
XSS (Reflected)

Objective

One way or another, steal the cookie of a logged in user.

Security Level: Low

The low level does not check the requested input before including it in the output text. Spoiler: the ?name= parameter.

[Screenshot 1]

Let's provide john as the input.

[Screenshot 2]

We can see that our input is being reflected back to us.

Let's provide the following input:

<script>alert(document.cookie)</script>

[Screenshot 3]


Security Level: Medium

Spoiler: It's cAsE sENSiTiVE.

Let's check out the source code.

[Screenshot 4]

The <script> tag is replaced with an empty string using the str_replace function. The problem with this function is that it is case sensitive, i.e. it will not replace a <SCRIPT> tag.

This allows us to craft our payload as follows:

<SCRIPT>alert(document.cookie)</SCRIPT>

[Screenshot 5]


Security Level: High

Spoiler: HTML events.

In this level, the <script pattern itself is removed.

Let's check the source code to see how this has been implemented.

[Screenshot 6]

The developer has used the preg_replace function. However, we can still use HTML events to trigger the alert, since the filter only looks for the <script pattern. For our payload we can use the onerror event handler of an <img> tag as follows:

<img src=1 onerror=alert(document.cookie)>

[Screenshot 7]
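As an added example (not part of the original walkthrough and not DVWA's own code), the three filter levels described above are re-implemented in Python next to the actual fix, context-aware output encoding, and a small defender-side check runs the page's three payloads through each one. The high-level filter is an assumed approximation of the page's preg_replace, not the application's exact regex.

```python
import html
import re

# The three payloads from the walkthrough above (constructed sample input).
PAYLOADS = [
    "<script>alert(document.cookie)</script>",     # works at Low
    "<SCRIPT>alert(document.cookie)</SCRIPT>",     # bypasses Medium
    "<img src=1 onerror=alert(document.cookie)>",  # bypasses High
]


def filter_low(name):
    # Low: input is reflected exactly as received.
    return name


def filter_medium(name):
    # Medium: str_replace('<script>', '') is case sensitive, so <SCRIPT> survives.
    return name.replace("<script>", "")


def filter_high(name):
    # High: strip the "<script" pattern regardless of case (assumed approximation
    # of the page's preg_replace). Event handlers on other tags are untouched.
    return re.sub(r"<script", "", name, flags=re.IGNORECASE)


def filter_fixed(name):
    # Fix: encode for the HTML context instead of blacklisting tags
    # (htmlspecialchars with ENT_QUOTES in PHP; html.escape here).
    return html.escape(name, quote=True)


def render(filter_fn, name):
    # The reflected response body, as the vulnerable page would emit it.
    return f"<pre>Hello {filter_fn(name)}</pre>"


# Defender-side check: does the rendered output still contain an element the
# browser would execute? Either a script element or a tag carrying an on* handler.
ACTIVE = re.compile(r"<\s*script\b|<\s*[a-z]+[^>]*\son\w+\s*=", re.IGNORECASE)


def is_executable(rendered):
    return ACTIVE.search(rendered) is not None


def audit():
    # Map each level to a list of booleans: True means the payload still executes.
    levels = [("low", filter_low), ("medium", filter_medium),
              ("high", filter_high), ("fixed", filter_fixed)]
    return {name: [is_executable(render(fn, p)) for p in PAYLOADS]
            for name, fn in levels}
```

Running audit() shows each blacklist level stopping only the payload from the level before it, while the encoded output neutralises all three.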