by Anshuman    May 24, 2019

This is a demonstration of a Cross-Site Scripting attack through a custom HTTP header. For this demo I'll be using bWAPP, a deliberately buggy web application that we can use to test various web vulnerabilities.

bWAPP Official Link:- http://www.itsecgames.com/

Now please choose Cross-site-Scripting — Reflected (Custom Header) from the drop-down menu and click Hack.

What is a Custom Header?

Custom HTTP headers are commonly used to carry additional information, which is helpful to web developers when troubleshooting.

The best example of a custom HTTP header is Content-Type: through this header we tell the server which format the data is being sent in (JSON or XML).

In this demo the custom header is named bWAPP, and that is the header into which we will inject the XSS payload.

To inject the payload we need to intercept the HTTP request, and for that we can use Burp Suite.

What is Burp Suite?

Burp Suite is a graphical tool used to test web application security; with its help we can identify vulnerabilities in a web application.

If you want to know more about this tool, you can visit the official website, PortSwigger.

To intercept the first request, go to the Proxy tab and click the Intercept button to start intercepting HTTP requests.

Then go to the portal page, choose Cross-Site Scripting — Reflected (Custom Header) and click Hack.

Now, back in Burp, you can see the intercepted request; click Forward until you reach the "xss_custom_header.php" page.

Now add the bWAPP custom header. To test it, give it a simple message, "This is a buggy custom header", and click Forward.

As you can see, our message is reflected on the web page, and because it is reflected we can inject our payload.

Go back to Burp Suite and turn off Intercept, then follow the same steps again to intercept the request.

Now, in the bWAPP custom HTTP header, add the payload:

<script>alert('This is a buggy custom header')</script>

As you can see, we are able to inject a JavaScript payload via the custom HTTP header.

How do we prevent this attack?

1. User input taken from the HTTP header needs to be encoded before it is written into the response, and developers can implement filters that eliminate any script tags.

2. In some cases the X-XSS-Protection header can prevent some XSS (cross-site scripting) attacks, as it enables a browser add-on that sanitizes HTML responses.
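To make the two mitigations concrete, the following is an added example, not code from bWAPP or from the original post: a minimal Python WSGI handler that reflects the bWAPP request header the way the vulnerable page does, beside a hardened version that HTML-encodes the value before it reaches the page and sets the X-XSS-Protection header from point 2 together with a Content-Security-Policy. The header name bWAPP, the request path and the call() driver are assumptions made for the demo; bWAPP itself is written in PHP, where the equivalent of html.escape is htmlspecialchars.

```python
import html


def vulnerable_app(environ, start_response):
    """Reflects the 'bWAPP' request header into the HTML body unchanged.

    This mirrors the behaviour the post exploits: whatever arrives in the
    header is written straight into the page, so a <script> payload runs.
    """
    value = environ.get("HTTP_BWAPP", "")  # WSGI name for the 'bWAPP' header
    body = f"<p>Custom header: {value}</p>".encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def hardened_app(environ, start_response):
    """Same page with the two mitigations from the post applied.

    1. The header value is HTML-entity-encoded before it enters the response
       body, so '<', '>', quotes and '&' can no longer form markup.
    2. X-XSS-Protection is sent as the post suggests; a Content-Security-Policy
       is added alongside it as the header-level control current browsers honour.
    """
    value = environ.get("HTTP_BWAPP", "")
    safe_value = html.escape(value, quote=True)
    body = f"<p>Custom header: {safe_value}</p>".encode("utf-8")
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-XSS-Protection", "1; mode=block"),
        ("Content-Security-Policy", "default-src 'self'"),
    ]
    start_response("200 OK", headers)
    return [body]


def call(app, header_value):
    """Drive a WSGI app offline with a constructed request carrying the header.

    Returns (status, response headers as a dict, decoded body) so the result
    can be inspected without running a server.
    """
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/xss_custom_header.php",  # assumed path, after the bWAPP page name
        "HTTP_BWAPP": header_value,
    }
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], body


# Constructed inputs: the benign test message and the payload from the post.
BENIGN = "This is a buggy custom header"
PAYLOAD = "<script>alert('This is a buggy custom header')</script>"


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        for value in (BENIGN, PAYLOAD):
            status, headers, body = call(app, value)
            print(f"[{name}] {status} {body}")
    # To try it from a browser or through Burp, serve one of the apps locally with
    # wsgiref.simple_server.make_server("127.0.0.1", 8000, hardened_app).serve_forever()
```

Running the block shows the post's payload landing verbatim in the vulnerable body and as inert entities (&lt;script&gt;...) in the hardened one, while the benign message renders identically in both. Output encoding is the control that actually closes the hole: Chromium-based browsers have since removed the XSS Auditor that X-XSS-Protection switched on, and Firefox never had one, so the response headers are defence in depth rather than a substitute for encoding.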

I hope you guys like this post. Bye bye for now.

Happy Hacking :)
