In this post we’ll have a look at the nodejs XSS attack/exploit in XVNA (eXtreme Vulnerable Node Application). Cross-site scripting is part of the OWASP Top 10 list that was published in 2017.
We’ll use the setup detailed here (XVNA runs on port 80). As a web proxy, Burp or ZAP are highly recommended, but you can use anything else that allows you to view/edit/send HTTP requests.
From the main dashboard in XVNA, we need to go to the A7:2017-XSS section. Here we are offered the option to pick an item and check its price.
If we study the request in our web proxy, we can see that the name of the item is passed in the id query parameter (GET /xss_r?id=<name>).
Let’s search again and intercept the request. Now we can modify the request and add some JavaScript code. In this example we’ll use a basic test, but feel free to try other, more interesting, payloads.
Instead of “Apple”, we now have code that should display a popup with the message “XSS”. Once you have made the changes to the request, you can forward it to the browser.
Yay, it works! Let’s see why 🙂
The page (a7_xss_reflected.html) will display the text “You have searched for <search term>”. Try with another term, let’s say XSS-test.
If we check the a7_xss_reflected.html page, we can see that it displays the value of trustedMessage.
A quick search reveals that the value is set in a7_xss_reflected.js, where $scope.trustedMessage’s value isn’t sanitized: the search term from the id parameter is handed to the view as trusted HTML, so any markup it contains is rendered rather than displayed as text.
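To make the root cause concrete, here is an added example (not XVNA’s own code, and not taken from a7_xss_reflected.js, which the post does not reproduce) that models the reflected search page with plain string templating instead of AngularJS. The function names (renderUnsanitized, renderSafe, escapeHtml, searchTermFromUrl, introducesMarkup) and the sample inputs are assumptions constructed for this example. It shows the vulnerable pattern (the id parameter inserted straight into the page) next to the fix (escaping on output), plus a small check a defender can run over request logs or in a test suite.

```javascript
// Added example modelling the post's reflected XSS; not XVNA's code.
// Assumed helper names and constructed inputs throughout.

// Escape the characters that matter in an HTML text context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pull the `id` query parameter out of a request line such as
// /xss_r?id=<name>, exactly as the post's intercepted request carries it.
function searchTermFromUrl(url) {
  const params = new URL(url, 'http://localhost').searchParams;
  return params.get('id') ?? '';
}

// Vulnerable pattern: the untrusted term becomes part of the page markup,
// which is what treating $scope.trustedMessage as trusted HTML amounts to.
function renderUnsanitized(term) {
  return `<p>You have searched for ${term}</p>`;
}

// Hardened pattern: the term is escaped first, so any tags inside it are
// shown to the user as literal text instead of being parsed by the browser.
function renderSafe(term) {
  return `<p>You have searched for ${escapeHtml(term)}</p>`;
}

// Detection helper: flag a search term that would introduce a tag-like
// sequence into the page. Useful when scanning access logs for the id
// parameter or as a regression check in the app's own tests.
function introducesMarkup(term) {
  return /<\s*[a-zA-Z!\/]/.test(String(term));
}

// Constructed sample requests (not from the original page).
const benignTerm = searchTermFromUrl('/xss_r?id=Apple');
const probeTerm = searchTermFromUrl(
  '/xss_r?id=' + encodeURIComponent('<script>alert("XSS")</script>')
);

console.log('benign, unsanitized :', renderUnsanitized(benignTerm));
console.log('probe, unsanitized  :', renderUnsanitized(probeTerm));
console.log('probe, escaped      :', renderSafe(probeTerm));
console.log('probe flagged?      :', introducesMarkup(probeTerm));
```

The fix is escaping at the point where the value enters HTML, not filtering the input: renderSafe still shows the user exactly what they typed, it just never lets the browser interpret it. In AngularJS terms, the default `{{ }}` interpolation already escapes; explicitly marking a value as trusted HTML is what switches that protection off, so reviewing every place a view marks a request-derived value as trusted is the quickest way to find this class of bug.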
Enjoy!