Practical XSS Lab 2 — Balancing is Important in Life!
As a part of my weekly updates for my blog: I’m a Web Application Penetration Testing — Intern, I wanted to start demonstrating the practical aspects of the internship. I’m not going to dive deep into the details but rather showcase some of the things I’ve learned throughout my 10-week internship with Hacktify Cybersecurity.
Balancing Payloads
In this lab, I discovered the process of escape sequences and how to balance payloads. I’ll take you through the process that I used and try to make sense of all this simple yet complex (at first) process.
Similar to my previous lab, this is the main page that I’ll be testing. After submitting penetration@test.com, I see that my payload is reflected on the page, below the subscribe input field, and in the URL search bar. So these two locations will be my entry points for the client-side application.
View the Page Source
When I view the page source, I notice that it’s reflected in one location: the input field.
<input type="text" name="email" class="field" placeholder="Enter your Email" value="penetration@test.com">
Testing for XSS Injection
I submitted the following JavaScript payload and got the following reflection.
N7RUZN<script>alert(1);</script>
Back to Page Source
Back in the Page Source, I could see that it’s getting passed as a value to the “value parameter”. To get my payload to work as intended, I’ll have to escape from the Input tag and open a new script tag that will carry my payload.
<input type="text" name="email" class="field" placeholder="Enter your Email" value="N7RUZN<script>alert(1);</script>">
Balancing the Payload
Since my payload is being displayed as a value, it will need to be balanced, and I’ll be able to do this by escaping from the input tag. I used a three-step process to try and break this down and make it more manageable and easier to absorb, which it does to a certain extent : )
Step 1. Find the location of the reflection by viewing the Page Source.
<input type="text" name="email" class="field" placeholder="Enter your Email" value="N7RUZN<script>alert(1);</script>">Step 2. Remove all irrelevant information and keep the value parameter and its value (payload).
value="N7RUZN<script>alert(1);</script>">Step 3. I’ll remove everything in between the double-quotes and store this in an arbitrary value named b and make a note of it.
b = N7RUZN<script>alert(1);</script>Which leaves me with the following:
value="">Then I took the second double-quote and everything following it and stored it in an arbitrary value named a which I used to craft my payload.
a = ">Step 4. Crafting the Payload.
I used the following formula to craft my final payload.
payload = a + ba = ">, b = N7RUZN<script>alert(1);</script>payload = ">N7RUZN<script>alert(1);</script>
Updated Payload
">N7RUZN<script>alert("Balancing is Important in Life!");</script>Proof of Concept
Sample Report Writing
Since I’m still working hard to produce some quality reports, I want to share what I currently have in the works with the community.
Hopefully someone finds this useful down the line.
Thanks for following my journey into InfoSec!
