Cross-site-Scripting - Reflected (GET & POST)

Published: 16 May 2019 at 19:55 UTC | Updated: 06 June 2021 at 10:43 UTC


This is a demonstration of a reflected Cross-site Scripting (XSS) attack against both the GET and the POST method. For the demo I'll be using bWAPP, a deliberately buggy web application that we can use to practise testing for various web vulnerabilities.

bWAPP Official Link:- http://www.itsecgames.com/




Let's log in to bWAPP with its default username & password.

Username - bee
Password - bug

1. Cross-site-Scripting - Reflected (GET)



Now choose Cross-site-Scripting - Reflected (GET) from the drop-down menu and click Hack.

On the page that opens you can see two input fields, Firstname & Lastname. Let's enter the first name as Anshuman and the last name as Pattnaik and see what happens.



You can see that the values of both the first name & the last name are reflected in the address bar, i.e. they travel as GET query parameters. Whenever a parameter's value shows up in the URL like this and is echoed back into the page, there is a possibility that an attacker can tamper with that value and inject JavaScript code through it.

To test this, let's try to get the firstname printed in bold by submitting it as <b>Anshuman</b> and see what happens.



As you can see, the firstname value Anshuman is printed in bold, and the HTML <b> tag is also visible in the address bar. So from this we know that the application is NOT HTML-encoding its output: the browser interpreted the <b> tag as markup instead of displaying it as text.

If the web application developer doesn't encode user-supplied values before writing them into the page, this type of issue will come up.



Since the input field accepts the < & > characters unencoded, we can inject a <script> tag as well. Let's try a simple JavaScript payload, <script>alert("Anshuman")</script>, and hit Go.



As you can see, the firstname value Anshuman is shown in an alert dialogue box, so from this experiment you know that the firstname field on this page is vulnerable to reflected XSS. The lastname field is reflected in exactly the same way, so it should be tested with the same payload.


2. Cross-site-Scripting - Reflected (POST)



Now choose Cross-site-Scripting - Reflected (POST) from the drop-down menu and click Hack. The difference from the previous page is that the form is submitted in the request body, so the values no longer appear in the address bar; the reflection has to be checked in the page itself (or in the request/response with a proxy).



Now let's try the same input again: the firstname as <b>Anshuman</b> and the lastname as Pattnaik.



As you can see, we get the same output as with GET: the firstname is printed in bold.



So let's try injecting the <script> tag and see what happens.



As you can see, it shows the firstname value Anshuman in an alert dialogue box. So these two input fields are vulnerable to reflected XSS as well; moving the parameters from the URL into the POST body changes nothing about the reflection.
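The probe that the GET and POST sections above perform by hand, as an added example in Python that is not part of the original post or of bWAPP. It builds the GET URL (what the address bar carries) and the POST body for the two fields, and classifies a response as reflecting the probe unencoded, HTML-encoded, or not at all. The endpoint paths, the parameter names (firstname, lastname, form) and the two response bodies are assumptions constructed for the example, not captured from bWAPP.

```python
# Added example (not part of the original post or of bWAPP): an offline
# simulation of the reflected-XSS probe the walkthrough performs by hand
# against the GET and POST variants of the page.
#
# Assumptions (not from the post): the endpoint paths xss_get.php /
# xss_post.php and the parameter names "firstname", "lastname" and
# "form=submit"; the response bodies below are constructed stand-ins.
from html import escape
from urllib.parse import urlencode, urljoin

BASE = "http://localhost/bWAPP/"          # assumed local bWAPP install
PROBE = "<b>Anshuman</b>"                  # the harmless marker used in the post
PAYLOAD = '<script>alert("Anshuman")</script>'  # the escalation used in the post


def build_get_url(firstname: str, lastname: str) -> str:
    """URL the address bar carries for the GET variant (assumed parameter names)."""
    query = urlencode({"firstname": firstname, "lastname": lastname, "form": "submit"})
    return urljoin(BASE, "xss_get.php") + "?" + query


def build_post_body(firstname: str, lastname: str) -> str:
    """application/x-www-form-urlencoded body for the POST variant.

    Same encoding as the query string; only the transport differs, which
    is why the POST page reflects exactly like the GET page.
    """
    return urlencode({"firstname": firstname, "lastname": lastname, "form": "submit"})


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Tell how the page handled the probe.

    'unencoded' - probe reflected verbatim, markup is live: XSS candidate
    'encoded'   - probe reflected as HTML entities: output encoding in place
    'absent'    - probe not reflected at all (filtered or never echoed)
    """
    if probe in body:
        return "unencoded"
    if escape(probe) in body:
        return "encoded"
    return "absent"


# Constructed stand-ins for the two kinds of response (not captured from bWAPP).
VULNERABLE_RESPONSE = "<p>Welcome <b>Anshuman</b> Pattnaik</p>"
HARDENED_RESPONSE = "<p>Welcome &lt;b&gt;Anshuman&lt;/b&gt; Pattnaik</p>"


def run_probe() -> dict:
    """Return the verdict for both constructed responses, keyed by name."""
    return {
        "vulnerable": classify_reflection(VULNERABLE_RESPONSE),
        "hardened": classify_reflection(HARDENED_RESPONSE),
    }


if __name__ == "__main__":
    print("GET :", build_get_url(PROBE, "Pattnaik"))
    print("POST:", build_post_body(PAYLOAD, "Pattnaik"))
    for name, verdict in run_probe().items():
        print(f"{name}: probe reflected {verdict}")
```

Only an "unencoded" verdict justifies escalating from the <b> marker to the <script> payload; an "encoded" verdict means the < and > reached the browser as &lt; and &gt;, which is exactly what the bWAPP page fails to do here.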

Note

There are two things to do to prevent XSS in both the GET and POST variants:
  1. Validate input and, above all, HTML-encode every user-supplied value at the point where it is written into the page (in PHP, htmlspecialchars() with ENT_QUOTES), so that <, >, " and ' reach the browser as entities rather than as markup.
  2. Declare the character set of your pages explicitly, for example with a meta tag such as the one below (and the same value in the Content-Type response header), so the browser cannot guess a different encoding and reinterpret the bytes as script:
<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

Output encoding is what actually stops the reflected payload; declaring the charset only reduces the number of forms a script injection can take, by taking encoding tricks away from the attacker (UTF-8 is the usual choice today). So it's good to follow both of the above steps.
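The two fixes from the note, as an added example in Python that is not the original post's code nor bWAPP's PHP: the welcome line rendered by a vulnerable handler next to a hardened one that HTML-encodes the values, wrapped in a response that pins the character set. The parameter names, the wording of the welcome line and the choice of UTF-8 over ISO-8859-1 are assumptions made for this example.

```python
# Added example (not from the original post or from bWAPP's code): the
# welcome line as a vulnerable handler next to a hardened one, plus the
# response header and <meta> that declare the character set explicitly.
# Assumptions: parameter names "firstname"/"lastname", the wording of the
# welcome line, and UTF-8 as the declared charset.
from html import escape
from typing import Dict, Tuple
from urllib.parse import parse_qs


def render_vulnerable(firstname: str, lastname: str) -> str:
    """Echoes the values straight into HTML: the bug the walkthrough exploits."""
    return f"<p>Welcome {firstname} {lastname}</p>"


def render_hardened(firstname: str, lastname: str) -> str:
    """HTML-entity-encodes the values for the body-text context they land in.

    quote=True also turns ' and " into entities, so the same helper stays
    safe if a value is later placed inside an attribute such as value="...".
    """
    return f"<p>Welcome {escape(firstname, quote=True)} {escape(lastname, quote=True)}</p>"


def handle(form_data: str, hardened: bool = True) -> Tuple[Dict[str, str], str]:
    """Parse a GET query string or a POST body (same encoding) and build the page.

    Returns (headers, html). Both the header and the <meta> declare the
    charset so the browser does not sniff one; UTF-8 is assumed here rather
    than the ISO-8859-1 of the note above.
    """
    params = parse_qs(form_data, keep_blank_values=True)
    firstname = params.get("firstname", [""])[0]
    lastname = params.get("lastname", [""])[0]
    render = render_hardened if hardened else render_vulnerable
    body = render(firstname, lastname)
    headers = {"Content-Type": "text/html; charset=utf-8"}
    page = (
        "<!DOCTYPE html><html><head>"
        '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        "</head><body>" + body + "</body></html>"
    )
    return headers, page


# The walkthrough's payload, URL-encoded the way a browser submits it
# (constructed for the example).
PAYLOAD_QS = (
    "firstname=%3Cscript%3Ealert%28%22Anshuman%22%29%3C%2Fscript%3E"
    "&lastname=Pattnaik&form=submit"
)


def is_live_script(page: str) -> bool:
    """True if a real <script> element survived into the page."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    for hardened in (False, True):
        _, page = handle(PAYLOAD_QS, hardened=hardened)
        label = "hardened  " if hardened else "vulnerable"
        print(f"{label}: live script = {is_live_script(page)}")
        print("  ", page)
```

The hardened handler returns the payload as &lt;script&gt;alert(&quot;Anshuman&quot;)&lt;/script&gt;, so the browser displays it as text instead of running it; the request parsing is identical for GET and POST, which is why a single fix covers both pages.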

Thank you for reading this post and Happy Hacking :)