This is a demonstration of a Cross-Site Scripting attack in the eval function and in a hypertext reference (href). For this demo I'll be using bWAPP, a buggy web application that we can use to test various web vulnerabilities.
bWAPP official link: http://www.itsecgames.com/
How to perform a Cross-Site Scripting attack in eval function?
Now please choose Cross-site-Scripting — Reflected (Eval) from the drop-down menu and click Hack.
What is eval?
As you can see, the Date() function is being used to display the current date of my computer. This Date() call is executed through eval(), and because the input goes through eval(), we can write an alert() call there as well.
As you can see, the alert() function was executed.
How to prevent this attack?
The best way to prevent this attack is not to use eval() at all when developing a website. As per the Mozilla developer documentation, it is a very dangerous function and it could be used by a third party for malicious purposes. It is also slow, because it has to invoke the JS interpreter to execute the code.
For more information, please check out the Mozilla developer documentation: Standard built-in objects - eval()
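An added example (not bWAPP's code and not part of the original post) that puts the eval() pattern described above beside a replacement that avoids it. The function names, the allow-list table and the alert() stub are assumptions made for illustration so that it runs in Node.js.

```javascript
// Constructed stand-in for the browser's alert(), so its effect is observable in Node.js.
const alertCalls = [];
function alert(msg) { alertCalls.push(String(msg)); }

// Vulnerable pattern: the request parameter is handed to eval(), so any
// JavaScript expression it contains is executed, not just Date().
function renderVulnerable(param) {
  return String(eval(param));
}

// Hardened pattern: the parameter is only a lookup key into a fixed table of
// allowed operations. Nothing from the request is ever parsed as code.
const ALLOWED = Object.freeze({
  "Date()": () => Date(),
  "Date.now()": () => String(Date.now()),
});

function renderSafe(param) {
  // hasOwnProperty keeps inherited keys such as "constructor" out of the lookup.
  const known = Object.prototype.hasOwnProperty.call(ALLOWED, param);
  if (!known) return "invalid request";
  return escapeHtml(ALLOWED[param]());
}

// HTML-encode the result before it is written into the page.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample inputs: the intended value and the alert() call from the demo.
for (const input of ["Date()", "alert('xss')"]) {
  console.log("vulnerable:", JSON.stringify(input), "->", renderVulnerable(input));
  console.log("safe:      ", JSON.stringify(input), "->", renderSafe(input));
}
console.log("alert() calls triggered:", alertCalls.length);
```

Only the eval() version triggers the alert() stub; the allow-list version rejects every value that is not one of its fixed keys.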
How to perform a Cross-Site Scripting attack in hypertext reference?
Now please choose Cross-site-Scripting — Reflected (HREF) from the drop-down menu and click Hack.
In this demo, the application takes the input from the first screen and displays it on the second screen.
So on my first screen, I enter my name "Anshuman" in the input box and it is reflected on the next screen.
So right click on the webpage and choose view page source to check the source code of this particular webpage.
As you can see, my name is reflected in the source. In order to inject code, we first need to close the angle brackets (the greater-than and less-than signs) around it; then we can inject a <script> tag.
So the final payload will be as below.
For more information?
I hope you guys like this post. Bye bye for now.
Happy Hacking :)