Testing for javascript injection.

XSS is an attack that allows you to inject and execute malicious HTML or JavaScript. This can be used to steal critical data (for example, session data) from cookies. As the code is executed in the context of a vulnerable application, this allows you to perform other attacks such as phishing, keyboard login, or redirecting the user to a malicious website. In the case of "stored Cross-Site Scripting" the injected code is permanently placed in the application, which makes it more dangerous than "Reflected Cross-Site Scripting" where the attacker must send the victim a specially prepared link.


One of the applications studied identified many parameters that were susceptible to javascript injection. The following is an excerpt from the request with the malicious code marked in red. It performs an action that displays an Alert notification,and it only targets documentation that such an attack is possible. During a real hacker attack, most often using XSS steals a session cake.


portion of the request with the malicious code marked in red


In the figure below, you can see the execution of malicious code in the victim's browser through an action that displays an Alert notification.


execute malicious code in the victim's browser through an action that displays an Alert notification

Chcesz wiedzieć więcej?

Zapisz się i bądź informowany o nowych postach (zero spamu!). Dodatkowo otrzymasz, moją prywatną listę 15 najbardziej przydatnych narzędzi (wraz z krótkim opisem), których używam przy testach penetracyjnych.

Nigdy nie podam, nie wymienię ani nie sprzedam Twojego adresu e-mail. W każdej chwili możesz zrezygnować z subskrypcji.

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *