
&ldquo;<strong>View page source</strong>&rdquo; to understand how our payload is being reflected
back in the HTML response.</p>
<p><strong><u>HTML Page Source:</u></strong></p>
<figure>
<img src="CH9-XSS-Payload-Trail-1-Source-fs8.png" />
<figcaption>XSS Payload Trail 1 HTML Page Source View</figcaption>
</figure>
<p>Referring to the above screenshot, an HTML input tag named &ldquo;<strong>xss&rdquo;</strong>
accepts the value and echoes out at the bottom of the code after
encoding the special chars.</p>
<img loading="lazy" src="/xss-in-hidden-input-field-challenge-9/image-77.png"><p>You might be thinking from the previous article that we used the
built-in &ldquo;<strong>HTML attributes&rdquo;</strong> to bypass the encoding and execute the
XSS payload. The same logic can be applied here.</p>
<p>A big <strong>No.</strong> Why?</p>
<p><strong>Challenge 8 – HTML Output:</strong></p>
<figure>
<img src="xss-challenge-8-kurukshetra-fs8-1.png" />
<figcaption>XSS Challenge 8 - Page Source Output</figcaption>
</figure>
<p><strong>Challenge 9 – HTML Output:</strong></p>
<figure>
<img src="xss-challenge-9-kurukshetra-fs8.png" />
<figcaption>XSS Challenge 9 - Page Source Output</figcaption>
</figure>
<p>The major difference between XSS Challenge 8 and Challenge 9 is that in
Challenge 8, the encoded output was injected inside the HTML input tag,
while in Challenge 9, the encoded output is displayed outside of form
HTML tags.</p>
<p>As shown in the above challenge 9 screenshots, even though the HTML
attributes can be injected, as they fall outside the HTML tags, the web
browser would just consider it as text without any special flags.</p>
<p>Therefore, the XSS payload will not work here.</p>
<hr>
<img loading="lazy" src="/xss-in-hidden-input-field-challenge-9/image-78.png"><blockquote>
<p><strong>TIP – 9 Try other params or check for appending values</strong></p>
<p>Yes, the XSS need not always need to be exploited in the same param
value location, it could be checked on the other supporting param
which may use the same value for processing. Also, it can be located
in param values where input values are appended or depended on.</p>
</blockquote>
<hr>
<p><strong>Challenge 9 – HTML source Output</strong></p>
<figure>
<img src="xss-challenge-9-kurukshetra-fs8-1.png" />
<figcaption>XSS Challenge 9 - Page Source Output</figcaption>
</figure>
<p>Paying a bit more attention to our Challenge 9 HTML response, we can see
there is another HTML input tag used of type &ldquo;<strong>hidden&rdquo;</strong>.</p>
<p>In HTML, the hidden input type stores pieces of user data without
displaying it to the user on the frontend. Web browsers generally hide
it, and you can find this data by <strong>viewing page sources</strong> or by using
intercepting proxies like BurpSuite or OWASP ZAP.</p>
<img loading="lazy" src="/xss-in-hidden-input-field-challenge-9/bug.png"><p>Let&rsquo;s go ahead and try the XSS payloads in the hidden fields.</p>
<p>It can be done in multiple ways, as covered in previous articles, such
as using a browser debugger or using intercepting proxies. I will be
using the BurpSuite proxy for usability.</p>
<h2 id="execution-steps"><strong>Execution Steps</strong></h2>
<ol>
<li>Configure and Launch the Burpsuite tool.</li>
<li>Navigate to the &ldquo;<a href="http://localhost:8066/ch09.php">XSS Challenge 9</a>&rdquo;
page.</li>
<li>Enable the BurpSuite interception proxy to intercept the request
before it is sent to the server. To do that, Navigate to BurpSuite
&ldquo;<strong>Proxy&rdquo;</strong> -&gt; &ldquo;<strong>Intercept&rdquo;</strong> -&gt; Toggle the &ldquo;<strong>Intercept is
off&rdquo;</strong> button to enable &ldquo;<strong>Intercept on</strong>&rdquo;.</li>
<li>On the <a href="http://localhost:8066/ch09.php">Challenge 9</a> page, key in
the random input value(say &ldquo;<strong>Test XSS&rdquo;</strong>) and click on the
&ldquo;<strong>submit&rdquo;</strong> button.</li>
<li>The intercepted request will be displayed as shown below:</li>
</ol>
<figure>
<img src="Intercept-Request-fs8.png" />
<figcaption>Intercepted request with hidden tag being
passed</figcaption>
</figure>
<ol>
<li>
<p>Observe that in line 22, the input param and its values are being
passed in the request body section.</p>
</li>
<li>
<p>Replace the &ldquo;<strong>hidden&rdquo;</strong> param value from &ldquo;<strong>Is that it&rdquo;</strong> with
classic XSS payload.</p>
</li>
</ol>
<img loading="lazy" src="/xss-in-hidden-input-field-challenge-9/image-82.png"><p>The modified request will be displayed below.</p>
<figure>
<img src="Modified-Intercept-Request-fs8.png" />
<figcaption>Modified Intercept Request with XSS Payload</figcaption>
</figure>
<ol>
<li>
<p>Toggle off the “<strong>Intercept is on</strong>” button to disable the request
interceptions for now and forward the modified request to the
server. Then, switch back to the web browser.</p>
</li>
<li>
<p>Immediately observe an XSS pop-up message, which will be displayed
as shown below. then click on the “<strong>OK</strong>” button.</p>
</li>
</ol>
<figure>
<img src="XSS-Output-fs8.png" />
<figcaption>XSS Output</figcaption>
</figure>
<ol>
<li><strong>Wow!!</strong> It worked out, and we were able to successfully exploit
XSS challenge 9. 😄</li>
</ol>
<p>Lastly, always verify the HTML response code. Right-click and select
&ldquo;<strong>View page source</strong>&rdquo; to verify how the injected XSS payload is
appended.</p>
<figure>
<img src="XSS-Output-Verify-fs8.png" />
<figcaption>HTML Page Source Code</figcaption>
</figure>
<p>I can confirm that the injected XSS payload in the hidden parameter
value field has been passed to the server and reflected back in the
response without any encodings this time.</p>
<p>Hence, our payload was executed. ☺️</p>
<hr>
<img loading="lazy" src="/xss-in-hidden-input-field-challenge-9/report.png"><h3 id="summary"><strong>Summary</strong></h3>
<p>In this article, we&rsquo;ve seen how other parameters can be utilized to
