First post of 2018!
This post will be a first in a series to solve the BodgeIt Store.
I am running the BodgeIt store from an ISO (disk image) on a virtual machine (I am using VM Workstation Player 12 which is free). I have a previous post that describes how to install ISO’s in virtual machines (VMs). Link here.
Now on to the hacking!
After installing the ISO, and powering on the VM, you will be presented with the login page:
Navigating to the IP you will see OWASP BWA (Broken Web Application) homepage:
Clicking on the BodgeIt link we’re presented with this homepage:
Going to the “About Us” we see there’s a scoring page.
Clicking on the scoring page, we see:
By the end of the series, these challenges will be green (completed).
Let’s get started!
I’m going to start with “Level 1: Display a popup using: alert(“XSS”)”
Note: I am using Google Chrome which has XSS auditor pre-installed in the application.
If you’re using Chrome you will need to temporarily disable this for the XSS vulnerability. Make sure to close ALL instances of Chrome before entering the below command.
To disable xss auditor, open a command prompt (run –> cmd.exe), and enter (or copy) the following: “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” –disable-xss-auditor
Once you press Enter, a new instance of Chrome will open.
OK, now a new instance of Chrome has opened, and we’ve navigated to the BodgeIt store.
Going to the Search link we see the following:
Entering the following line in the search input: alert(“XSS”)
And pressing the “Search” button we see:
We have successfully simulated a XSS attack!
Navigating back to the scoring page (About Us –> Scoring Page) we see:
Level 1 is complete (green)!!!
1 thought on “The BodgeIT Store Series #1, Level 1 XSS – #bodgeit #infosec #pentest #appsec #webapp #XSS”