
Cross Site Scripting

Cross Site Scripting (XSS) is a client side attack: the target is the web browser of the application's users, not the server. It works because the web application takes attacker-controlled input and writes it into a page without proper validation or output encoding, so the browser runs that input as script that appears to come from the site itself.

XSS comes in several forms. In Stored (persistent) XSS the attacker's <script> payload is saved by the application (for example in a comment or profile field) and is executed in the browser of every user who later views that page; with that foothold the attacker can hijack the user's session, deface the page or redirect the user elsewhere. A tool like BeEF (Browser Exploitation Framework) does not perform the injection itself: once an XSS payload has loaded BeEF's hook script in a victim's browser, BeEF keeps that browser connected and lets the attacker run further commands in it.



Deliverable:


Lab Set up

  • Virtualization using Oracle VirtualBox

  • Attacker's System: Kali Linux

  • Target System: Metasploitable 2


1. In Kali Linux, open the browser and visit the target website.

Ex. DVWA (Damn Vulnerable Web Application). It is bundled with Metasploitable 2. Enter the target's IP address in the Kali Linux browser and click the DVWA link. Log in with username 'admin' and password 'password'. Then go to DVWA Security, set the security level to 'low' and submit. At 'low' the page reflects input with no filtering at all, which is what lets the attack below work.



2. Click on the 'XSS reflected' link in the left-hand menu.



3. Input anything (or your name) in the textbox under 'What's your name?' and submit. You will get a response as follows:


Hello [the text you have entered]


This shows that whatever you type is inserted into the page as-is. Note also that the text is sent as the 'name' parameter in the URL, so the page is reflecting a value taken straight from the request.



4. Now we will try to enter some code in that textbox.


An HTML page cannot run code by itself; to execute a function in a page it has to be written in JavaScript, inside a <script> tag (or in an event handler attribute such as onerror). Because this page echoes our input into its HTML without encoding it, anything we type inside a <script> tag is executed by the browser as if the site had written it.


So we can make the page pop an alert box, without touching its source code, simply by submitting:


<script>alert("XSS")</script>


Here alert() only pops up a message box; it is the standard harmless proof that script injection works. The same injected script can read the cookies of the logged-in session (any cookie not marked HttpOnly), which is how a session is stolen:


<script>alert(document.cookie)</script>


In the lab the cookie is only shown back to us, but a real payload would send it to a server the attacker controls, for example by loading an image whose URL contains document.cookie. With the session ID an attacker can present that cookie to the site and be logged in as that user without ever knowing the user's credentials.


Thus functions can be executed in the page from the front end, by cross site scripting, without changing any of the server-side code.


This is known as Reflected Cross Site Scripting: the payload is sent to the server in the request (here the 'name' parameter in the URL) and comes straight back, reflected, in the response. Nothing is stored on the server, so to attack another user the attacker has to get that user to open a link containing the payload, for example by sending it by email or chat.

