Reflected Cross-site scripting commonly occurs through URL based parameters. You should know what Cross-site scripting is, and if you don't, I'm embarrassed for you. For real? I have to explain this? Okay. Cross-site scripting is injecting JavaScript into a page. It is hacking 101 and the first attack most people encounter or hear about. Inefficient methods of blocking Cross-site scripting focus around targeting script tags, and with script tags not being necessary to use JavaScript in a page, there are numerous ways around this.
We will create a script that takes a variety of standard evasion techniques and applies them to an automated submittal by using the Requests
library. We will know whether the script has succeeded because either the script or an earlier version of it will be present on the page following the submittal.
The script we will be using is as follows:
import requests import sys url = sys.argv[1] payloads = ['<script>alert(1);</script>', '<BODY ONLOAD=alert(1)>'] for payload in payloads: req = requests.post(url+payload) if payload in req.text: print "Parameter vulnerable " print "Attack string: "+payload print req.text break
The following is an example of the output produced when using this script:
Parameter vulnerable Attack string: <script>alert(1);</script> Give me XSS: <script>alert(1);</script>
This script is similar to the earlier Directory Traversal script. We create a list of payloads rather than a dictionary this time as the check string and payload are the same:
payloads = ['<script>alert(1);</script>', '<BODY ONLOAD=alert(1)>']
We then use a similar loop as before to go through those values and submit them one by one:
for payload in payloads: req = requests.post(url+payload)
Each payload is appended to the end of our URL to be sent in an unended parameter such as 127.0.0.1/xss/xss.php?comment=
. The payload will be added onto the end of that string in order to make a valid statement. We then check to see if that string is present in the following page:
if payload in req.text: print "Parameter vulnerable " print "Attack string: "+payload print req.text break
Cross-site scripting is so simple and very easy to automate and detect as the attack string is usually the same as the outcome. The difficulties with Directory Traversal or SQLi, as we will encounter later, is that the outcome is not always predictable. In the event of a successful Cross-site scripting attack, it is.
This attack can be extended by providing more attack strings. Many examples can be found in the Mozilla FuzzDB, which we will be using later in the Automated fuzzing section script. Also, various forms of encoding can be applied using the original urllib
library, which is shown throughout this module in various different examples.