Cross-site Scripting
Introduction
Stored XSS
Let's go to the Stored XSS web page.
Let's try to add a comment on the page. First we have to create a user and log in.
Let's now try to add a comment.
Now let's make an alert popup box appear on the web page with the document cookie.
Let's click OK.
Now let's change the XSS Playground heading to "I am a hacker".
Let's now try to take over the user Jack's account by stealing his cookie.
Now let's go to the log page.
We have the cookie.
Let's change users to Jack and post a comment.
First, let's go to the developer tools and change the cookie to Jack's.
Now let's reload the page.
We are now the user Jack, so let's post a comment.
Reflected XSS
Let's craft a reflected XSS payload that will cause a popup saying "hello".
To get the IP address of the machine, we can use this payload
DOM-Based XSS
Let's go to the DOM-Based XSS page and look at the source code.
This is interesting: it looks like there are no checks on the input we give.
Now let's exploit it and get the cookie.
Now hover over the "Image not found" text.
Next, let's create an onhover event on an image tag that changes the background color of the website to red.
Make sure to hover over the "Image not found" text.
Using XSS for IP and Port Scanning
XSS Keylogger
Filter Evasion
Let's do the first challenge.
Let's do challenge 2.
Let's do challenge 3.
Challenge 4
Protection Methods and Other Exploits
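As an added example for this section (not part of the original walkthrough or the room's code), the code below shows two defences against the stored XSS cookie theft walked through above: encoding comment text on output, and issuing the session cookie with HttpOnly so that document.cookie cannot read it. The function names, the cookie name and the sample comment are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not code from the room or the original page.

// Characters that can change parsing in HTML text and quoted-attribute contexts.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text so the browser renders it as text, never as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Render one stored comment. Both fields are user-controlled, so both are encoded.
function renderComment(comment) {
  return '<li class="comment"><strong>' + escapeHtml(comment.author) +
    '</strong>: ' + escapeHtml(comment.body) + '</li>';
}

// Build a session cookie header that page scripts cannot read (HttpOnly),
// that is only sent over HTTPS (Secure) and not on cross-site requests (SameSite).
function sessionCookieHeader(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// In the browser, the matching safe sink for DOM updates is textContent:
//   element.textContent = userInput;   // treated as text
// rather than element.innerHTML = userInput, which parses the input as markup.

// Constructed sample data (not taken from the room).
const sample = { author: 'Jack', body: '<h1>I am a "hacker"</h1> & more' };
console.log(renderComment(sample));
console.log(sessionCookieHeader('session', 'constructed-value-123'));
```

Output encoding addresses the stored and reflected cases; for the DOM-based case the fix is to write user input through a text-only sink such as textContent.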