
Reflected XSS

This course covers cross-site scripting (XSS) attacks, which are important to know about for anyone interested in ethical testing or bug bounty hunting. We'll cover reflected XSS, reflected AJAX XSS, and stored XSS.


Hi, within this section, we're going to cover the Cross-Site Scripting attacks, which are XSS attacks. So, these vulnerabilities allow us to run JavaScript code in the client browser, okay? So, you're going to actually come across this vulnerability pretty commonly when you try to do web pentesting and bug bounty, so this is important and we have already seen some examples, right now we're going to see the details. I'm inside of my bWAPP as usual, so my bWAPP is running on VirtualBox along with my Kali Linux. I'm reaching the Kali Linux or I'm reaching the bWAPP from inside of my Kali Linux as usual. So, I'm going to set my security level to low, I believe it was medium in the last section. So, I'm going to cross this and find the Cross-Site Scripting attacks like that. So, I'm going to start with the Reflected one then we're going to go into the Stored one as well. So, we actually know the Reflected one and Stored one, so we know what Stored means or what Reflected means because we have seen them in the HTML injection and also we have the DOM-based XSS attack in here as well but I believe we don't have that kind of example in the bWAPP. We're going to see it, don't worry, we're going to see it in the Juice Shop examples. Right now, we're only going to focus on the Reflected one and the Stored one. So, we have actually seen how it works in the HTML injection but this time we're only going to focus on the XSS itself, so it really doesn't necessarily mean that we have to have an HTML injection in order to have an XSS attack. So, we're going to see, we're going to try and see how we can discover the XSS attacks and how we can actually find the Reflected ones and the Stored ones inside of different setups as well. So, GET and POST, it really doesn't matter which one we choose right now, they only have different kinds of requests as we have seen in the HTML attack.
So, right now I'm going to go for the Reflected one, so this will be running on the link itself. So, if you send that link to anyone, the JavaScript code that you have injected will be executed on their browser. So, it can get messy and serious depending on the exploit of the hacker and again, we're going to focus on running simple JavaScript codes like doing an alert message, showing a dialog box, but hackers can exploit this with BeEF (Browser Exploitation Framework) attacks and cookie stealing attacks. So, if you find one you're definitely going to get back some bounty out of this one I believe. So, let me choose the Reflected GET and go over here and we see the first name and last name inputs like we have seen before. So, this is basically a website, it asks for the first name and last name of the user. So, if we give it, I don't know what's going to happen, maybe it will just display some welcome message as before. So, I'm going to give Atil Sam, as usual and say 'Go' and here we go. It displays some welcome message to us. And we can see the parameters in the URL as well, so the first name is Atil and last name is Sam, and it submits the form here as a parameter as well, right? So, we're actually familiarized with this stuff, thanks to HTML injections. So, what we can do, we can just try to inject some XSS over here, right? We can do this by leveraging the XSS payloads like we have seen before. So, if you come to Google and search for XSS payloads, you will be presented with more than two million or one million results, and I'm just opening the first one. Of course, I can just share this with you as well. As you can see there are a couple of choices over here, we have to try each of them if we really want to find some XSS vulnerability or if we are really certain that there might be some XSS vulnerability in this page. So, there might be some filters as we have seen before.
So, for example, we see the most basic one which is script alert and we can write this in various ways like using uppercase letters, lowercase letters, mixed letters and so on and so forth. So, I'm going to start with the most basic one and see if we can make it work. And again in here, for example, we see a semicolon at the end of the alert, okay? So, this is a JavaScript code and we generally do something with the, we generally end this with the semicolon, but in some cases if you omit the semicolon, if you write without a semicolon, then it will work but it won't work with the semicolon even though it doesn't make sense because of the filtering, because of their security protocols, okay? So, sometimes you need to write the script with uppercase S and it will work because they will be filtering only the script with the lowercase letters. Again, this is one of the things that we have seen before, we have to try until we find someone. So, this really requires some patience by the way, bug bounty and web pentesting. You're going to have to try and you're going to have to try until you find a working one. So, let me try it in here, okay? I'm going to write script and just do an alert and I'm going to display "hacked". So, I'm not going to put any kind of semicolon in here and try it like that, okay? If you want, you can just put a semicolon here as well. It's the regular way to put a semicolon and you can just try it without one as well to see if it works or not. So, here we go. Let's try it with the semicolon because it's the most basic way and here we go. We can see it says 'hacked', so it's working and if we can come over here and we can see it over there as you can see the semicolon is converted into some kind of URL encoding, okay? So, it did it automatically for us and it understood it, but maybe sometimes you're going to have to just convert it yourself and see if that works or not. We're going to see how this works again. 
Don't worry about it if you don't know how to convert something into the URL encoding way. Now, if I send this link to anyone, if they open this link, the alert will be presented to them in their own browser. So, it's not a good thing for the website. Again, it can get malicious with other types of attacks like a BeEF attack and other types of cookie stealing attacks. We're going to see the importance of cookies later on by the way, and we're not going to focus on that but rather we're going to focus on finding the vulnerabilities in different kinds of ways. So, you can try some kind of other things over here like this. We have already tried this so it's no different, okay? So, it's basically running the script with just showing the alert with 1, 2, 3. And over here, you can try this like just randomly making this S, R, T, uppercase. I'm going to try this as well, I'm going to paste this, okay? And I'm going to write something over here and if I say 'Go' as you can see it works as well. Sometimes the first might not work but this might work, so make sure you try some different kinds of variations over here. So, as you can see the third one is without a semicolon and over here, I believe we had the same thing. So, we have this image source thing as well. So, rather than giving an actual source in the image attribute, we can just give it a JavaScript code and try to see if it works or not. And as you can see in the first option over here, they have written the JavaScript in different mixed characters like uppercase, lowercase. So, let me try one of these as well to see if that works. So, here we go, and let's write something. If I say go, here we go, it doesn't work in this case. So, it's not working. Maybe it can work in some other configuration, maybe the previous ones do not work. So, make sure you try each of them and we see the iframe injection over here as well. So, let's try the iframe injection, okay? And see if this works or not.
And let's say Sam and here we go. It works somehow and it asks for an input in the iframe, okay? And let's go back. So, I believe we have broken something as you can see we cannot see the menu, so I'm going to go back, and let me go back to XSS the Reflected GET one more time. So, I'm going to try and see if we can make this a little bit harder like in a medium. So, let me go to medium and let's try to just run the script alert like this, okay? And see if it works. And as you can see it doesn't work. It filters out something so it says welcome Sam. It actually filtered out the whole thing in here. So, I have said alert XSS with regular script. So, what can I do? I can just try the other ones, right? So, I have this for example, let me try this and see if this bypasses the filter. Let me come back and go to first name and just write a regular last name and it doesn't work as well. So, here we go. Now, it got a little bit more difficult, right? So, what can I do? I can just try the other things as well, like this one, the image source one. So, it didn't work previously, maybe right now it will work. Let me try this and here we go, it doesn't work as well. So, let me go to iframe this time and see if this works or not. So, let me paste this and let me try this way. No, it doesn't work as you can see we see the iframe but we cannot see the XSS. Let me try this, okay? So, as you can see, we add an incremental script tag in here and here we go. Now it works. So, what was happening? It was filtering out the first script, okay? And we added the second one and it made it work. So, most probably they're trying to wipe out some of the script tags over here. So, if we had an additional one, then it will work. So, as you can see, it requires some patience and it requires some trials and failures in order to come up with a good vulnerability discovery in here. 
So, that's it for the Reflected and again, if you send this link to anyone, if they can reach the website, it will be run, it will be executed on their own browser. So, this is all for Reflected, actually Reflected GET, we're going to see another Reflected variant in here and then we're going to move to the Stored and then we're going to finish the XSS section. So, let's meet in the new lecture.
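The lecture shows three behaviours of the same reflected parameter: the "low" page echoes the first name untouched, the "medium" page wipes out a plain script tag but lets a nested one through, and the semicolon in the shared link shows up URL-encoded. The following Python is an added example, not bWAPP's own code and not from the course, that models those three behaviours side by side so the failure mode is clear: a single-pass blacklist that deletes "<script>" once reassembles a fresh tag from a nested payload, whereas contextual output encoding (html.escape) neutralises every variant regardless of casing or nesting. The exact nested string, the parameter names firstname/lastname/form and the filter's regex are assumptions for the demonstration.

```python
import html
import re
from urllib.parse import urlencode

# Constructed sample inputs modelled on what the lecture types into the
# first-name field; the nested string is an assumption, not copied from the page.
BASIC_PAYLOAD = "<script>alert('hacked');</script>"
NESTED_PAYLOAD = "<scr<script>ipt>alert('hacked');</scr<script>ipt>"

# Opening or closing <script ...> tag, any casing.
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b[^>]*>", re.IGNORECASE)


def naive_strip_filter(value: str) -> str:
    """Single-pass blacklist: delete every <script>/</script> tag once.

    Assumed model of a 'medium' style filter (not bWAPP's code). It reproduces
    what the lecture observes: the plain payload is wiped out, but deleting the
    inner tag of a nested payload reassembles a new <script> tag that the
    filter never looks at again.
    """
    return SCRIPT_TAG_RE.sub("", value)


def render_vulnerable(first: str, last: str) -> str:
    """Reflect the parameters straight into the page (the 'low' behaviour)."""
    return f"Welcome {first} {last}"


def render_with_strip_filter(first: str, last: str) -> str:
    """Reflect the parameters after the one-shot blacklist filter."""
    return f"Welcome {naive_strip_filter(first)} {naive_strip_filter(last)}"


def render_escaped(first: str, last: str) -> str:
    """Contextual output encoding for an HTML text node: escape & < > \" '
    so the browser renders the input as text whatever tags it contains."""
    return f"Welcome {html.escape(first, quote=True)} {html.escape(last, quote=True)}"


def reaches_browser_as_script(markup: str) -> bool:
    """True if the rendered HTML still carries a live <script> start tag."""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


def build_reflected_get_query(first: str, last: str) -> str:
    """Query string of the kind of link the lecture copies and shares.
    Parameter names are assumed from the form; urlencode shows the ';'
    turning into %3B, as pointed out in the lecture."""
    return urlencode({"firstname": first, "lastname": last, "form": "submit"})


if __name__ == "__main__":
    renderers = (("low", render_vulnerable),
                 ("medium-style filter", render_with_strip_filter),
                 ("escaped", render_escaped))
    for level, renderer in renderers:
        for label, payload in (("basic", BASIC_PAYLOAD), ("nested", NESTED_PAYLOAD)):
            out = renderer(payload, "Sam")
            print(f"{level:20} {label:7} executes={reaches_browser_as_script(out)!s:5} {out}")
    print(build_reflected_get_query(BASIC_PAYLOAD, "Sam"))
```

Running the script prints one line per level and payload; only the escaped renderer reports executes=False for both inputs. The design point is that the fix is not a longer blacklist or a recursive strip loop but encoding the value for the context it lands in, so the server never has to guess which tag spellings a browser will accept.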


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.