exploit XSS – it doesn&rsquo;t always have to be done within the same param
field.</p>
]]></content:encoded>
    </item>
    <item>
      <title>Challenge 8: XSS bypass improper output encoding</title>
      <link>https://raghu.io/xss-bypass-improper-output-encoding-challenge-8/</link>
      <pubDate>Mon, 20 Feb 2023 04:45:53 +0000</pubDate>
      <guid>https://raghu.io/xss-bypass-improper-output-encoding-challenge-8/</guid>
      <description>Learn how the partially implemented HTML output encoding can be bypassed for exploiting XSS vulnerability using the HTML5 attributes</description>
      <content:encoded><![CDATA[<p>Welcome back to learning Cross-Site Scripting(XSS) with the Kurukshetra
series. An app built by <a href="https://github.com/D4rk36/Kurukshetra">d4rk36</a>.</p>
<p>Before we start, ensure the lab is up and running. If you have not set
up your lab yet. Feel free to refer back to the below link.</p>
<p><a href="/xss-explained-learn-cross-site-scripting-with-examples/">XSS Explained - Learn Cross-Site Scripting with
Examples</a></p>
<hr>
<img loading="lazy" src="/xss-bypass-improper-output-encoding-challenge-8/image-56.png"><h3 id="practicals">Practicals</h3>
<p>Hope by now you are familiar with what an XSS is and how it can be
identified. In this article, you will be learning about how to exploit
XSS when limited characters are allowed.</p>
<p>Post setting up the lab visit <a href="http://localhost:8066">http://localhost:8066</a> and ensure it&rsquo;s
accessible, then navigate to &ldquo;<a href="http://localhost:8066/ch08.php"><strong>XSS Challenge
8</strong></a>&rdquo;.</p>
<figure>
<img src="Kurukshetra-XSS-Challenge-8-Page-fs8.png" />
<figcaption>Kurukshetra XSS Challenge 8 page</figcaption>
</figure>
<p>From the above screenshot, I can see that the application is requesting
the input value in the &ldquo;Try Your XSS payload?&rdquo; field.</p>
<p>Feel free to try and experiment with different payloads.</p>
<p>Initially, I will go ahead and try out our classic XSS payload, which
has been used throughout our series.</p>
<p><strong><u>Payload Try 1: Classic</u></strong></p>
<img loading="lazy" src="/xss-bypass-improper-output-encoding-challenge-8/image-45.png"><p><strong><u>Output:</u></strong></p>
<figure>
<img src="CH8-XSS-Payload-Trail-1-fs8.png" />
<figcaption>XSS Payload Trail 1</figcaption>
</figure>
<p>After keying in the payload value and clicking on the &ldquo;<strong>Submit</strong>&rdquo;
button. Looks like nothing happened.</p>
<p>No pop-ups and no partial or filtered messages. Interesting!</p>
<p>Let&rsquo;s go ahead and view the HTML source code received from the server to
understand what is happening in the background.</p>
<p>Right-click and select &ldquo;<strong>View page source</strong>&rdquo;, then search for the
injected payload string.</p>
<figure>
<img src="image-59.png" />
<figcaption>HTTP Response</figcaption>
</figure>
<p>From the above screenshot, it could be understood that output encoding
has been applied to injected XSS payload which prevents execution of the
script tag.</p>
<p>Try out and verify all the XSS payloads which have been discussed
throughout the series. Using IMG tag XSS, SVG tag-based XSS, etc.</p>
<hr>
<img loading="lazy" src="/xss-bypass-improper-output-encoding-challenge-8/image-60.png"><blockquote>
<p><strong>Tip 8 - Use allowed characters to build XSS payload</strong></p>
<p>As the heading says, you can keep on trying out any number of HTML
tags and verify which XSS payload works. Or another better option
could be to find out the list of allowed characters with multiple
trials and errors and craft one using the allowed list of characters.</p>
</blockquote>
<hr>
<img loading="lazy" src="/xss-bypass-improper-output-encoding-challenge-8/image-61.png"><h3 id="identifying-allowed-characters">Identifying Allowed Characters</h3>
<p>Using previous XSS payload output can confirm the javascript <strong>alert()</strong>
function is allowed, next single quotes &ldquo;<strong>&rsquo;</strong>&rdquo; are allowed, &ldquo;<strong>/</strong>&rdquo;
slash is allowed, and lastly alphabets are allowed too.</p>
<p>Now need to find out, how the allowed list of characters can be used and
make the XSS payload work.</p>
<img loading="lazy" src="/xss-bypass-improper-output-encoding-challenge-8/image-62.png"><p>Remember the XSS payload used in &ldquo;<a href="/xss-using-html-attribute-challenge-4/">Challenge
4</a>&rdquo;, Using HTML5
Attribute.</p>
<img loading="lazy" src="/xss-bypass-improper-output-encoding-challenge-8/image-63.png"><p>In the above XSS payload, can see that most of the characters are
allowed, but we haven&rsquo;t verified double quotes &ldquo;&rdquo;.</p>
<p>Quickly will go ahead and verify if the double quotes are allowed in the
input field. By injecting and viewing the page source code.</p>
<p><u>Output 2:</u></p>
<img loading="lazy" src="/xss-bypass-improper-output-encoding-challenge-8/image-64.png"><p>Now, can confirm that double quotes are also allowed as injected without
any encoding or escaping. Nice!</p>
<p>Let&rsquo;s understand the XSS payload before trying it out.</p>
<figure>
<img src="image-65.png" />
<figcaption>XSS HTML Attribute Payload</figcaption>
</figure>
<p>Our motto is to rightly align the XSS payload in HTML response code and
make it executable.</p>
<p>All the injected payload characters are inserted within the HTML input
tag within the value field.</p>
<p>If the input is keyed in like <strong>onmouseover=alert(&lsquo;xss&rsquo;)</strong> without
quotes, it would be treated as text, and all the HTML attributes will
not be of much help here. For the same reason, we use the extra quotes
to properly align inside the input value field.</p>
<ol>
<li>A double quote for closing the value section</li>
<li><strong>onmouseover</strong> is one of the HTML attributes that can be used with
HTML tags. The moment the mouse hovers over the code, the given
