
Lab 07 Cross Site Scripting

Tomas Rosenqvist edited this page Nov 16, 2018 · 14 revisions

Challenge XSS Tier 0

  1. Make sure you're browsing the Juice Shop via HTTPS.

     Using HTTPS is not strictly necessary for the attack itself, but if you're on a company network or similar it stops an intermediary firewall, proxy or IDS from seeing your payloads in plaintext and flagging or blocking the XSS attempts.

  2. Keep the Devtools open.
  3. Log in as any user.
  4. Go to the order tracking form.
  5. Enter <script>alert("XSS")</script>.
  6. Use the Devtools (Network tab) to inspect the server response.
  7. Notice how the code you injected is included verbatim in the server response (i.e. it is reflected back to the client).

Challenge XSS Tier 1

  1. In the product search bar, enter <h1>huge text</h1> and hit search.
  2. Notice how the text you entered appears on the search results page, and that it is rendered as a heading (i.e. quite large text) rather than shown as literal tags. Also notice the current URL in your browser's address field: the search term is carried in it.
  3. Now search for <script>alert("XSS")</script> in the product search bar.
  4. Use the Devtools to inspect the server response.

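The following is an added example for this lab, not code from the Juice Shop project. It models what the Tier 1 steps show: the search term travels in the URL (the `#/search?q=...` shape and the "Search Results" heading text are assumptions made for the illustration) and is written into the page as markup. The vulnerable rendering stands next to a hardened one that HTML-encodes the term, and both are fed the two payloads from the steps above.

```javascript
// Added example for this lab page (not Juice Shop's own code). It models the
// search results page: the term is taken from the URL fragment and written into
// a heading. The URL shape (#/search?q=...) and the heading text are assumptions.

// Constructed inputs: the two payloads used in the Tier 1 steps above.
const LAB_PAYLOADS = [
  '<h1>huge text</h1>',
  '<script>alert("XSS")</script>',
];

// Source: pull the search term out of a URL such as
// http://localhost:3000/#/search?q=%3Ch1%3Ehuge%20text%3C%2Fh1%3E
// URLSearchParams percent-decodes the value, so the tags come back intact.
function queryFromSearchUrl(href) {
  const hash = new URL(href).hash;          // "#/search?q=..."
  const queryString = hash.split('?')[1] || '';
  return new URLSearchParams(queryString).get('q') || '';
}

// Minimal HTML entity encoder for text and attribute contexts.
// '&' is encoded first so the entities it produces are not re-encoded.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Sink, vulnerable: the raw term is interpolated into markup, so <h1> becomes a
// real heading and <script> becomes a real script element once this string is
// assigned to innerHTML.
function renderSearchHeadingUnsafe(query) {
  return `<h3>Search Results - ${query}</h3>`;
}

// Sink, hardened: same markup, but the term is encoded first, so the browser
// displays the tags as literal text.
function renderSearchHeadingSafe(query) {
  return `<h3>Search Results - ${escapeHtml(query)}</h3>`;
}

// Helper to show the difference: does the rendered HTML contain any tag the
// page author did not write?
function containsInjectedTag(html, allowedTags = ['h3']) {
  const tagNames = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tagNames.some((name) => !allowedTags.includes(name));
}

// Walk the lab for one payload: URL -> term -> both renderings.
function runSearchLab(payload) {
  const href = 'http://localhost:3000/#/search?q=' + encodeURIComponent(payload);
  const query = queryFromSearchUrl(href);
  return {
    query,
    unsafe: renderSearchHeadingUnsafe(query),
    unsafeInjected: containsInjectedTag(renderSearchHeadingUnsafe(query)),
    safe: renderSearchHeadingSafe(query),
    safeInjected: containsInjectedTag(renderSearchHeadingSafe(query)),
  };
}

for (const payload of LAB_PAYLOADS) {
  console.log(runSearchLab(payload));
}
```

Run it with `node` and compare the `unsafe` and `safe` strings for each payload: the encoded version still contains the attacker's text, but the only tag left in it is the `<h3>` the page author wrote. Encoding at the sink, in the context the value lands in, is the fix; filtering `<script>` on the way in is not, since `<h1>` (or an `<img onerror=...>`) would still get through.
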
Questions

  • What's the difference between the two challenges (Tier 0 and Tier 1)?

Challenge XSS Tier 2

  1. Go to the new user registration form.
  2. Open the devtools.
  3. Create a new user, using valid values for e-mail, password etc.
  4. Inspect the request in devtools (Network tab): note the URL, the HTTP method and the JSON payload.
  5. Try to create another user, but enter <script>alert("XSS")</script> as the e-mail address.
  6. The submit button stays disabled while the form considers the input invalid. Use the devtools (Elements tab) to remove the disabled attribute from the button and create the user.
  7. Inspect the request in devtools. Do you notice anything strange about it?
  8. Use Postman to craft a new POST request.
  9. Copy the URL from the request in devtools and paste it into Postman.
  10. Set the body to raw and change the type from Text to JSON (application/json).
  11. Expand the Request Payload for the request in devtools, and copy it (a JSON object) into the Postman body.
  12. Alter the payload in Postman so that the e-mail field reads "email": "<script>alert(\"XSS\")</script>".
  13. Submit the request using Postman.
  14. Log in as any user.
  15. Go to the administration view.

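The following is an added example for this lab, not code from the Juice Shop project. It models the two halves of the Tier 2 procedure: the browser form that refuses to submit the payload, and the raw request a tool like Postman sends regardless. A vulnerable server handler that trusts the body is shown next to a hardened one that validates again on the server. The endpoint path (`/api/Users`), the field names (`email`, `password`, `passwordRepeat`) and the simple e-mail pattern are assumptions made for the illustration.

```javascript
// Added example for this lab page (not Juice Shop's own code). Models the
// registration form's client-side check against a server-side check, using the
// lab's payload. Endpoint path, field names and the e-mail pattern are assumed.

const LAB_EMAIL_PAYLOAD = '<script>alert("XSS")</script>';

// Deliberately simple address check shared by both sides below. It is not an
// RFC 5322 parser: it only requires local@domain.tld with no whitespace and no
// angle brackets, which is enough to reject the lab payload.
const EMAIL_RE = /^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+$/;

// Stand-in for the browser form: the submit button is disabled until the
// fields validate, so this returns null instead of a request when they don't.
function buildRegistrationRequest(email, password) {
  if (!EMAIL_RE.test(email) || password.length < 5) {
    return null; // the form refuses to submit
  }
  return {
    method: 'POST',
    url: '/api/Users',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ email, password, passwordRepeat: password }),
  };
}

// Stand-in for what Postman (or curl) lets you do: build the same request with
// any body, skipping the form's checks entirely.
function buildRawRegistrationRequest(body) {
  return {
    method: 'POST',
    url: '/api/Users',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
}

// Vulnerable handler: stores whatever arrives because "the form already
// checked it". The stored e-mail is later rendered in the administration view.
function registerUserUnsafe(store, request) {
  const body = JSON.parse(request.body);
  const user = { id: store.length + 1, email: body.email };
  store.push(user);
  return { status: 201, body: user };
}

// Hardened handler: repeats the validation on the server, which is the only
// check the sender cannot bypass.
function registerUserSafe(store, request) {
  let body;
  try {
    body = JSON.parse(request.body);
  } catch (e) {
    return { status: 400, body: { error: 'invalid JSON' } };
  }
  if (typeof body.email !== 'string' || !EMAIL_RE.test(body.email)) {
    return { status: 400, body: { error: 'invalid email' } };
  }
  if (typeof body.password !== 'string' || body.password.length < 5 ||
      body.password !== body.passwordRepeat) {
    return { status: 400, body: { error: 'invalid password' } };
  }
  const user = { id: store.length + 1, email: body.email };
  store.push(user);
  return { status: 201, body: user };
}

// Walk the lab: the form blocks the payload, the raw request gets through the
// unsafe handler (and into the data the admin view renders), the safe handler
// rejects it.
function runRegistrationLab() {
  const fromForm = buildRegistrationRequest(LAB_EMAIL_PAYLOAD, 'hunter22');
  const raw = buildRawRegistrationRequest({
    email: LAB_EMAIL_PAYLOAD, password: 'hunter22', passwordRepeat: 'hunter22',
  });
  const unsafeStore = [];
  const safeStore = [];
  return {
    formBlockedIt: fromForm === null,
    unsafeStatus: registerUserUnsafe(unsafeStore, raw).status,
    storedEmail: unsafeStore.length ? unsafeStore[0].email : null,
    safeStatus: registerUserSafe(safeStore, raw).status,
    safeStoreSize: safeStore.length,
  };
}

console.log(runRegistrationLab());
```

Run it with `node`: `formBlockedIt` is true, yet the unsafe handler answers 201 and `storedEmail` holds the script tag, which is exactly the state the lab reaches before step 14. Client-side validation is a usability feature; anything enforced only there is enforced by the attacker's own tooling, so the server must validate the body it actually receives, and the administration view must still encode the e-mail when rendering it.
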
Questions

  • What do you think happened when you used the browser to create a user? Why didn't it work as expected?

Suggested reading
