Web For Pentesters – Cross Site Scripting Example 2

0
110
Web For Pentesters - Cross Site Scripting Example 1

Hello friends how are you doing? This is Osama and in this example i will be covering the second example of Cross Site Scripting of our series of Web For Pentester. And as we move forward in this course the challenges provided in the Lab will get hard and really interesting to solve and a fun way to learn more about your own skills and how the web application works. If you haven’t seen the previous example that we solved then here is the video reference to that post. Example-1

Explanation :-

In the previous challenge we used the payload :- <script>alert(document.domain)</script> if you you the same payload in the second example you will get a result of some thing like this in the response.

http://[yourlab]/xss/example2.php?name=<script>alert(document.domain)</script>

The web page will render it and the php code will remove the script tag from the payload and this result will be shown on the page :-

Hello alert(document.domain)

To defeat this filtering we could try to bypass it using a capital letter.. as when setting up this kid of filtering you should keep in mind that you filter all types of K-sensitive type of the payload. This is how you by pass it.

http://[yourlab]/xss/example2.php?name=<ScripT>alert(document.domain)</ScRipt>

This works successfully. By just making any character from the script tag we can easily bypass this kind of filtering.

Here is the video example so you can understand better.

I hope you do like it if you do the please share it with your friends and do comment below if there should be any improvements made in the up coming videos.

LEAVE A REPLY

Please enter your comment!
Please enter your name here