javascript <strong>alert()</strong> function gets triggered.</li>
<li>Another double quote to make sure the remaining double quote of the
value field is aligned with HTML syntax.</li>
</ol>
<p>Enter the above-improvised payload in the input field and click on the
&ldquo;<strong>Submit</strong>&rdquo; button.</p>
<p><strong>Output 3:</strong></p>
<figure>
<img src="CH8-Page-fs8.png" />
<figcaption>XSS Challenge Page 8</figcaption>
</figure>
<p>For a moment, things seemed like nothing had happened, and the
application behaved normally as expected. As seen before.</p>
<p>Hover over your mouse onto the input field and observe, immediately a
pop-up message is prompted as shown below.</p>
<figure>
<img src="CH8-XSS-Alert-fs8.png" />
<figcaption>XSS Alert Message</figcaption>
</figure>
<p><strong>Waah!! 🎉</strong> Our XSS payload worked. Let&rsquo;s verify the HTML response
code to confirm how the XSS payload is aligned further.</p>
<p>Right-click on the &ldquo;<strong>View page source</strong>&rdquo; and search for the injected
XSS payload string.</p>
<img loading="lazy" src="/xss-bypass-improper-output-encoding-challenge-8/image-69.png"><p>The given payload got rightly aligned and only the allowed list of
characters and HTML attributes have been used to exploit it.</p>
<p>We have successfully solved the XSS challenge 8.</p>
<hr>
<img loading="lazy" src="/xss-bypass-improper-output-encoding-challenge-8/image-70.png"><h3 id="summary"><strong>Summary</strong></h3>
<p>This post demonstrates how generally output encoding is used to prevent
XSS, but that itself is not enough to prevent the XSS vulnerability. The
input HTML attributes and allowed characters can be carefully used to
craft a working payload. To prevent the XSS vulnerability a
Defense-In-Depth approach needs to be leveraged. Like performing output
encoding, sanitizing, using CSP, etc. Which would be covered later.</p>
<p>Keep learning! 😃</p>
]]></content:encoded>
    </item>
    <item>
      <title>Challenge 7: XSS in a dropdown list</title>
      <link>https://raghu.io/xss-in-dropdown-list-challenge-7/</link>
      <pubDate>Fri, 10 Feb 2023 05:40:27 +0000</pubDate>
      <guid>https://raghu.io/xss-in-dropdown-list-challenge-7/</guid>
      <description>Learn how the XSS vulnerability can be found in other params even though it is not editable by the browser using the BurpSuite Proxy tool</description>
      <content:encoded><![CDATA[<p>Welcome back to learning Cross-Site Scripting(XSS) with the Kurukshetra
series. An app built by <a href="https://github.com/D4rk36/Kurukshetra">d4rk36</a>.</p>
<p>Before we start, ensure the lab is up and running, If you have not set
up your lab yet. Feel free to refer back to the below link.</p>
<p><a href="/xss-explained-learn-cross-site-scripting-with-examples/">XSS Explained - Learn Cross-Site Scripting with
Examples</a></p>
<hr>
<img loading="lazy" src="/xss-in-dropdown-list-challenge-7/image-42.png"><h3 id="recap">Recap</h3>
<p>The previous article covered reflected cross-site scripting scenarios
where poor input validation checks can be exploited further.</p>
<p>Also, it demonstrated the impact of missing input validation checks on
the server side. Therefore the input validations must be implemented
well on both the client &amp; server sides.</p>
<hr>
<img loading="lazy" src="/xss-in-dropdown-list-challenge-7/image-43.png"><h3 id="practicals">Practicals</h3>
<p>Post setting up the lab visit <a href="http://localhost:8066">http://localhost:8066</a> and ensure it&rsquo;s
accessible, then navigate to &ldquo;<a href="http://localhost:8066/ch07.php"><strong>XSS Challenge
7</strong></a>&rdquo;.</p>
<figure>
<img src="Kurukshetra-XSS-Challenge-7-Page-fs8.png" />
<figcaption>Kurukshetra XSS Challenge 7 Page</figcaption>
</figure>
<p>Coming to XSS Challenge 7, an input field is given to key in the text
and a drop-down menu option needs to be selected before clicking on the
&ldquo;<strong>Submit</strong>&rdquo; button.</p>
<p>Will try out all the things techniques learned so far about identifying
the XSS vulnerability.</p>
<p><strong><u>Payload Try 1: Classic</u></strong></p>
<img loading="lazy" src="/xss-in-dropdown-list-challenge-7/image-45.png"><p><strong>Output:</strong></p>
<figure>
<img src="CH7-XSS-Payload-Trail-1-fs8.png" />
<figcaption>XSS Payload Trail 1</figcaption>
</figure>
<p>Using our classic payload, select the default option in the drop-down
menu &ldquo;<strong>India</strong>&rdquo;, then click on the &ldquo;<strong>Submit</strong>&rdquo; button.</p>
<p>Immediately, observe that the payload keyed in is displayed as it is.
Right-click and select &ldquo;<strong>View page source</strong>&rdquo; to understand how the
payload is being embedded in the HTML response.</p>
<img loading="lazy" src="/xss-in-dropdown-list-challenge-7/image-47.png"><p>Scrolling to the bottom of the page, I can see that our tags like
&lsquo;<strong>&lt;</strong>&rsquo;, &lsquo;<strong>&gt;</strong>&rsquo; etc.. have been replaced. This changes the meaning of
the HTML format, and the browser considers it as text and displays it
back without executing it as a script.</p>
<hr>
<img loading="lazy" src="/xss-in-dropdown-list-challenge-7/fixed.png"><ol>
<li>
<p>HTML Output Encoding</p>
<p>The above output that we are seeing is called HTML output encoding.</p>
<p>Output encoding is one of the mitigation techniques used to take
user-controlled data and safely display it without interpreting it
as code and considering it as text.</p>
<p>Below is an example XSS payload.</p>
<pre><code>&lt;script&gt;alert(document.domain);&lt;/script&gt;
</code></pre>
<p>HTML-encoded text of the XSS payload will be displayed below.</p>
<pre><code>&amp;lt;script&amp;gt;alert(document.domain);&amp;lt;/script&amp;gt;
</code></pre>
<ul>
<li>&ldquo;&lt;&rdquo; changed to &ldquo;&amp;lt;&rdquo;</li>
<li>&ldquo;&gt;&rdquo; changed to &ldquo;&amp;gt;&rdquo;</li>
</ul>
<p>As the browser parses HTML, JavaScript, CSS, and URL differently.
