$ sudo docker pull blabla1337/owasp-skf-lab:cross-site-scripting-attribute
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:cross-site-scripting-attribute
{% hint style="success" %} Now that the app is running let's go hacking! {% endhint %}
The application shows an input fields that allows the user to change the color of the text shown in the page.
If we want to make it red, we can just write red in the input box and click the Submit Button.
<center> <p style="font-size:2em;"> {% autoescape false %}<span style='color:{{xss}};' > Let me be a new color!</span>{% endautoescape %}</p></center>
and it is not escaped so it should be possible to perform a Cross Site Scripting (XSS) injection.
Now we have seen where the user input is being reflected in the style, we will have to look what dangerous HTML characters are not properly escaped so we can build our XSS payload. So for our first check we use the following string as an input:
foobar"></
As you can see the application does not react at out malicious payload, so nothing happens. Why? Maybe the quotes that are used in the template are not the right ones. Let's try our new payload changing the quotes:
red;'><img src=x onerror=alert(1)>
and clicking the button, we achieve what we were looking for.
Please refer to the OWASP testing guide for a full complete description about path traversal with all the edge cases over different platforms!
{% embed url="https://www.owasp.org/index.php/Testing\_for\_Reflected\_Cross\_site\_scripting\_\(OTG-INPVAL-001\)" caption="" %}