Lab 07 Cross Site Scripting
Tomas Rosenqvist edited this page Nov 16, 2018
- Make sure you're browsing the Juice Shop via HTTPS.
  - Using HTTPS is not strictly necessary for the lab itself, but it stops an intermediary firewall or IDS/IPS on the network path (e.g. on a company network) from inspecting your requests and blocking the XSS payloads before they reach the application.
- Open the devtools in your browser (and keep it open during this lab).
- Log in as any user.
- Use the order tracking form to inject JavaScript code.
  - Go to the order tracking form.
  - Enter `<script>alert("XSS")</script>` into the form and submit it.
  - Use the devtools (Network tab) to inspect the server response to the request that was sent.
  - Notice how the code you injected is included in the server response (i.e. it is reflected back to the client).
- Now use the product search bar to inject JavaScript code.
  - In the product search bar, enter `<h1>huge text</h1>` and hit search.
  - Notice how the text you entered appears in the search results page, and that it seems to be formatted as a heading (i.e. quite large text). Also notice what the current URL is in the address field of your browser: your input is part of it.
  - Now search for `<script>alert("XSS")</script>` in the product search bar.
  - Use the devtools to inspect the server response. Is your input included in the response this time?
- Showing annoying popups to yourself might seem pointless, but can it be used to annoy someone else as well?
  - Copy the URL from the address field in your web browser.
  - Open a new incognito tab (Chrome) or InPrivate tab (Edge/IE), so that you are not logged in there.
  - Paste the URL in the new tab (i.e. simulate a different user clicking a link in an e-mail you sent them).
  - What's the difference between the two challenges (Tier 0 and Tier 1)? Think about where the injected code is turned into markup: on the server or in the browser.
- Create a new user, and inspect the requests the application makes.
  - Go to the new user registration form.
  - Open the devtools (Network tab).
  - Create a new user, using valid values for e-mail, password etc.
  - Inspect the request in devtools.
- Create a new user and attempt to inject JavaScript in the e-mail address field.
  - Create a new user just like before, but enter `<script>alert("XSS")</script>` as the e-mail address. Notice that the form's client-side validation disables the submit button.
  - Use the devtools (Elements tab) to enable the submit button and create the user.
  - Inspect the request in devtools. Do you notice anything missing from it? Why might it be missing?
- Let's see if we can create a new account using Postman instead of your browser.
  - Start Postman (you don't need to register for an account).
  - Create a new Request, and save it in a new Collection.
  - Set the request type to POST.
  - Set the body to `raw` and change the type from `Text` to `JSON (application/json)`.
  - Copy the URL from the registration request in devtools and paste it into Postman.
  - Expand the Request Payload for the request in devtools, and copy it (a JSON object) into the Postman body.
  - Alter the payload in Postman and add `"email": "<script>alert(\"XSS\")</script>"`.
  - Submit the request using Postman.
- Check if the attack succeeded.
  - Go back to your browser.
  - Log in as any user.
  - Go to the administration view.
  - After closing the popup, do you notice anything unusual in the user table?
  - What do you think happened when you used the browser to create a user? Why didn't it work as expected?
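The registration part of the lab shows why a check that only runs in the browser is not a security control: Postman talks to the same endpoint and skips the form entirely. As an added example (not Juice Shop's code, and not part of the original lab), the following models a registration handler and the admin user table. The request bodies are constructed to mirror what the lab has you capture, once from the browser (the invalid e-mail never makes it into the request) and once from Postman; the field names `email`, `password` and `passwordRepeat` and the in-memory `users` store are assumptions.

```javascript
// Added example, not Juice Shop code: a stand-in registration endpoint and admin
// view modelling the stored XSS reached via Postman. Field names, the in-memory
// store and the request bodies below are assumptions/constructed for illustration.
const users = []; // stands in for the users table

// Constructed request bodies, not real captures. The browser form refused the
// invalid address, so its request carries no email; Postman sends whatever you type.
const BROWSER_BODY = { password: 'Pa$$w0rd!', passwordRepeat: 'Pa$$w0rd!' };
const POSTMAN_BODY = { email: '<script>alert("XSS")</script>', password: 'Pa$$w0rd!', passwordRepeat: 'Pa$$w0rd!' };
const VALID_BODY   = { email: 'alice@example.com', password: 'Pa$$w0rd!', passwordRepeat: 'Pa$$w0rd!' };

// Vulnerable handler: trusts that the client already validated the field and
// stores the e-mail as received.
function registerUserUnvalidated(body) {
  users.push({ id: users.length + 1, email: body.email });
  return { status: 201 };
}

// Admin user table: stored e-mails are concatenated straight into markup. Whoever
// opens this page later runs the script, independent of their own input. That is
// what makes this a STORED XSS rather than a reflected or DOM-based one.
function renderUserTable() {
  const rows = users.map((u) => `<tr><td>${u.id}</td><td>${u.email}</td></tr>`).join('');
  return `<table>${rows}</table>`;
}

// Hardened handler: the validation the browser performed is repeated on the
// server, where skipping the UI cannot bypass it. A deliberately strict
// allow-list pattern, not the full RFC 5322 grammar.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;
function registerUserValidated(body) {
  if (typeof body.email !== 'string' || !EMAIL_RE.test(body.email)) {
    return { status: 400, error: 'invalid email' };
  }
  if (body.password !== body.passwordRepeat) {
    return { status: 400, error: 'passwords do not match' };
  }
  users.push({ id: users.length + 1, email: body.email });
  return { status: 201 };
}
```

Feed `POSTMAN_BODY` to `registerUserUnvalidated` and then call `renderUserTable` to see the payload land in the admin view exactly as the lab describes; feed the same body to `registerUserValidated` and it is rejected with a 400. Input validation on the server is the first fix, but the admin table should still encode every stored value for its HTML context when rendering, so that a value that slips past validation (or arrives through another path) cannot execute.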