by Anshuman    May 20, 2019

This post demonstrates a Cross-Site Scripting (XSS) attack against an AJAX web page that returns a JSON response. For the demo I'll be using bWAPP, a deliberately buggy web application built for practising web vulnerabilities.

bWAPP Official Link:- http://www.itsecgames.com/

From the drop-down menu choose Cross-Site Scripting — Reflected (AJAX/JSON) and click Hack.

The page asks the user to enter a movie name, but there is no search button: because it is an AJAX page, the client sends the request in the background and updates the page without reloading it.

Let's enter a movie name, for example Skyfall.

The movie name is reflected on the web page. Since our input is reflected, we can try to inject JavaScript:

<script>alert('Skyfall')</script>

Our payload didn't work and we received 0 results. The search term comes back to the browser inside a double-quoted JSON string, and the page's client-side script then inserts that string into the document as HTML. A <script> element added to the page that way is not executed by browsers, so this payload cannot fire even though it is reflected.

Looking at the PHP script on the server, the response is built as a string with our input placed between double quotes. PHP runs on the server, so in a real engagement an attacker would not be able to read this code; they would only see the JSON that comes back.

So if a <script> block fails, the attacker can instead carry the JavaScript in an event-handler attribute of an HTML tag.

To test whether HTML tags are rendered, let's print the movie name "Skyfall" in bold:

<b>Skyfall</b>

We are able to inject an HTML tag inside the double-quoted string, and it is rendered. So let's enter our payload:

<img src=x onerror=alert('Skyfall')>

The alert fires: we have successfully launched an XSS attack on an AJAX web page.

How do we prevent this type of attack?

The right way to prevent this attack is to HTML-encode special characters before the value is placed anywhere the browser will parse it as HTML. In PHP, htmlspecialchars() converts the special characters to HTML entities:

1. & (ampersand) → &amp;

2. " (double quote) → &quot;, unless ENT_NOQUOTES is set

3. ' (single quote) → &#039; (for ENT_HTML401) or &apos; (for ENT_XML1, ENT_XHTML or ENT_HTML5), but only when ENT_QUOTES is set

4. < (less than) → &lt;

5. > (greater than) → &gt;

Two caveats matter for this AJAX page in particular. Encoding has to match the context the data ends up in: the JSON wrapper itself should be produced with json_encode() rather than by string concatenation, so that a double quote in the input cannot break out of the string. And on the client side, writing the returned value with textContent instead of innerHTML removes the HTML sink altogether; that is the most robust fix, because the browser then treats the value as plain text no matter what it contains.
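To make the reflection shown above and the fixes concrete, here is an added Node.js example; it is not code from the original post or from bWAPP. It models the vulnerable server that concatenates the search term into a hand-built JSON string, a blacklist that only strips <script> blocks, and a hardened version that HTML-encodes the value with a small port of htmlspecialchars() and builds the JSON with JSON.stringify() (the json_encode() equivalent). It then approximates what an innerHTML sink would do with each response field. The movie list, the response wording and every function name are constructed for this demo; the assumption that the page writes the value via innerHTML is inferred from the behaviour observed above (bold tags render, <img onerror> fires, <script> does not).

```javascript
// Added example (not code from the original post or from bWAPP): a Node.js model
// of the AJAX/JSON reflection and of the fixes. The movie list, response
// wording and function names are all constructed for this demo.

const MOVIES = ['Skyfall', 'Iron Man', 'The Matrix']; // constructed sample data

function countHits(title) {
  return MOVIES.filter((m) => m.toLowerCase() === title.toLowerCase()).length;
}

// Vulnerable server side: the search term is concatenated straight into a
// hand-built JSON string, mirroring the double-quoted reflection point above.
function buildResponseVulnerable(title) {
  const text = countHits(title) + ' result(s) for ' + title; // unencoded reflection
  return '{"movies":[{"response":"' + text + '"}]}';
}

// A blacklist that only removes <script>...</script> blocks. Included to show why
// it is not a fix: event-handler payloads such as <img onerror=...> pass through.
function stripScriptTags(s) {
  return s.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Minimal port of PHP's htmlspecialchars($s, ENT_QUOTES | ENT_HTML5): the five
// characters listed above, with '&' first so entities are not double-encoded.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened server side: HTML-encode for the innerHTML sink, and let
// JSON.stringify handle JSON-level escaping instead of string concatenation.
function buildResponseSafe(title) {
  const text = htmlEncode(countHits(title) + ' result(s) for ' + title);
  return JSON.stringify({ movies: [{ response: text }] });
}

// Client side: what the page's AJAX callback does with the body. Throws when the
// server returned malformed JSON (e.g. the input broke out of the string).
function extractResponse(json) {
  return JSON.parse(json).movies[0].response;
}

// Approximates an innerHTML sink: a <script> tag (inserted but never executed by
// innerHTML) or any tag carrying an on*= event-handler attribute (which does
// execute) counts as active HTML. With a textContent sink nothing is parsed at
// all, so this check would be moot.
function containsActiveHtml(s) {
  return /<\s*script\b/i.test(s) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(s);
}

// Demo: the payloads from the post plus one that breaks the hand-built JSON.
function demo() {
  const payloads = [
    'Skyfall',
    "<script>alert('Skyfall')</script>",
    "<img src=x onerror=alert('Skyfall')>",
    'Skyfall"', // a bare double quote terminates the hand-built JSON string
  ];
  for (const p of payloads) {
    let vulnerable;
    try {
      vulnerable = extractResponse(buildResponseVulnerable(p));
    } catch (e) {
      vulnerable = 'INVALID JSON (' + e.message + ')';
    }
    const filtered = stripScriptTags(p);
    const safe = extractResponse(buildResponseSafe(p));
    console.log('input            :', p);
    console.log('vulnerable field :', vulnerable, '| active HTML:', containsActiveHtml(vulnerable));
    console.log('blacklist only   :', filtered, '| active HTML:', containsActiveHtml(filtered));
    console.log('safe field       :', safe, '| active HTML:', containsActiveHtml(safe));
    console.log();
  }
}

demo();
```

Run it with node. The <img src=x onerror=...> payload survives the blacklist and reaches the vulnerable response field as live HTML, the bare double quote turns the hand-built JSON into a parse error, and the encoded response carries neither problem. In a real fix the client should also assign the field with textContent rather than innerHTML, so the server-side encoding becomes a second layer rather than the only one.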

For more information please follow the links below:

1. Testing for AJAX Vulnerabilities (OWASP-AJ-001)

2. XSS (Cross Site Scripting) Prevention Cheat Sheet

3. OWASP/CheatSheetSeries

I hope you liked this post. Bye for now.

Happy Hacking :)
