Reflected XSS is a type of XSS attack in which a vulnerable web server reflects the script contained in a malicious actor's request back to the client browser, where the malicious code is executed.
In this article we use Burp Suite to attack omarine.org with reflected XSS.
Burp Suite Community Edition is free, limited, but still quite useful.
Run Burp Suite and then click Proxy=> Intercept, then Open browser to open the Burp Suite browser. Go to https://omarine.org:
Go back to the Burp Suite window, select the "HTTP history" tab
Narrow the scope
The request list above is very long and difficult to track, so we filter it down to only the requests to the host omarine.org.
Click Target => Site map. In the list on the left, right-click the https://omarine.org item, select "Add to scope" to add it to the scope
Go back to Proxy and click on the Filter bar; the "Filter settings" dialog will pop up. Check "Show only in-scope items", then click Apply.
Now the list of items is neat
Next, we switch to the Burp Suite browser. On the omarine.org webpage, type CANARY in the search text box to find this item
No result. We return to the Burp Suite window, select the item with the URL /search/?q=CANARY, right-click it and select "Send to Repeater"
Click Repeater on the toolbar
In the Request view on the left, modify the search parameter on the first line, adding a script as shown below:
We have delivered the payload and are ready to attack. If the web server has no defense against this type of attack, the malicious script will be reflected in the response and execute in the victim's browser. The web server therefore needs to at least sanitize the input so the script cannot run. Specifically, the characters < and > need to be encoded as &lt; and &gt; respectively.
Click the Send button to attack
In this case the firewall blocked the attack in phase 2 (before the response is processed). The attack above is just one of many types of web application attacks that the firewall blocks.
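The encoding rule stated above (turn < and > into &lt; and &gt; before the query is written into the page) is what removes the reflection even when no firewall is in front of the server. The following Python is an added example, not code from this article or from omarine.org: it models a search page as a string template, shows the vulnerable rendering next to the encoded one, and includes a small check of the kind used when testing one's own site to confirm the submitted markup did not come back intact. The probe strings and the template are constructed for the example.

```python
"""Added example (not from the original article): server-side output
encoding that neutralises reflected XSS in a search page, plus a check
that the encoding held. The page template is a stand-in; nothing here
is omarine.org's real server code."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed probe inputs: the harmless CANARY marker from the article,
# and a script tag of the kind the article describes adding to the q parameter.
CANARY = "CANARY"
SCRIPT_PROBE = "<script>alert(1)</script>"


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter from a URL ('' if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_search_unsafe(q: str) -> str:
    """Vulnerable rendering: the query is pasted into the page verbatim,
    so any markup in it is reflected and interpreted by the browser."""
    return f"<h1>Results for: {q}</h1><p>No result</p>"


def render_search_safe(q: str) -> str:
    """Hardened rendering: HTML-encode the query before it enters the page.
    html.escape turns <, >, &, and quotes into entities (&lt; &gt; &amp;
    &quot; &#x27;), so the browser shows the text instead of running it."""
    return f"<h1>Results for: {html.escape(q, quote=True)}</h1><p>No result</p>"


def reflects_raw_markup(response_body: str, submitted: str) -> bool:
    """True if the submitted value appears in the response with its angle
    brackets intact, i.e. the server reflected it without encoding.
    Only meaningful when `submitted` actually contains markup characters."""
    if "<" not in submitted and ">" not in submitted:
        return False
    return submitted in response_body


if __name__ == "__main__":
    q = query_param("https://omarine.org/search/?q=CANARY", "q")
    print("parsed q:", q)
    print("unsafe reflects probe:", reflects_raw_markup(render_search_unsafe(SCRIPT_PROBE), SCRIPT_PROBE))
    print("safe reflects probe:  ", reflects_raw_markup(render_search_safe(SCRIPT_PROBE), SCRIPT_PROBE))
    print(render_search_safe(SCRIPT_PROBE))
```

The check deliberately looks for the raw submitted string rather than for any `<script` in the body, so a page that legitimately contains its own scripts does not produce a false positive; what matters is whether the attacker-controlled value came back unencoded. For an ordinary query such as CANARY the safe and unsafe renderings are identical, which is why the article's first search shows nothing suspicious until markup is added.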
Contact: tuyen@omarine.org