XSS Introduction

Web applications power most business workflows, and Cross-Site Scripting (XSS) remains one of the easiest paths for attackers to compromise users. Recent incidents show that XSS is being used to steal sessions, deliver malware, and escalate attacks within a network. In this room, we'll focus on real-world XSS; how an attacker turns a vulnerable input into a working exploit; and practical mitigations developers can apply to reduce risk.

Scenario

A company has asked you to perform a penetration test on their internal web application. The application includes a public comments section, a user dashboard, and a news search option.

An immediate pentest is required to identify any vulnerabilities and prevent any data exfiltration or further damage.

Learning Objectives

This room will teach you about the following concepts:

• Understand common terminologies linked with XSS
• Identify and classify XSS types: reflected, stored, and DOM
• How to exploit XSS vulnerabilities
• Mitigation techniques for XSS vulnerabilities

Prerequisites

We expect you to have a fair understanding of the following concepts before starting the room:

• Understanding of IP addresses, ports, and protocols (Networking Concepts room)
• Familiarity with Windows system administration, including event logs and file system structure. (Windows Fundamentals 1 room)
• Cybersecurity Fundamentals: Basic knowledge of malware, phishing, and common attack vectors (Phishing Basics and Phishing Emails room)

Machine Access

Launch the AttackBox using the Start AttackBox button, and the Target machine using the Start Machine button below. 

Set up your virtual environment

To successfully complete this room, you'll need to set up your virtual environment. This involves starting both your AttackBox (if you're not using your VPN) and Target Machines, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.

Attacker machine

Status:Off

Target machine

Status:Off

Start Machine