Learn how to test a website for an XSS vulnerability (cross-site scripting).
You can use any web browser of your choosing for this lab.
We will begin this lab by opening a web browser of your choice. There are numerous sites on the web that have been set up for the purpose of practising attacks like XSS. We will be using this site: https://xss-game.appspot.com
The site has several levels of XSS which vary in difficulty. It also offers several hints on how to proceed if you get stuck on a level. This is a great way to advance your knowledge of this type of web application attack.
Let’s begin by navigating to the following URL:
This is the first level. We are presented with a simple search box for a web page.
For example, <h1>"Header here"</h1> will create a heading. Enter this value into the search box and see what result you get.
Now, to execute the XSS attack. Try to figure it out yourself using the hints the site provides you. The answer is the following:
This will cause an alert text box to pop up on our screen with “1” on it.
We have successfully executed an XSS attack.
For level 2, we will only be talking about it in brief. In this level, we are presented with a forum page.
The script we entered for level 1 will not work here. We first need to enter an HTML tag that carries the script we entered in level 1, so that every time this page is visited and the tag is loaded, the XSS attack will run. This is a method of achieving a persistent (stored) XSS attack on a site.
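To see why the search box in level 1 and the forum in level 2 behave the way they do, here is an added example (not code from the original page or from xss-game) that models both pages in a few lines of Python. `render_search_unsafe` echoes the query into the HTML verbatim, which is the reflected shape of level 1; `Forum` stores posts and re-renders them on every visit, which is the persistent shape of level 2. Each has a hardened counterpart that passes user input through `html.escape` before it reaches the page. The page template text and the `SAMPLE_INPUT` value (the harmless `<h1>` tag the tutorial has you type) are constructed for the example.

```python
import html

# Constructed sample input: the harmless heading tag the tutorial asks you to
# type into the level 1 search box. Any user-supplied string could go here.
SAMPLE_INPUT = '<h1>"Header here"</h1>'


def render_search_unsafe(query: str) -> str:
    """Level 1 shape (reflected): the query is dropped into the HTML untouched,
    so any markup the user typed is rendered by the browser."""
    # Template text is constructed for this example, not copied from the site.
    return f"<p>No results for <b>{query}</b>.</p>"


def render_search_safe(query: str) -> str:
    """Hardened version: HTML-escape the query before it lands in the page body.
    <, >, &, and quotes become entities, so the browser shows them as text."""
    return f"<p>No results for <b>{html.escape(query, quote=True)}</b>.</p>"


class Forum:
    """Level 2 shape (stored/persistent): posts are saved server-side and
    re-rendered for every visitor, so unescaped markup runs on every visit."""

    def __init__(self, escape_on_render: bool) -> None:
        self.posts: list[str] = []
        self.escape_on_render = escape_on_render

    def add_post(self, text: str) -> None:
        self.posts.append(text)

    def render(self) -> str:
        items = []
        for post in self.posts:
            body = html.escape(post, quote=True) if self.escape_on_render else post
            items.append(f"<li>{body}</li>")
        return "<ul>" + "".join(items) + "</ul>"


def markup_survives(rendered: str, user_input: str) -> bool:
    """Simple check a tester or a unit test can run: does the raw user-supplied
    markup appear verbatim in the rendered page? True means the page is
    rendering input as HTML rather than as text."""
    return user_input in rendered


if __name__ == "__main__":
    print("reflected, unsafe :", markup_survives(render_search_unsafe(SAMPLE_INPUT), SAMPLE_INPUT))
    print("reflected, safe   :", markup_survives(render_search_safe(SAMPLE_INPUT), SAMPLE_INPUT))
    vulnerable_forum = Forum(escape_on_render=False)
    vulnerable_forum.add_post(SAMPLE_INPUT)
    # The stored post survives every subsequent render, which is what makes it persistent.
    print("stored, unsafe    :", markup_survives(vulnerable_forum.render(), SAMPLE_INPUT))
    hardened_forum = Forum(escape_on_render=True)
    hardened_forum.add_post(SAMPLE_INPUT)
    print("stored, safe      :", markup_survives(hardened_forum.render(), SAMPLE_INPUT))
```

The `markup_survives` check is the same thing you are doing by eye in the lab: if the heading you typed renders as a heading instead of as literal text, the page is treating your input as HTML. Note that `html.escape` is the right fix only for input placed into HTML element content or a quoted attribute; input that ends up inside a `<script>` block, a URL, or a CSS context needs the encoding appropriate to that context.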
To deepen your understanding of the different levels of XSS, you should attempt the next few levels and see how far you get.