Each must be encoded depending on the requirements.</p>
<p>URL, HTML, JavaScript, and CSS can be encoded.</p>
<p>The input text field in the application seems to be handled
properly, but we need to find another way to exploit it.</p>
<hr>
<img loading="lazy" src="/xss-in-dropdown-list-challenge-7/image-48.png"><blockquote>
<p><strong>Tip 7 - Try exploring other param values</strong></p>
<p>XSS need not be present all the time in the input text fields, it
can be found in other parameters as well which are parsed and used
by the server.</p>
</blockquote>
<hr>
<img loading="lazy" src="/xss-in-dropdown-list-challenge-7/image-49.png"></li>
<li>
<p>Trying XSS in the &ldquo;location&rdquo; param</p>
<p>I will be using the &ldquo;<strong>BurpSuite</strong>&rdquo; proxy tool going ahead with the
demo. Please make sure your browser is preconfigured with the
BurpSuite and working as expected.</p>
<p>Visit the <a href="http://localhost:8066/ch07.php">Challenge 7</a> page.</p>
<p>Enable the BurpSuite interception proxy to intercept the request
before it is sent to the server. To do that, Navigate to BurpSuite
&ldquo;<strong>Proxy</strong>&rdquo; -&gt; &ldquo;<strong>Intercept</strong>&rdquo; -&gt; Toggle the &ldquo;<strong>Intercept is
off</strong>&rdquo; button.</p>
<figure>
<img src="Intercept-On-fs8.png" />
<figcaption>Toggle BurpSuite Intercept On</figcaption>
</figure>
<p>Fill up the input field value with &ldquo;<strong>Test XSS</strong>&rdquo; and then click on
the &ldquo;<strong>Submit</strong>&rdquo; button.</p>
<figure>
<img src="CH7-User-Input-fs8.png" />
<figcaption>Key in User Input</figcaption>
</figure>
<p>Now in the &ldquo;<strong>BurpSuite</strong>&rdquo; proxy tool, observe the request being
transmitted to the server, is intercepted, and displayed as shown
below.</p>
<figure>
<img src="BurpSuite-Intercepted-Request-fs8-1.png" />
<figcaption>BurpSuite Intercepted Request</figcaption>
</figure>
<p>Observe at the bottom of the request the &ldquo;<strong>xss</strong>&rdquo;, &ldquo;<strong>location</strong>&rdquo;
and &ldquo;<strong>submit</strong>&rdquo; params are being passed to the server.</p>
<p>Remember, in the previous article <a href="/xss-bypass-client-side-blacklist-validation-challenge-6/">Challenge
6</a>,
we sent the modified XSS payload to the server.</p>
<p>In a similar way, this time in the &ldquo;<strong>location</strong>&rdquo; param value append
our classic XSS payload, which will be displayed as shown below.</p>
<figure>
<img src="CH7-Burpsuite-Modified-Request-fs8.png" />
<figcaption>Modified Request with XSS Payload</figcaption>
</figure>
<p>Next, toggle off the &ldquo;<strong>Intercept is on</strong>&rdquo; button to disable the
request interception for now. Immediately switch back to the web
browser.</p>
<figure>
<img src="CH7-BurpSutie-Intercept-Off-fs8.png" />
<figcaption>Intercept Toggle Off</figcaption>
</figure>
<p>Immediately observe that an XSS pop-up message will be displayed, as
shown below.</p>
<figure>
<img src="CH7-XSS-Alert-fs8.png" />
<figcaption>XSS Alert Message</figcaption>
</figure>
<p><strong>YAY!! 🎉</strong> by this, we can confirm the application is still
vulnerable to the cross-site scripting vulnerability.</p>
<p>Click the &ldquo;<strong>OK</strong>&rdquo; button to continue, then right-click and select
&ldquo;<strong>View page source</strong>&rdquo; to very our payload injection. Search for the
payload inserted.</p>
<img loading="lazy" src="/xss-in-dropdown-list-challenge-7/image-54.png"><p>You can find the inserted payload at the bottom of the page. This
time, you can see that our payload is displayed as given without any
output encoding.</p>
<p>By this, we have successfully exploited the XSS challenge 7.</p>
<hr>
<img loading="lazy" src="/xss-in-dropdown-list-challenge-7/image-55.png"></li>
</ol>
<h3 id="summary"><strong>Summary</strong></h3>
<p>The key takeaway from this article is XSS need not necessarily be
exploited from the user input form fields, the XSS vulnerability can be
tested in any param header and value fields that are parsed by the
server.</p>
<p>Keep learning! 😃</p>
]]></content:encoded>
    </item>
    <item>
      <title>Challenge 6: XSS Bypass Client-Side Blacklist Validation</title>
      <link>https://raghu.io/xss-bypass-client-side-blacklist-validation-challenge-6/</link>
      <pubDate>Mon, 06 Feb 2023 11:22:01 +0000</pubDate>
      <guid>https://raghu.io/xss-bypass-client-side-blacklist-validation-challenge-6/</guid>
      <description>Learn why client-side validation cannot be trusted all the time and how it can be tampered with by using BurpSuite as a proxy for exploiting XSS</description>
      <content:encoded><![CDATA[<p>Welcome back to learning Cross-Site Scripting(XSS) with the Kurukshetra
series. An app built by <a href="https://github.com/D4rk36/Kurukshetra">d4rk36</a>.</p>
<p>Before we start, ensure the lab is up and running. If you have not set
up your lab yet. Feel free to refer back to the below link.</p>
<p><a href="/xss-explained-learn-cross-site-scripting-with-examples/">XSS Explained - Learn Cross-Site Scripting with
Examples</a></p>
<hr>
<img loading="lazy" src="/xss-bypass-client-side-blacklist-validation-challenge-6/image.png"><h3 id="practicals">Practicals</h3>
<p>Post setting up the lab visit <a href="http://localhost:8066">http://localhost:8066</a> and ensure it&rsquo;s
accessible, then navigate to &ldquo;<a href="http://localhost:8066/ch06.php"><strong>XSS Challenge
6</strong></a>&rdquo;.</p>
<figure>
<img src="Kurukshetra-XSS-Challenge-6-Page-fs8.png" />
<figcaption>Kurukshetra XSS Challenge Page 6</figcaption>
</figure>
<p>I hope by now you are familiar with what an XSS is and how it can be
exploited. In this article, we shall learn more about identifying XSS
