Reflected AJAX XSS


This course covers cross-site scripting (XSS) attacks, which are important to know about for anyone interested in ethical testing or bug bounty hunting. We'll cover reflected XSS, reflected AJAX XSS, and stored XSS.


Hi, within this lecture we're going to focus on reflected XSS attacks one more time. But this time we're going to focus on the AJAX/JSON variant, which is a different form that we can see. So, make sure you come over here and choose the AJAX/JSON option, okay. And you will be presented with a page like this. So, this is basically the same thing, but it has a different UI and a different way of operating. As you can see, it presents us with a "Search for a movie" input. If we give any input, it will search for it and display the movie back to us. So, this is again reflected, it won't be stored, and we're going to see how it works. For example, if I search for my name, as you can see it says, "Sorry, we don't have that movie". So, let me search for spiderman: no, we cannot find it, nope. Not like this either. So, let's search for iron man. Here you go. It says, "Yes! We have that movie". So, it's basically a search input, but search input fields can have XSS vulnerabilities as well, right?

So, we need to understand how this works, because as you can see the search term does not show up in the URL.

Okay, basically, I believe it sends an input or a parameter to the server with a GET request, but we have to make sure of that. So, I'm going to open Burp Suite one more time. Let me open Burp Suite and see how it works. As you can see, we use Burp Suite in every part of web application testing. That's why I haven't created a separate section for Burp Suite; we're going to see how it works in the different sections. So, I'm going to come over here, and as long as I have turned the proxy on we're getting something, because I believe it's working in real time. So, if you just type something, it will be sent to the server. Type, and nothing will happen, because it will be intercepted. As you can see, we see the GET request, but we don't see any parameters in here because it was the initial request. So, I believe we need to forward this and move on and see the other requests. We don't see anything in the URL, so we will try to see what kind of parameters we're passing over here. If I forward this, and I believe we have to forward this as well, here we go. Now we see that even though we cannot see it in the URL, it's passing the title, okay. And it's passing it one more time. So, it's passing it constantly as long as we leave it there, right? If it has something as an input, it will pass it to the server. So, that's how it works. Of course we can give the parameter ourselves. Let me turn this off, and we can give the parameter an XSS payload, like a script tag over here, and see if it works. So, I'm going to do an alert over here, okay. With the semicolon and so on, if we do it, nothing happens. So, let me turn this off obviously, and I believe we need to hit 'Enter' or something like that. It doesn't do much, okay. Intercept is off, the Proxy is off, but it doesn't seem to be working.
So, maybe we can try this without a semicolon, or maybe we can try to do something like an HTML attack, but I don't believe it's working right now at all. So, let me open this one more time from scratch, okay. So, Reflected. Here we go. Now let's see. Let me write script and alert. If I write script, nothing happens. Okay. If I write this, I get an error. If I write script, nothing happens in here. So, maybe they're filtering out the script tag. So, maybe we can try an HTML injection. Here we go. If I do h1, then we see it actually injects the HTML code. Maybe we can do the XSS inside of the HTML attack, like we have seen in the first lecture, right, in the HTML section.

So, let me try this. h1, okay, heading. And then script, and then alert, and I'm just going to display 1, and I'm going to close the script and close the h1 as well. But here you go, it doesn't work. So, it doesn't work. Even though I know that I can inject HTML, it doesn't work with XSS. So, maybe we can try something like this. Open an image tag. I am going to say src=a. So, if source is equal to a, then there will definitely be an error, right? What does that mean? I'm making the source attribute equal to something that doesn't exist, and this is definitely not going to show a as an image because there is no a image, but rather it will throw an error. And over here we can say if there's an error, show this, or if there is an error, show me that dialog or something like that, okay. This time I'm going to do this, and here you go, it shows the dialog. So, we can actually run some JavaScript code in here with onerror. This is one of the things that you should take note of, because it might work in real-life examples as well.

So, if you can inject HTML, you can try to run JavaScript code in the onerror attribute like this. This is going to go into your notes, definitely. And as you can see it cannot show the image; it displays some kind of broken image icon, but it cannot show any image because there is no image called a. So, it goes on because we need to change this. Let me just refresh this, and here you go. Now, I really wonder if we send this by email, like if we can send this link in an email to someone else, whether it is going to work or not. So, I'm going to write the same thing, okay. Even though we cannot see the URL over here, we can still get it from Burp, right? So, I'm going to say it like this, and for some reason it doesn't work. Let me just do this without quotation marks and see, nope, it doesn't work. Let me do it like this, nope, it doesn't work. So, I believe we have to just change something, nope, it doesn't work either. So, we need to refresh this; I believe we broke something again. Let me go back and just run this one more time, and come here and say img src = x onerror. We're going to display an alert dialog with 1, for example, and here we go.

Now it's working. What I'm going to do now is see what it looks like in Burp Suite, so that I can get the link out of this. Right now I cannot see the link, I cannot see the passed parameters or anything like that. So, I'm going to open Burp Suite, okay, one more time. I believe it was already open. But here we go, I'm just going to leave this and create a new project, okay. And then we're going to change the FoxyProxy settings. So, intercept is on, and I'm going to turn the Burp Proxy on, and let me just do this. Okay, I think intercept was off. Let me see. Here we go. Now we can get this, and we can see the passed parameters over here, okay. Now I can try to get this link. So, I'm going to right click and say "Copy URL", okay, and pretend that I have sent this to someone else. So, I'm going to turn this off. I'm going to turn the Burp Proxy off, and I'm just going to refresh this, delete this and paste the thing that I have copied. So, let me paste it like this and delete the whole thing actually.

And here you go. If I send this link to anyone, let's see if this will work. Here you go, it works. Even though it shows some kind of distorted page over here, we can still see that the JavaScript gets executed on the client. So again, this is a reflected XSS vulnerability. It's just another form of XSS vulnerability; they basically operate in the same way when it comes to reflecting input. Now, I believe we need to leave the reflected one and go on to the stored one, because it's much more dangerous: it affects everyone who visits that website. Okay, that's all for the reflected one. So, we're going to stop here and continue with the stored one in the next lecture.

About the Author
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.