© 2018 Caendra Inc. | Hera for WAPTv3 | Cross Site Scripting


In these XSS labs, the student can practice attacks techniques to discover and exploit Cross
Site Scripting vulnerabilities: DOM, Stored, Reflected and more.

Once you are connected in VPN to the lab environment, all the web applications will be
available at the following URL: http://info.xss.site/.

There are three main sections for each type of lab: Video, Lab, Challenges.

• The Video section contains the web applications used during the video lessons. If you
need any information about the scenario, the attacks and so on, please refer to the
corresponding video.
• The Labs section contains web applications where you can practice the techniques of the
specific module; these labs have solutions, which you can find later in this manual.
• Challenges labs do not have solutions; otherwise, why call them challenges? If you
study the course and think like a penetration tester, you will achieve the goal!

The best tool is, as usual, your brain. Then you may need:

• Web Browser
• Burp Suite

Once you have your virtual network ready, configure the following IP address as default
DNS: 10.100.13.37

• WINDOWS: change the properties of the TAP network device, adding the IP address of
the server as the first DNS server.
• LINUX: add an entry with the IP address of the server to the /etc/resolv.conf file.



Your lucky number is an incredible web application used to determine a lucky number from
a person’s name. Thousands of people use it every day. Unfortunately, it is vulnerable to
XSS injections.

In this lab, you will find the vulnerable parameter and perform an XSS injection attack.

Find the vulnerable parameters, build a malicious link and show an alert window to anyone
who clicks on it.

• The methodology to follow in order to find XSS vulnerabilities
• How to detect the injection type
• How to find and exploit DOM XSS
• How to use Burp Suite to detect a DOM XSS



Online guestbook is a free web application used by users to share their opinions. Thousands
of people use it every day. Unfortunately, it is vulnerable to XSS injections.

You will find a vulnerable parameter and perform an XSS injection attack.

• Finding the vulnerable parameter(s)
• Performing a persistent XSS attack that will show a dialog window with the message
“I don’t like your fake opinions” to everyone visiting the guestbook.

• How to find and exploit Persistent XSS
• How to use Burp Suite to detect XSS



Your lucky number is an incredible web application used to determine a lucky number from
a person’s name. Thousands of people use it every day. Unfortunately, it is vulnerable to
XSS injections.

In this lab, you will find the vulnerable parameter and perform an XSS injection attack.

Find the vulnerable parameters, build a malicious link, and show an alert window to
anyone who clicks on it.

• The methodology to follow in order to find XSS vulnerabilities
• How to detect the injection type
• How to find and exploit Reflected XSS
• How to use Burp Suite to detect Reflected XSS



Poema is a small club of people that love books, poetry, and spiritualism. They do not drink
alcohol and do not party. They read and think.

They have put up a website where they can share with the world their reading
preferences, preferred authors, and photos.

The club has a Vice President of Bookshelf and a Club President. They are the sagest and
blessed members and live a life of books, introspection, and asceticism.

You want to check out if any of the website features is poorly coded and presents any
cross-site scripting.

Since XSS is an input validation attack, you should first determine which pages accept user
input. Not all of these are subject to XSS, but it is a good subset to begin with.

Then, try to insert HTML tags as probes to verify if any XSS is present. Make sure to
understand what kind of code you can inject, if HTML or also JavaScript.

• How to find basic XSS
• How XSS can affect a web page
• How to perform the most basic exploitation of an XSS vulnerability



Poema is a small club of people that love books, poetry, and spiritualism. They do not drink
alcohol and do not party. They read and think.

They have put up a website where they can share with the world their reading preferences,
preferred authors, and photos.

The club has a Vice President of Bookshelf and a Club President. They are the sagest and
blessed members and live a life of books, introspection, and asceticism.

You want to find out if the latest improvements in security that Poema reading club has put
in place are effective.

You should prove them wrong and demonstrate how you can still run JavaScript code in
one of the vulnerable user input channels.

• How to bypass simple client-side input validation
• How to perform basic XSS exploitation



Poema is a small club of people that love books, poetry, and spiritualism. They do not drink
alcohol and do not party. They read and think.

They have put up a website where they can share with the world their reading
preferences, preferred authors, and photos.

The club has a Vice President of Bookshelf and a Club President. They are the sagest and
blessed members and live a life of books, introspection, and asceticism.

The reading club webmaster is proud to announce a secure commenting feature. You
should find two different persistent XSS in the commenting pages.

As a proof of concept of the hack, you want to change the web page tag line from “Reading
club for introspective people with social issues” to “Reading club for introspective people
with social and XSS issues.”

Please refer to this page to know how to manipulate an HTML page with DOM for superb
XSS defacements:

• http://www.w3schools.com/js/js_htmldom.asp

You can achieve the above exploiting any of the two vulnerabilities.

• How to find XSS vulnerabilities
• How to bypass simple XSS protections
• How to exploit persistent XSS
• How to change the appearance of a web page through DOM manipulation



Please go ahead, only if you are really stuck or if you have
completed the labs.



A DOM XSS occurs when an attacker inserts malicious input into a page of a web
application (through a form, or within the URL). The input is processed by DOM functions
and only after that is it rendered by the browser.

This type of vulnerability is different from reflected XSS because the user input is
processed by DOM functions before being printed out in the response HTML. In reflected
XSS, the input is immediately reflected on the page.

The tasks you will perform are:

• Detecting the input vectors
• Analyzing the insertion point
• Checking filters
• Exploiting

Start Burp proxy and set the target scope. From now on, all of the HTTP requests made by
your browser to that target will appear in the Site map tab.



With your browser, explore the web application that asks for your lucky number.

You will type in your name:



After asking for your lucky number, you will get the answer from the oracle:

Come back to Burp proxy and go to the Site Map tab to analyze the requests made by your
browser; your parameters will appear here. The web application performs a GET HTTP
request to the page getLuckyNumber.php with the parameter name. This is the
parameter you will follow up on in the next steps.

In the next task, you will analyze the HTTP response message to study the insertion point
of the input data.



You must pay critical attention to where your input data is placed in the response.

In your browser, your input data appears between the word Hello and the words ‘your
lucky number is.’

Let us analyze the HTTP response message using Burp.

The input data (James in our case) does not appear between those words. In fact, it does not
appear in any part of the response message. You can conclude from this that your input is
not reflected in the response message.



You could be asked: “How is the input data printed to the page?”

The answer is simple: it is printed via the DOM API. If you inspect the response message,
you will find the following JavaScript code:

window.onload = function() {
    // take the full current URL of the page
    var site = document.location.href;
    // find the first "=": everything after it is treated as the name
    var index = site.indexOf("=", 0);
    name = "";
    if (index != -1) {
        name = site.substr(index + 1);
    }
    // undo percent-encoding, so %3C becomes "<" again
    name = decodeURIComponent(name);
    // insertion point: the value is parsed as HTML
    document.getElementById('name').innerHTML = name;
}

The code above performs the following actions:

• Reads the current location from the location object and stores it in the site
variable. In our case site is:

http://1.lab.xss.site/getLuckyNumber.php?name=James

• Extracts the name parameter from the current location and stores it into the
variable name. In our case name is:

James

• Replaces each escape sequence in the name with the character it represents (by
calling decodeURIComponent()). This code has most likely been inserted by the
developer to correctly display non-alphanumeric characters (like the space or some
other characters). But this is a security issue because it will also decode encoded
HTML reserved characters (for example < and >).
• Inserts the name as the content of the <span> element selected by
getElementById('name'). This is the insertion point.

The third action ensures that your input will be stored into the name variable without any
changes or filtering.

The fourth action ensures that your input will be interpreted as HTML code.

You can conclude that the input is handled completely on the client-side. Your input will be
processed via JavaScript without any filtering or encoding.



In fact, it will be handled simply as HTML code.

You can conclude from all of this that the web application is definitely vulnerable to XSS in
the parameter name and that the XSS is a DOM XSS.
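The following Node.js script is an added example; it is not code from the lab or from the lucky-number application. It transcribes the extraction logic shown above into a function (extractNameVulnerable and the other function names are the example's own), places beside it a hardened version that lets the URL parser find the name parameter and writes it through the equivalent of textContent, and runs both on the payload used later in this lab. A check of this shape is what a developer fixing the application would add to its regression tests.

```javascript
// Added example (not the lab's or the application's code): the vulnerable
// client-side extraction from getLuckyNumber.php next to a hardened version.
// Runs under Node.js; no DOM is needed because each function returns the
// string that would end up inside the <span>.

// 1. Extraction as the page's script does it: everything after the first "="
//    is taken as the name, whatever the parameter is actually called.
function extractNameVulnerable(href) {
  const index = href.indexOf("=", 0);
  let name = "";
  if (index !== -1) {
    name = href.substr(index + 1);
  }
  return decodeURIComponent(name);
}

// 2. Hardened extraction: the URL parser finds exactly the "name" parameter
//    and percent-decodes it, so no separate decodeURIComponent() call is needed.
function extractNameSafe(href) {
  const name = new URL(href).searchParams.get("name");
  return name === null ? "" : name;
}

// Escaping the HTML metacharacters. Assigning el.textContent in a browser has
// the same effect: the string is displayed, never parsed as markup.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// What the browser parses when the value goes through innerHTML (vulnerable)...
function renderVulnerable(href) {
  return extractNameVulnerable(href);
}

// ...and what it parses when the value goes through textContent (hardened).
function renderSafe(href) {
  return escapeHtml(extractNameSafe(href));
}

// Regression check: does a tag start anywhere in what reached the sink?
function containsMarkup(fragment) {
  return /<[a-zA-Z!\/]/.test(fragment);
}

// Constructed link using the payload from this lab.
const PAYLOAD = "<img src='nevermind' onerror=\"alert('XSS');\" />";
const DEMO_URL =
  "http://1.lab.xss.site/getLuckyNumber.php?name=" + encodeURIComponent(PAYLOAD);

console.log("innerHTML sink  :", renderVulnerable(DEMO_URL), "->", containsMarkup(renderVulnerable(DEMO_URL)));
console.log("textContent sink:", renderSafe(DEMO_URL), "->", containsMarkup(renderSafe(DEMO_URL)));
```

The hardened extractor also shows a second weakness of the original: because it splits on the first "=", a URL such as ?foo=1&name=James yields "1&name=James" as the name, while searchParams.get("name") returns "James".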

As previously stated, the input is managed completely on the client-side. Moreover, there is
not any filtering or encoding; you can now start the exploitation process.

You can use the following html code as an input payload:

<img src='nevermind' onerror="alert('XSS');" />

This HTML code will try to insert an image into the current page. The image has been
intentionally inserted with an incorrect path for the sole reason of triggering the onError
event. The code related to the onError event contains the malicious code.

The link will be something like:

http://1.lab.xss.site/getLuckyNumber.php?name=<img src='nevermind' onerror="alert('XSS');" />

When your victim opens the previous link, his browser will run your XSS code showing the
classic XSS alert window.

A persistent XSS occurs when the three following conditions are met:

1. The attacker inserts malicious input via a page of the web application (for
example, through a form or within the URL)
2. The input is not filtered or replaced and appears reflected in the response.
3. The input is stored (for example on a DBMS or server storage) and will be shown
to all viewers of that page from now on.

This type of attack is said to be persistent because the malicious user input will be put in
persistent storage and will be shown to each visitor of the page. There is no need to send a
malicious link to your victims.

The tasks you will perform are:

• Detecting the input vectors
• Analyzing the insertion point
• Checking filters
• Exploitation

Enable Burp proxy to intercept all HTTP requests from your browser and the responses
sent by the web server.



Write and send (by pressing the Share button) a test message. It will be used to capture
the request and identify the parameters of the sending operation, so that you can analyze
the HTTP request.



Burp proxy will intercept the following request:



You can conclude that three parameters are sent via a POST request. They will be
processed by the web application to store the message as below:

• name
• site
• message

Now you should note where in the HTML response input data is inserted. Forward the
intercepted request and wait for the response:



The inserted parameters are mapped into the HTML response like this:

• name
  o as content of the HTML element a
  o <a . . . >Polite user</a>
• site
  o as the value of the href attribute of the HTML element a
  o <a href="http://yesiam.apoliteuser.com" >
• message
  o as content of the HTML element span
  o <span . . . >I'm a polite user and I don't want to inject HTML/Javascript code</span>

First, try to inject your XSS payload via parameters name and message. So you need a
payload like this:

<script> [JS CODE] </script>

If filtering occurs, you will try injection through the other parameter. In the next step, you
will check whether the web application filters the user input in all the previous parameters.

To check if the parameters name, message, and site are filtered, you will send a test
payload and observe if and how they have been filtered or replaced by the web server.

For each input parameter, your test payload will be: < > / ;

These characters are special characters for HTML syntax. If the web application does not
filter them, they will be interpreted as HTML code and not as text.

To send the test payload, go to Burp suite, select the previous request (that performed the
sending operation) from the Site Map and send it to Burp Repeater. (Burp Repeater is a
simple tool for manually manipulating and then re-sending individual HTTP requests.)



Go to the Repeater tab, select the request and change the values of the parameters name,
site, message from the old value to the test payload above (< > / ; ).



Press the Go button and note how the input is processed by the web application:



None of the three parameters is filtered or replaced; they appear in the response message
exactly as they were inserted. In the next step, you will create your payload code.

As previously stated, the parameters message and name can be exploited by using a
payload like this:

<script> [JS CODE] </script>

You only need one of them to run your attack.

For example, you can fill in the web form with the following data:

• Name: anything you want, for example, Evil user
• Site: anything you want, for example, http://x.y.z
• Message: your attack payload; in this case, a JavaScript payload showing an alert
window containing the message: I don’t like your fake opinions
  o You need JavaScript code to do this (the message contains an apostrophe, so the
string is delimited with double quotes):
  o <script>alert("I don't like your fake opinions")</script>
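The guestbook stores name, site and message and renders them into three different HTML contexts (element text, an href attribute, element text). As an added example, not the guestbook's own code, the Node.js script below renders the same three fields with escaping chosen per context, so that the payload from this lab and a non-http link are both shown as inert text. Function names and the sample entries are constructed for the example.

```javascript
// Added example (not the guestbook's code): rendering the three stored fields
// with escaping chosen per insertion context, so a stored payload is shown as
// text instead of executed. Function names and sample entries are constructed.

// Escape for HTML text content and for double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The href context needs more than escaping: a URL with a non-http(s) scheme
// can run code when clicked, so only absolute http/https URLs are accepted.
function safeHref(site) {
  try {
    const u = new URL(site);
    if (u.protocol === "http:" || u.protocol === "https:") {
      return u.href;
    }
  } catch (e) {
    // not an absolute URL at all
  }
  return "#";
}

// name    -> text content of <a>
// site    -> href attribute of <a>
// message -> text content of <span>
function renderEntry(entry) {
  return (
    '<a href="' + escapeHtml(safeHref(entry.site)) + '">' + escapeHtml(entry.name) + "</a>" +
    "<span>" + escapeHtml(entry.message) + "</span>"
  );
}

function renderGuestbook(entries) {
  return entries.map(renderEntry).join("\n");
}

// Constructed entries: the polite message from the lab and the lab's payload.
const SAMPLE_ENTRIES = [
  {
    name: "Polite user",
    site: "http://yesiam.apoliteuser.com",
    message: "I'm a polite user and I don't want to inject HTML/Javascript code",
  },
  {
    name: "Evil user",
    site: "javascript:void(0)",
    message: "<script>alert(\"I don't like your fake opinions\")</script>",
  },
];

console.log(renderGuestbook(SAMPLE_ENTRIES));
```

The point of the separate safeHref step is that escaping alone does not protect an href: a well-formed URL with a scripting scheme contains no HTML metacharacters, so only a scheme allow-list keeps that attribute safe.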



Each visitor will receive a nasty message after opening the guestbook website:



A reflected XSS occurs when an attacker inserts malicious input into a page of a web
application (through a form, or within the URL) and gets the input reflected back to the
user in the response.

This type of attack is said to be reflected because the user input appears reflected in the
response and it is interpreted as HTML code.

The tasks you will perform are:

• Detecting the input vectors
• Analyzing the insertion point
• Checking filters
• Exploitation

Start Burp Proxy and set the target scope. From now on, all of the HTTP requests made by
your browser to that target will appear in the Site map tab.



With your browser, explore the web application that asks for your lucky number.

You will type in your name:

After asking for your lucky number, you will get the answer from the oracle:



Come back to Burp proxy and go to the Site Map tab to analyze the requests made by your
browser; your parameters will appear here.

The web application performs an HTTP request to the page getLuckyNumber.php with
the parameter name. This is the parameter you need to check in the next steps.



There is nothing else interesting in the request that you should be concerned about.

In the next task, you will analyze the HTTP response to determine the insertion point of
your input data.

You must pay critical attention to where your input data is placed in the response.

Your input could appear within an HTML element attribute, for example:

• <a href="<your input>">
• <div style="color: <your input>;">
• <img src="<your input>">
• <button onclick="fun(<your input>);">

Alternatively, it could appear simply as content of a given HTML element:



• <div> . . .<your input>. . . </div>
• <span> . . .<your input>. . . </span>

This information is necessary to build a working XSS payload and it becomes critical in case
the server is filtering the input.

Now you need to analyze the response of your previous HTTP request. In this case, the user
input is reflected within the HTML paragraph element p:

For this insertion point, you should use a payload like this:

<script> [JS CODE] </script>

Now you should check whether the web application filters or changes (for example by
replacing characters) the previous values.

The easiest method to use is to check whether the web application filters the following
characters: < > /



These characters are special characters in HTML syntax. If the web application does not
filter them, they will be interpreted as HTML code and not as text. You need to perform an
HTTP request to the page getLuckyNumber.php with the previous characters and
determine whether they have been filtered or replaced.

Go to Burp Proxy, select the previous request from the Site Map and send to the Burp
Repeater. Burp Repeater is a simple tool for manually manipulating and reissuing
individual HTTP requests.

Go to the Repeater tab, select the request and change the parameter name from the old
value to the test payload above (< > / ).



Press the Go button and note how the input is processed by the web application.

The special characters are not filtered by the web application. You have found and are
ready to exploit this XSS vulnerability.
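The filter check above is a comparison between what was sent and what came back. As an added example, not part of the lab, the Node.js script below performs that comparison over constructed responses and returns a verdict for each. The canary "wapt" wrapped around the probe characters "< > /" is the example's own addition: it lets the reflected spot be located even when the special characters were removed entirely, which a bare "< > /" probe cannot do. The same check is useful as a regression test once the application has been fixed.

```javascript
// Added example (not part of the lab): classify what the server did with the
// probe characters "< > /" by comparing what was sent with what came back.
// The canary "wapt" around the probe is the example's own addition: it lets
// the reflected spot be located even when the special characters were removed.
// All responses below are constructed, not captured from the lab.

const PROBE_CHARS = "< > /";
const CANARY = "wapt";
const PROBE = CANARY + PROBE_CHARS + CANARY;

// Return the text between the two canaries, or null if the probe did not come back.
function reflectedSegment(body, canary) {
  const start = body.indexOf(canary);
  if (start === -1) return null;
  const end = body.indexOf(canary, start + canary.length);
  if (end === -1) return null;
  return body.slice(start + canary.length, end);
}

function htmlEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Verdicts:
//   reflected-verbatim : HTML syntax survived; the insertion point is exploitable
//   html-encoded       : entities came back; the output is encoded for a text context
//   altered            : something else happened (stripped/replaced); inspect by hand
//   not-reflected      : the input is not in this response
function classifyReflection(body) {
  const seg = reflectedSegment(body, CANARY);
  if (seg === null) return "not-reflected";
  if (seg === PROBE_CHARS) return "reflected-verbatim";
  if (seg === htmlEncode(PROBE_CHARS)) return "html-encoded";
  return "altered";
}

// Constructed response bodies modelled on the lucky-number page.
const SAMPLE_RESPONSES = {
  vulnerable: "<p>Hello " + PROBE + ", your lucky number is 7</p>",
  encoded: "<p>Hello " + CANARY + "&lt; &gt; /" + CANARY + ", your lucky number is 7</p>",
  stripped: "<p>Hello " + CANARY + "  " + CANARY + ", your lucky number is 7</p>",
  silent: "<p>Hello stranger, your lucky number is 7</p>",
};

function classifyAll(responses) {
  const out = {};
  for (const [label, body] of Object.entries(responses)) {
    out[label] = classifyReflection(body);
  }
  return out;
}

console.log(classifyAll(SAMPLE_RESPONSES));
```

An "altered" verdict is deliberately not treated as safe: a server that strips "<" but not "/" or replaces only the first occurrence still needs the manual inspection described in this lab.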



You can use the following JavaScript code as your input payload:

<script>alert('XSS')</script>

The link will be something like:

http://3.lab.xss.site/getLuckyNumber.php?name=<script>alert('XSS')</script>

When your victim opens the previous link, his browser will run your XSS code showing the
classic XSS alert window.