vulnerabilities.</p>
<p>Without much waiting, let&rsquo;s try our classic XSS payload on &ldquo;<a href="http://localhost:8066/ch06.php"><strong>Challenge
6</strong></a>&rdquo; and understand what the result we
are getting.</p>
<p><strong><u>Payload Try 1: Classic</u></strong></p>
<img loading="lazy" src="/xss-bypass-client-side-blacklist-validation-challenge-6/image-2.png"><p><strong>Output:</strong></p>
<figure>
<img src="CH6-XSS-Payload-Trail1-fs8.png" />
<figcaption>XSS Payload Trail 1</figcaption>
</figure>
<p>The output seems to be something familiar. We have seen this type of
output earlier as well.</p>
<p><strong>Yes</strong>, we have seen this type of output when learning about the
reflected cross-site scripting vulnerability in <a href="/challenge-3-xss-bypass-blacklist-html-tags/">Challenge
3</a>. We. Almost the
same, with a slight change.<br>
<br>
Let&rsquo;s explore it.</p>
<hr>
<img loading="lazy" src="/xss-bypass-client-side-blacklist-validation-challenge-6/image-28.png"><h3 id="understanding-application-behaviour">Understanding Application Behaviour</h3>
<p>Below is the output that we received when trying to use a classic XSS
payload.</p>
<figure>
<img src="CH6-XSS-Payload-Trail1-fs8-1.png" />
<figcaption>XSS Payload Trail 1 Result</figcaption>
</figure>
<p>Right-click and select &ldquo;<strong>View page source</strong>&rdquo; to view the HTML source
code. I search and scroll down through the HTML code to understand what
is happening with our input field. You will be able to find the code
snippet as shown below.</p>
<img loading="lazy" src="/xss-bypass-client-side-blacklist-validation-challenge-6/image-24.png"><p>The HTML input tag seems very similar as seen in previous challenges.</p>
<img loading="lazy" src="/xss-bypass-client-side-blacklist-validation-challenge-6/image-22.png"><p>Taking a closer look, whenever we click on the &ldquo;submit&rdquo; button, the HTML
form is running a &ldquo;<strong>filter()&rdquo;</strong> javascript function.</p>
<p>JavaScript is used for adding dynamic capabilities to the page making it
user-friendly.</p>
<p>In the same HTML code, will search for the javascript code.</p>
<img loading="lazy" src="/xss-bypass-client-side-blacklist-validation-challenge-6/image-25.png"><p>Scrolling through the top of the page, I can see a javascript file named
&ldquo;<strong>ch06.js</strong>&rdquo; has been included. Clicking on the file, the javascript
code opens, as shown below.</p>
<img loading="lazy" src="/xss-bypass-client-side-blacklist-validation-challenge-6/image-26.png"><p>We found the &ldquo;<strong>filter()</strong>&rdquo; function javascript code. A blacklisting
approach of input filtering is being used.</p>
<p>You can see the <strong>script, svg,</strong> and <strong>img</strong> HTML tags being stripped
out on the client side by the javascript <strong>filter()</strong> function.</p>
<p>The above code is an example that demonstrates that the client-side
validation check is in place. Remember from the previous article</p>
<blockquote>
<p>Input validation checks need to be applied on both the client and the
server side.</p>
</blockquote>
<hr>
<img loading="lazy" src="/xss-bypass-client-side-blacklist-validation-challenge-6/image-29.png"><blockquote>
<p><strong>Tip 6 - Client Side validations can be bypassed</strong></p>
<p><strong>Yes, you are hearing right.</strong> Every piece of instruction sent from
the client side browser can be tampered with or removed or new data
can also be added.</p>
<p>One way is through using browser addons like i.e. <a href="https://chrome.google.com/webstore/detail/tamper-chrome-extension/hifhgpdkfodlpnlmlnmhchnkepplebkb">Tamper Data for
Chrome</a>
etc. Available for firefox as well.</p>
<p>Another way is using the interceptor proxy tools like
<a href="https://portswigger.net/">BurpSuite</a> or <a href="https://www.zaproxy.org/">OWASP
ZAP</a>. Once configured with the web browser,
they can help to view/modify every request before it is sent to the
server.<br>
<br>
In our demonstrations going ahead, I will be using the &ldquo;<a href="https://portswigger.net/"><strong>BurpSuite
Community</strong></a>&rdquo;
edition. Please refer to the tool documentation which can help you in
getting started.</p>
</blockquote>
<hr>
<img loading="lazy" src="/xss-bypass-client-side-blacklist-validation-challenge-6/image-20.png"><ol>
<li>
<p>Bypassing Client Side validation</p>
<p>Hope by now your web browser is configured and ready to use with the
BurpSuite.</p>
<p>Step 1. Navigate to &ldquo;<a href="http://localhost:8066/ch06.php"><strong>XSS Challenge
6</strong></a>&rdquo;</p>
<figure>
<img src="Kurukshetra-XSS-Challenge-6-Page-fs8-1.png" />
<figcaption>XSS Challenge Page 6</figcaption>
</figure>
<p>Step 2. Enable the BurpSuite interception proxy to intercept the
request before it is sent to the server. To do that, Navigate to
BurpSuite &ldquo;<strong>Proxy</strong>&rdquo; -&gt; &ldquo;<strong>Intercept</strong>&rdquo; -&gt; Toggle the
&ldquo;<strong>Intercept is off</strong>&rdquo; button.</p>
<figure>
<img src="BurpSuite-Intercept-fs8-1.png" />
<figcaption>Toggle BurpSuite Intercept On</figcaption>
</figure>
<p>Step 3. In the XSS challenge 6 page, key in with the classic XSS
Payload, then click on the <strong>submit</strong> button.</p>
<figure>
<img src="CH6-XSS-Payload-Trail-fs8.png" />
<figcaption>XSS Payload Trail</figcaption>
</figure>
<p>Step 4. Observe the intercepted request from your web browser, which
will be displayed below.</p>
<figure>
<img src="BurpSuite-Intercepted-Request-fs8.png" />
<figcaption>BurpSuite Intercepted Request</figcaption>
</figure>
<p>Don&rsquo;t worry about the overwhelming information. This is the RAW
format in which the web browser and server exchange HTTP messages.
