Hi, in this blog post, which I will keep updating, I will post the answers to the labs together with explanations of how I solved them.
The difficulty levels are Apprentice, Practitioner, and Expert.
What is Cross-Site Scripting?
Cross-Site Scripting (XSS) is an injection attack that allows an attacker to inject scripts into a website so that they run in other users' browsers.
The problem arises from a lack of input validation and a lack of output encoding.
The main XSS types are:
Reflected XSS - User input is returned by the web application in the server's response without being encoded, so it is rendered unsafely in the user's browser.
Stored XSS - The user's input is stored in the database of the target server (for example, after a post is created in a forum, a private message is sent, etc.); the victim later retrieves the stored data, which is served without encoding and therefore rendered unsafely in the victim's browser.
DOM-based XSS - In this type of XSS the whole attack flow stays in the browser's DOM; the payload is never sent to the server.
1. Reflected XSS into attribute with angle brackets HTML-encoded
First, I checked which characters were encoded.
In the first reflection, all of them are encoded. In the second reflection, ' and " are not encoded.
I could not break out of the <input> element because the < and > characters are encoded, but I could add an attribute, since all that requires is the " character.
I added the 'onmouseover' attribute, which tells the browser to run a script when the mouse cursor is over this element.
2. Stored XSS into anchor href attribute with double quotes HTML-encoded
The description says there is a stored XSS in the comment section, so let's send a comment and check all the parameters (sometimes only one parameter is vulnerable).
After opening the comment page, we see that all parameters are HTML-encoded except for some characters of the 'website' parameter from the last request.
I sent a similar payload as in the previous lab. After initiating the script by moving the mouse cursor above the element, the lab was considered solved.
In short, XSS inside a script.
As in the previous labs, I tested which characters are not encoded. I only used these special characters: ; and /.
I used // to comment out all the remaining characters of the line.
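The root cause shared by these labs is that the application encodes only for one context (angle brackets for HTML text) while reflecting the input into another (an attribute value, or a JavaScript string). The following is an added example, not code from the labs or the original post: it contrasts that weak filter with context-aware encoding and parses the result the way a browser would, so the " that closed the attribute in the first two labs is shown to stay inside the value once quotes are encoded. The `searchTerms` variable name, the `search` input name and the sample inputs are assumptions constructed for the demonstration.

```python
import html
import json
from html.parser import HTMLParser

# Constructed sample input carrying the " that the attribute labs leave unencoded.
ATTRIBUTE_INPUT = '" onmouseover="alert(1)'


def encode_angle_brackets_only(value: str) -> str:
    """Weak filter: HTML-encodes only < and >, which is all the labs' filters do."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def render_attribute_weak(value: str) -> str:
    """Attribute context behind the weak filter: a " in the value closes the attribute."""
    return f'<input type="text" name="search" value="{encode_angle_brackets_only(value)}">'


def render_attribute_safe(value: str) -> str:
    """quote=True also encodes " and ', so the value can never leave the attribute."""
    return f'<input type="text" name="search" value="{html.escape(value, quote=True)}">'


def render_js_string_safe(value: str) -> str:
    """JavaScript string context: JSON-encode the value (escapes " and backslash)
    and neutralise </ so the data can close neither the literal nor the script block."""
    literal = json.dumps(value).replace("</", "<\\/")
    return f"<script>var searchTerms = {literal};</script>"


class InputAttributes(HTMLParser):
    """Collects the attributes a browser-like parser sees on the <input> element."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(markup: str) -> dict:
    """Parse the rendered markup and return the <input> element's attributes."""
    parser = InputAttributes()
    parser.feed(markup)
    return parser.attrs


if __name__ == "__main__":
    print(input_attributes(render_attribute_weak(ATTRIBUTE_INPUT)))  # gains onmouseover
    print(input_attributes(render_attribute_safe(ATTRIBUTE_INPUT)))  # only type/name/value
```

The same idea applies to the script lab: a value dropped into a JavaScript string needs JavaScript-string encoding, which HTML entity encoding of angle brackets does not provide.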