{"id":263,"date":"2018-04-01T19:47:29","date_gmt":"2018-04-01T19:47:29","guid":{"rendered":"http:\/\/malwrforensics.com\/en\/?p=263"},"modified":"2018-04-02T03:06:19","modified_gmt":"2018-04-02T03:06:19","slug":"extreme-vulnerable-node-application-xvna-reflected-cross-site-scripting-xss-step-by-step-tutorial","status":"publish","type":"post","link":"https:\/\/malwrforensics.com\/en\/2018\/04\/01\/extreme-vulnerable-node-application-xvna-reflected-cross-site-scripting-xss-step-by-step-tutorial\/","title":{"rendered":"eXtreme Vulnerable Node Application (XVNA) – reflected cross-site scripting (XSS) step by step tutorial"},"content":{"rendered":"

In this post we\u2019ll have a look at the nodejs XSS attack\/exploit in XVNA (eXtreme Vulnerable Node Application). Cross-site scripting is part of the\u00a0OWASP Top 10<\/a>\u00a0list that was published in 2017.<\/p>\n

We\u2019ll use the setup detailed\u00a0here<\/a>\u00a0(XVNA runs on port 80). As a web proxy,\u00a0Burp<\/a>\u00a0or\u00a0ZAP<\/a>\u00a0are highly recommended, but you can use anything else that allows you to view\/edit\/send HTTP requests.<\/p>\n

From the main dashboard in XVNA, we need to go to the\u00a0A7:2017-XSS<\/strong>\u00a0section. Here we are offered the option to pick an item an check its price.<\/p>\n

\"\"<\/p>\n

If we study the request in our web proxy, we can see that the name of the item is given as a parameter to the id<\/em> variable (\/GET \/xss_r?id=<name><\/em>).<\/p>\n

\"\"<\/p>\n

Let’s search again and intercept the request. Now we can modify the request and add some javascript code. In this example we’ll use a basic test<\/a>, but feel free to try other, more interesting,\u00a0payloads<\/a>.<\/p>\n

\"\"<\/p>\n

Instead of “Apple”, we now have a code that should display a popup with the message “XSS”. Once you made the changes to the request, you can forward it to the browser.<\/p>\n

\"\"<\/p>\n

Yay, it works! Let’s see why \ud83d\ude42<\/p>\n

The page (a7_xss_reflected.html<\/em>) will display the text “You have searched for <search term><\/em>“. Try with another term, let’s say XSS-test<\/em>.<\/p>\n

\"\"<\/p>\n

If we check the a7_xss_reflected.html page, we can see that it displays the value of trustedMessage.\"\"<\/p>\n

A quick search, reveals that the value is set in a7_xss_reflected.js<\/em>, where\u00a0$scope.trustedMessage<\/em>‘s value isn’t sanitized.<\/p>\n

\"\"<\/p>\n

Enjoy!<\/p>\n","protected":false},"excerpt":{"rendered":"

In this post we\u2019ll have a look at the nodejs XSS attack\/exploit in XVNA (eXtreme Vulnerable Node Application). Cross-site scripting is part of the\u00a0OWASP Top 10\u00a0list that was published in 2017. We\u2019ll use the setup detailed\u00a0here\u00a0(XVNA runs on port 80). As a web proxy,\u00a0Burp\u00a0or\u00a0ZAP\u00a0are highly recommended, but you can use anything else that allows you […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[43,68,72,25,66],"class_list":["post-263","post","type-post","status-publish","format-standard","hentry","category-security","tag-cross-site-scripting","tag-nodejs","tag-owasp","tag-xss","tag-xvna"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[]}},"featured_image_urls_v2":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":""},"post_excerpt_stackable_v2":"

In this post we\u2019ll have a look at the nodejs XSS attack\/exploit in XVNA (eXtreme Vulnerable Node Application). Cross-site scripting is part of the\u00a0OWASP Top 10\u00a0list that was published in 2017. We\u2019ll use the setup detailed\u00a0here\u00a0(XVNA runs on port 80). As a web proxy,\u00a0Burp\u00a0or\u00a0ZAP\u00a0are highly recommended, but you can use anything else that allows you to view\/edit\/send HTTP requests. From the main dashboard in XVNA, we need to go to the\u00a0A7:2017-XSS\u00a0section. Here we are offered the option to pick an item an check its price. If we study the request in our web proxy, we can see that the name…<\/p>\n","category_list_v2":"Security<\/a>","author_info_v2":{"name":"malwrforensics","url":"https:\/\/malwrforensics.com\/en\/author\/u_malwrforensics\/"},"comments_num_v2":"0 comments","_links":{"self":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/263","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/comments?post=263"}],"version-history":[{"count":4,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/263\/revisions"}],"predecessor-version":[{"id":274,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/posts\/263\/revisions\/274"}],"wp:attachment":[{"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/media?parent=263"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/categories?post=263"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/malwrforensics.com\/en\/wp-json\/wp\/v2\/tags?post=263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}