The underlined text indicates our input text is being sent in a
URL-encoded format.</p>
<p>Decoded text is nothing but the filtered input value.</p>
<img loading="lazy" src="/xss-bypass-client-side-blacklist-validation-challenge-6/image-34.png"><p>This explains why JavaScript validations strip out our XSS payload
on the client side.</p>
<p>Step 5. Replace the underlined text with our classic XSS payload, as
shown below.</p>
<figure>
<img src="BurpSuite-Modified-Intercepted-Request-fs8.png" />
<figcaption>Modified the Intercepted Request</figcaption>
</figure>
<p>Step 6. Toggle off the &ldquo;<strong>Intercept is on</strong>&rdquo; button to disable the
request interceptions for now. Immediately switch back to the web
browser.</p>
<figure>
<img src="image-36.png" />
<figcaption>Toggle Intercept Off</figcaption>
</figure>
<p>Step 7. Immediately observe that an XSS pop-up message will be
displayed, as shown below. then click on the &ldquo;<strong>OK</strong>&rdquo; button to
continue loading.</p>
<figure>
<img src="image-37.png" />
<figcaption>XSS Alert pop-up</figcaption>
</figure>
<p>The application load back the challenge page normally. To further
confirm click on the &ldquo;<strong>View Page Source</strong>&rdquo; for our injected XSS
payload.</p>
<figure>
<img src="BurpSuite-Modified-Request-HTML-Source-fs8.png" />
<figcaption>Page Source of Modified HTML request</figcaption>
</figure>
<p><strong>YAY!! 🎉</strong> By this, we can confirm the application is still
vulnerable to cross-site scripting vulnerability.</p>
<hr>
<img loading="lazy" src="/xss-bypass-client-side-blacklist-validation-challenge-6/image-40.png"><p>The XSS payload still worked because the input field validation is
only implemented on the client side using JavaScript but not on the
server side.</p>
<p>As there were no filters on the server side, our XSS payload passed
through as an HTTP request to the server and reflected in the HTTP
response as keyed-in.</p>
<hr>
<img loading="lazy" src="/xss-bypass-client-side-blacklist-validation-challenge-6/image-41.png"></li>
</ol>
<h3 id="summary"><strong>Summary</strong></h3>
<p>The important lesson to take away from this article is that for the
developers, the input validations need to be implemented both on the
client side as well as on the server side. For security researchers,
make sure to verify the validation checks are equally implemented on the
server side as well.</p>
<p>Keep learning! 😃</p>
]]></content:encoded>
    </item>
    <item>
      <title>Challenge 5: XSS bypass Client-Side Length Limit</title>
      <link>https://raghu.io/xss-bypass-client-side-length-limit-challenge-5/</link>
      <pubDate>Thu, 02 Feb 2023 05:48:16 +0000</pubDate>
      <guid>https://raghu.io/xss-bypass-client-side-length-limit-challenge-5/</guid>
      <description>Learn why client-side validation cannot be trusted all the time and how it can be tampered with by browser debugging tools for exploiting XSS</description>
      <content:encoded><![CDATA[<p>Welcome back to learning Cross-Site Scripting(XSS) with the Kurukshetra.
An app built by <a href="https://github.com/D4rk36/Kurukshetra">d4rk36</a>.</p>
<p>Before we start, ensure the lab is up and running if you have not set up
your lab yet. Feel free to refer back to the below link.</p>
<p><a href="/xss-explained-learn-cross-site-scripting-with-examples/">XSS Explained - Learn Cross-Site Scripting with
Examples</a></p>
<hr>
<img loading="lazy" src="/xss-bypass-client-side-length-limit-challenge-5/image.png"><h3 id="practicals">Practicals</h3>
<p>Post setting up the lab visit <a href="http://localhost:8066">http://localhost:8066</a> and ensure it&rsquo;s
accessible, then navigate to &ldquo;<a href="http://localhost:8066/ch05.php"><strong>XSS Challenge
5</strong></a>&rdquo;.</p>
<figure>
<img src="Kurkukshetra-XSS-Challenge-5-Page-fs8.png" />
<figcaption>Kurukshetra XSS Challenge 5 page</figcaption>
</figure>
<p>Give it a try with all the payloads we have learned so far.</p>
<p>I will go ahead and give it a try with our classic XSS payload.</p>
<p><strong><u>Payload Try 1: Classic</u></strong></p>
<img loading="lazy" src="/xss-bypass-client-side-length-limit-challenge-5/image-2.png"><p><strong>Output:</strong></p>
<figure>
<img src="CH5-Unable-to-input-fs8.png" />
<figcaption>Unable to key in the input beyond 3 chars</figcaption>
</figure>
<p>Observe that we cannot enter any characters after &ldquo;<strong>&lt;sc</strong>&rdquo;. All the
characters typed after are no longer considered.</p>
<p><em>What might be happening in the background?</em></p>
<p>Let&rsquo;s go ahead and view the page&rsquo;s HTML source code to understand
further. Type &ldquo;<strong>Ctrl + u</strong>&rdquo; or right-click and select &ldquo;<strong>View page
source</strong>&rdquo;.</p>
<p>In the HTML source code, scroll down to the input field and you should
be able to see the code similar to the one below.</p>
<img loading="lazy" src="/xss-bypass-client-side-length-limit-challenge-5/image-4.png"><p>For the current input field where we are trying to enter the values, the
&ldquo;<strong>max length is set to 3</strong>&rdquo;. For the same, we are not able to enter
more than 3 characters in the input field.</p>
<hr>
<figure>
<img src="image-5.png" />
<figcaption>Thinking</figcaption>
</figure>
<p>Can we bypass the length limitations? <strong>Possible.</strong> let&rsquo;s give it a try.</p>
<hr>
<blockquote>
<p><strong>Tip 5 - Client/Server Side validation bypass</strong></p>
<p>In general, input validations for the applications will need to be
validated both on the client side and on the server side.</p>
<p>In some cases, the input validations might be missing on either side.</p>
</blockquote>
<hr>
<img loading="lazy" src="/xss-bypass-client-side-length-limit-challenge-5/image-7.png"><ol>
<li>
<p>Tampering Client Side validation</p>
<p>In our current scenario, we surely know that the length limitations
for the characters are set on the client side. (i.e.
