In this post we’ll have a look at the Node.js reflected XSS vulnerability in XVNA (eXtreme Vulnerable Node Application). Cross-site scripting is part of the OWASP Top 10 list published in 2017 (A7:2017).
From the main dashboard in XVNA, go to the A7:2017-XSS section. Here we are offered the option to pick an item and check its price.
If we study the request in our web proxy, we can see that the name of the item is passed as the value of the id query parameter (GET /xss_r?id=<name>).
Instead of “Apple”, we now put in a payload that should display a popup with the message “XSS” (for example a script element that calls alert('XSS')). Once you have made the changes to the request, forward it to the browser.
Yay, it works! Let’s see why 🙂
The page (a7_xss_reflected.html) displays the text “You have searched for <search term>”. Try it with another term, say XSS-test.
If we check the a7_xss_reflected.html page, we can see that it displays the value of trustedMessage.
A quick search reveals that the value is set in a7_xss_reflected.js, where $scope.trustedMessage is assigned the search term without any sanitization or output encoding. The browser therefore receives the parameter as markup rather than as text, so a script element inside it is executed.
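To make the mechanism concrete, here is an added example, not code from XVNA, that models the reflected-XSS sink and its hardened counterpart in plain Node.js. It stands in for the AngularJS code described above: the route, the function names and the alert('XSS') payload are assumptions, and plain string concatenation is used in place of whatever binding XVNA actually uses. It pulls the id parameter out of a request target such as GET /xss_r?id=<name>, reflects it either raw (vulnerable) or entity-encoded (fixed), and includes the check a tester would run on the response body: did a script element survive as markup?

```javascript
// Added example, not XVNA's own code. Route, function names and payload are
// assumptions chosen to mirror the page's description of /xss_r?id=<name>.

// Encode the characters that change meaning in an HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Extract the `id` query parameter from a request target like /xss_r?id=Apple.
// URL is a Node.js global; the base is only needed to parse a relative target.
function extractId(requestTarget) {
  const u = new URL(requestTarget, 'http://localhost');
  return u.searchParams.get('id') ?? '';
}

// Vulnerable: the raw, user-controlled parameter is concatenated into markup,
// which is what an unsanitized trustedMessage amounts to.
function renderVulnerable(requestTarget) {
  const term = extractId(requestTarget);
  return `<p>You have searched for ${term}</p>`;
}

// Fixed: the parameter is entity-encoded before it reaches the HTML text
// context, so a script element arrives as inert text.
function renderFixed(requestTarget) {
  const term = extractId(requestTarget);
  return `<p>You have searched for ${escapeHtml(term)}</p>`;
}

// Quick check on a response body: does a script element survive as markup?
function reflectsScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample payload: the classic popup test.
const PAYLOAD = "<script>alert('XSS')</script>";
// encodeURIComponent leaves ' ( ) untouched, so the decoded value equals PAYLOAD.
const TARGET = '/xss_r?id=' + encodeURIComponent(PAYLOAD);

console.log('vulnerable:', renderVulnerable(TARGET));
console.log('fixed:     ', renderFixed(TARGET));
```

Running it prints the payload intact in the vulnerable response and entity-encoded in the fixed one. In an AngularJS front end the equivalent fix is to stop marking attacker-controlled strings as trusted HTML and let the framework's default escaping apply; the encoding shown here is what the browser should receive either way.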