Another day, another challenge… What’s the topic today? Cross-Site Scripting (XSS)!
Scenario below:
XSS permits a malevolent user to inject his own code in vulnerable web pages. According to the OWASP 2010 Top 10 Application Security Risks, XSS attacks rank 2nd in the “most dangerous” list.
Your objective is to make an alert box appear HERE bearing the message: “XSS!“.
Solution:
Entering the challenge we see the following –
Looking at the page source we noticed that there is a POST method
A POST method is used to send data to the server either to a database or to another file or API (Application Programming Interface).
Going to Google – I found a link from OWASP that describes the common ways to test for Cross-Site Scripting (XSS).
Trying one of the items in the web page – alert(“XSS!”); – I get the following:
We were successfully able to use XSS scripting on the webpage.
Lessons learned:
When having input fields – as the web developer we need to make sure there is input validation. The reason for this is that we can disallow invalid characters (in this case the script tags) so our website would not be susceptible to XSS.
Hi! I can’t see the text in the screenshots. It’s a bit unclear. This is what I see:
“alert(“XSS!”);”
and when I try it I don’t get anything. What am I missing?