<strong>maxlength=&ldquo;3&rdquo;</strong> )</p>
<p>There are many ways to do it, in this article we shall be using a
simple technique using the browser&rsquo;s inbuilt functionalities.</p>
<p><strong>Output:</strong></p>
<figure>
<img src="CH5-Unable-to-input-fs8-1.png" />
<figcaption>Unable to key in the input beyond 3 chars</figcaption>
</figure>
<p>On the current output page, right-click on the input field and
select &ldquo;<strong>inspect</strong>&rdquo;. (In some cases, you might need to right-click
on the input field and select &ldquo;inspect&rdquo; twice to narrow down to the
exact position of the input HTML code)</p>
<p>Output from the &ldquo;<strong>inspect</strong>&rdquo; will be displayed below.</p>
<figure>
<img src="CH5-Browser-Inspect-fs8.png" />
<figcaption>Open Browser Inspect</figcaption>
</figure>
<p>Double click on the <strong>maxlength=&ldquo;3&rdquo;</strong> value field and change it to
<strong>200</strong> or some bigger value.</p>
<figure>
<img src="CH5-Browser-Inspect-Value-fs8.png" />
<figcaption>In browser Inspect change max length</figcaption>
</figure>
<p>Observe, now the length limitations on the client side are updated
and then click on cross &ldquo;<strong>x</strong>&rdquo; to close the browser debugger.</p>
<p>Let&rsquo;s go ahead and re-try out the classic XSS payload.</p>
<figure>
<img src="CH5-XSS-Payload-fs8.png" />
<figcaption>XSS Payload Trail</figcaption>
</figure>
<p><strong>Output:</strong></p>
<figure>
<img src="CH5-XSS-Payload-Alert-fs8.png" />
<figcaption>XSS Payload Result</figcaption>
</figure>
<p><strong>Yay!!! 🎉 we got an XSS pop-up.</strong></p>
<p>Yes, We have successfully exploited the XSS vulnerability again by
tampering with client-side validation checks.</p>
<blockquote>
<p>One thing to take away from this article is all the validation
checks applied on the input field need to be applied on both
client side and on the server side.</p>
</blockquote>
<hr>
<img loading="lazy" src="/xss-bypass-client-side-length-limit-challenge-5/image-16.png"></li>
</ol>
<h3 id="summary"><strong>Summary</strong></h3>
<p>In this article, we learned how client-side validation can be tampered
with and bypassed to execute the XSS payload. Also, learned that the
input validations need to be equally applied both on the client/server
side.</p>
<p>Keep learning! 😃</p>
]]></content:encoded>
    </item>
    <item>
      <title>Challenge 4: XSS using HTML attribute</title>
      <link>https://raghu.io/xss-using-html-attribute-challenge-4/</link>
      <pubDate>Wed, 18 Jan 2023 07:29:22 +0000</pubDate>
      <guid>https://raghu.io/xss-using-html-attribute-challenge-4/</guid>
      <description>Learn how the XSS payload can be crafted using HTML5 event attributes rather than using the classic &amp;lt;script&amp;gt; tag</description>
      <content:encoded><![CDATA[<p>Welcome back to learning Cross-Site Scripting(XSS) with the Kurukshetra.
An app built by <a href="https://github.com/D4rk36/Kurukshetra">d4rk36</a>.</p>
<p>Before we start, ensure the lab is up and running. If you have not set
up your lab yet. Feel free to refer back to the below link.</p>
<p><a href="/xss-explained-learn-cross-site-scripting-with-examples/">XSS Explained - Learn Cross-Site Scripting with
Examples</a></p>
<hr>
<img loading="lazy" src="/xss-using-html-attribute-challenge-4/lab.png"><h3 id="practicals">Practicals</h3>
<p>After setting up the lab, visit <a href="http://localhost:8066">http://localhost:8066</a> and ensure it&rsquo;s
accessible, then navigate to &ldquo;<a href="http://localhost:8066/ch04.php"><strong>XSS Challenge
4</strong></a>&rdquo;.</p>
<figure>
<img src="Kurukshetra-XSS-Challenge-Page-4-fs8.png" />
<figcaption>Kurukshetra XSS Challenge 4 Page</figcaption>
</figure>
<p>Give it a try with all the payloads you have learned so far.</p>
<p>I will go ahead and give it a try with our classic XSS payload.</p>
<p><strong><u>Payload Try 1: Classic</u></strong></p>
<img loading="lazy" src="/xss-using-html-attribute-challenge-4/image-26.png"><p><strong>Output:</strong></p>
<figure>
<img src="CH4-XSS-Payload1-Trial-fs8.png" />
<figcaption>XSS Payload Trial 1</figcaption>
</figure>
<p>Enter the XSS payload in the input field and click on the &ldquo;<strong>Submit</strong>&rdquo;
button.</p>
<p>This time, we haven&rsquo;t gotten any pop-up messages indicating that our XSS
payload didn&rsquo;t work.</p>
<p>Right-click and select &ldquo;<strong>View page source</strong>&rdquo;, then search for the given
payload to understand what exactly is happing with injected payload.</p>
<img loading="lazy" src="/xss-using-html-attribute-challenge-4/image-28.png"><p>Observe, that our script code given as input, is reflected in the HTTP
response and is correctly placed in between the input value quotes.
