Skip to content

Lab 07 Cross Site Scripting

Jump to bottom
Tomas Rosenqvist edited this page Nov 8, 2018 · 14 revisions

Challenge XSS Tier 0

  1. Make sure you're browsing the Juice Shop via HTTPS.

Using HTTPS is not strictly necessary, but prevents any intermediary firewall from detecting XSS attempts if you're running from a company network or similar.

  1. Keep the Devtools open
  2. Log in as any user.
  3. Go to the order tracking form.
  4. Enter <script>alert("XSS")</script>.
  5. Use the Devtools to inspect the server response.

Challenge XSS Tier 1

  1. In the product search bar, enter <h1>huge text</h1> and hit search.
  2. Notice how the text you entered appears in the search results page, and that it seems to be formatted as a heading (i.e. quite large text). This means that your input is reflected back in the response from the server. Also notice what the current URL is in the address field of your browser.
  3. Now search for <script>alert("XSS")</script> in the product search bar.
  4. Use the Devtools to inspect the server response.

Questions

  • What's the difference between the two challenges (Tier 0 and Tier 1)?

Challenge XSS Tier 2

  1. Go to the new user registration form.
  2. Open the devtools.
  3. Create a new user, using valid values for e-mail, password etc.
  4. Inspect the request in devtools.
  5. Create a new user, but enter <script>alert("XSS")</script> as the e-mail address.
  6. Use the devtools to enable the submit button and create the user.
  7. Inspect the request in devtools. Do you notice anything strange about it?
  8. Use Postman to craft a new POST request.
  9. Set the body to raw and change the type from Text to JSON (application/json).
  10. Copy the URL from the request in devtools and paste it into Postman.
  11. Copy the payload from the request in devtools and paste it into the Postman body.
  12. Alter the payload and add "email": "<script>alert(\"XSS\")</script>".
  13. Submit the request using Postman
  14. Login as any user.
  15. Go to the administration view.

Questions

  • What do you think happened when you used the browser to create a user? Why didn't it work as expected?

Suggested reading

Clone this wiki locally