As per PortSwigger Academy: “This lab contains a simple reflected cross-site scripting vulnerability in the search functionality. To solve the lab, perform a cross-site scripting attack that calls the alert function.”

This lab is a fantastic illustration of how important it is to know the basics of the language syntax you are using for the attack. Knowing no JavaScript, I thought it was a good idea to show my methodology while trying to assemble a payload on my own. This lab is also a great illustration of the fact that there are vulnerabilities that require zero tools to exploit. In this lab, I operated solely through the search bar, without using Burp Suite.

The first thing I did was to see what the site’s legitimate search response looks like, both in the search results message and in the URL.

Using the example supplied in the vulnerability description:

<script>/*+Bad+stuff+here...+*/</script>

I modified the URL to fit the lab’s parameters:

<script>/alert/</script>

This did nothing and just gave 0 search results.

Assuming I was lacking an understanding of the alert function, I did a Google search on it, which gave me: “alert() instructs the browser to display a dialog with an optional message, and to wait until the user dismisses the dialog.”

<script>/alert()/</script>

No results. I went back to the vulnerability description at the PortSwigger Academy and experimented with syntax variations such as:

<script>/*alert()*/</script>

It didn’t work either. I tried a few more options with zero results.

After looking more closely at how an alert call is written inside a script, I was finally able to construct the correct payload:

<script>alert("All Your Base Belong To Us");</script>

This is what gave me the result I needed to solve the lab, with an alert box popping up saying “All Your Base Belong To Us”.

Conclusion

All user input must be validated as an XSS prevention method.
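As an added example that is not part of the lab or this write-up, here is the reflection in JavaScript: the vulnerable concatenation of the search term into the page, beside the same template with HTML encoding applied at output time, which is the usual complement to input validation. The results template, the function names and the check helper are assumptions for illustration, not the lab’s own code.

```javascript
// Added example (not the lab's or the author's code): how a search page
// ends up reflecting a script tag, and how encoding the reflected value
// for its output context neutralises it. Template text and names assumed.

// Minimal entity encoding for the HTML body and quoted-attribute contexts.
// A value placed inside a JavaScript string or a URL needs a different
// encoder; this one is only correct between tags and in quoted attributes.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the search term is concatenated straight into the HTML,
// so a term that contains markup becomes part of the page.
function renderSearchUnsafe(term) {
  return `<h1>0 search results for '${term}'</h1>`;
}

// Fixed: the same template, with the term encoded for the HTML body context.
function renderSearchSafe(term) {
  return `<h1>0 search results for '${htmlEncode(term)}'</h1>`;
}

// Crude check used only to show the difference between the two renderers:
// does the produced HTML contain a real <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The payload from the write-up, used here as a constructed search term.
const searchTerm = '<script>alert("All Your Base Belong To Us");</script>';
console.log(renderSearchUnsafe(searchTerm)); // a browser would run the script
console.log(renderSearchSafe(searchTerm));   // a browser shows the text literally
```

The unsafe output is exactly what the browser executed in the lab; the safe output shows the same characters on the page as text, so input validation and output encoding together cover both where the data comes in and where it is written out.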

PS: PortSwigger Academy has a very helpful cheat sheet for constructing payloads:
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