Which is working as expected.</p>
<p>All the payload is being treated as a text value and is no longer able
to control the behavior of HTML code.</p>
<p>Can we assume that the vulnerability is fixed? <strong>May be</strong></p>
<img loading="lazy" src="/xss-using-html-attribute-challenge-4/thinking.png"><p>Closely observe that all the characters typed in the input payload are
being injected and reflected in the HTML response without much filtering
or encoding.</p>
<p>It is worth to give a try with other possible ways of exploiting XSS
before we can confirm whether it is fixed or not.</p>
<hr>
<img loading="lazy" src="/xss-using-html-attribute-challenge-4/info.png"><p><strong>TIP - 4</strong></p>
<p>The XSS payloads may not work as given all the time. We need to learn
and find what allowed characters are and a working payload needs to be
carefully crafted out from the allowed list of the character set.</p>
<hr>
<p><strong>Previous HTTP Response Screenshot:</strong></p>
<img loading="lazy" src="/xss-using-html-attribute-challenge-4/image-29.png"><p>In the above, all the given XSS payload is being placed inside the
double quotes. Let&rsquo;s improvise the payload by appending a double quote
before the script tag and see if it can control the HTML response
behavior.</p>
<p><strong>Improvised Payload 1:</strong></p>
<img loading="lazy" src="/xss-using-html-attribute-challenge-4/image-30.png"><p>Enter the above payload in the input field, then click on the
&ldquo;<strong>Submit</strong>&rdquo; button.</p>
<p><strong>Browser Output:</strong></p>
<figure>
<img src="CH4-XSS-Imrprovised-Payload-Trial-fs8.png" />
<figcaption>XSS Improvised Payload Trail Result</figcaption>
</figure>
<p>For the immediate response, click on the &ldquo;<strong>View page source</strong>&rdquo; and
search for the injected payload and how it&rsquo;s being reflected in the HTTP
response.</p>
<img loading="lazy" src="/xss-using-html-attribute-challenge-4/image-32.png"><p>Interestingly, the double quote gets injected and aligns well with the
HTML response code. As we can control the HTML response behavior, This
gives us hint that there is a possibility to exploit reflected XSS
further.</p>
<p>We now have most of the information to craft a working XSS payload.</p>
<hr>
<img loading="lazy" src="/xss-using-html-attribute-challenge-4/image-33.png"><p>The XSS payload here can be crafted in a couple of ways.</p>
<ol>
<li>Trying to use the available/allowed HTML5 event attributes to
execute the reflected XSS. As used in the previous article.</li>
<li>Closing the HTML input form tag, injecting our classic XSS payload,
and commenting out the rest of the code.</li>
</ol>
<p>One way to choose this type of scenario is based on the length
limitations set by the application.</p>
<hr>
<img loading="lazy" src="/xss-using-html-attribute-challenge-4/web-programming128.png"><p>Let&rsquo;s use the first way mentioned above to craft the XSS payload.</p>
<p><strong>Improvised Payload 2: Using HTML5 Attribute</strong></p>
<img loading="lazy" src="/xss-using-html-attribute-challenge-4/image-34.png"><p><strong>onmouseover</strong> is one of the HTML attributes that can be used with HTML
tags, the moment the mouse hovers over the code, the javascript
<strong>alert()</strong> function gets triggered.</p>
<p>Enter the above-improvised payload in the input field and click on the
&ldquo;Submit&rdquo; button.</p>
<p><strong>Output:</strong></p>
<figure>
<img src="CH4-XSS-Onmouseover-Trial-fs8.png" />
<figcaption>XSS Onmouseover Payload Trail</figcaption>
</figure>
<p>For a moment, things seemed like nothing happened, and the application
behaved normally as expected.</p>
<p>Take your mouse, hover over the input field, and observe. Immediately, a
pop-up message is prompted, as shown below.</p>
<figure>
<img src="CH4-XSS-Onmouseover-Alert-fs8.png" />
<figcaption>XSS Onmouseover Payload Result</figcaption>
</figure>
<p><strong>yay!!!</strong>, our XSS payload worked and the application displays the
pop-up message. This confirms that the application is still vulnerable
to the reflected cross-site scripting vulnerability.</p>
<p>Will view the page source code to check how our payload got injected and
changed HTTP response behavior. Right-click and select &ldquo;View page
source&rdquo;, then search for the injected payload string.</p>
<img loading="lazy" src="/xss-using-html-attribute-challenge-4/image-37.png"><p>Observe that the double quote has closed the value field, then appended
the HTML attribute element for the input tag with the &ldquo;<strong>onmouseover&rdquo;</strong>
event along with the javascript code, then closed the double quote to
further align with the HTML code.</p>
<p>We have successfully confirmed that the application is still vulnerable
to cross-site scripting vulnerability.</p>
<hr>
<img loading="lazy" src="/xss-using-html-attribute-challenge-4/web-programming128.png"><p>Let&rsquo;s continue and try out the second method mentioned above to craft
the XSS payload.</p>
<p><strong>Improvised XSS payload 3: Classic XSS with syntax correction</strong></p>
<img loading="lazy" src="/xss-using-html-attribute-challenge-4/image-38.png"><p>The above payload is the same as we used earlier but with minor
modifications.</p>
<p>In prefix, a double code followed by a greater than arrow mark to close
the input form field. Then at the end of the script code append the HTML
comment code, this will comment out all the next code after our HTML
script tag.</p>
<p>Enter the above payload in the input field and give it a try.</p>
<figure>
<img src="CH4-XSS-Second-Method-Payload-Trail-fs8.png" />
<figcaption>Second Method - XSS Payload with Syntax
correction</figcaption>
</figure>
<p><strong>Output:</strong></p>
<p>Immediately, a pop-up message is displayed confirming that the XSS
payload still works.</p>
<figure>
<img src="CH4-XSS-Second-Method-Payload-Alert-fs8.png" />
<figcaption>Second Method - XSS Payload Result</figcaption>
</figure>
<p>Click &ldquo;OK&rdquo;, then Right-click and select &ldquo;<strong>View page source</strong>&rdquo;, then
search for the injected payload string.</p>
<img loading="lazy" src="/xss-using-html-attribute-challenge-4/image-41.png"><p>As expected, observe the HTML input tag is closed, then injected with
our classic XSS payload and followed by commenting out all the rest of
the code after the HTML script tag.</p>
<p>By this, we have successfully exploited the cross-site scripting
vulnerability <strong>challenge 4</strong>.\</p>
<hr>
<figure>
<img src="script-2.png" />
<figcaption>Summary</figcaption>
</figure>
<h3 id="summary"><strong>Summary</strong></h3>
<p>In this article, we learned how poorly implemented validations can still
be bypassed by improving the XSS payload and trying different possible
combinations. Also, there is no need that the default XSS payload needs
to work out of the box, the payload needs to be tweaked based on the
scenarios to make it work.</p>
<p>Keep learning! :D</p>
]]></content:encoded>
    </item>
  </channel>
</rss>
