XSS Attacks From HTML Attributes



Description

Learn how to launch XSS attacks when injecting into HTML attributes.


Video transcript

Hello, world! I'm Jesse from Chef Secure.

In the last recipe, you learned the most basic of XSS attacks – injecting script tags.

This only works in the most basic scenarios, and may not work even when a webpage is still vulnerable.

So in this recipe, I'm gonna show you how to unbasicify your payload.

How does your browser know where to find images to load?

HTML attributes.

What about where links go?

HTML attributes.

How about... CSS styles?

HTML attributes... mostly.

HTML attributes modify, or give data to, an HTML tag. But sometimes you can't trust this data, because it comes from people like... YOU!

Go to the Attribute Breakout example for this recipe below.

On the bottom there's the word "Hover." So if you hover your cursor over it, you'll see something that says, "change me."

So let's try typing something in the input box. Click the UPDATE button, and then hover again.

You'll see that it changed. So right click on "Hover"; select the inspect option.

Within the opening tag of this h1 element, you see two attributes: class and title.

The title attribute of the h1 element was updated with our input.

You see how the attributes are set using a name, an equals sign and a quoted value? This is how you set attributes.

These values can actually be single quoted, double quoted or even unquoted as long as there aren't any space characters, so your browser knows where the value ends and a new attribute begins.

HEY, LISTEN!

This is something very important.

To put it another way, as an attacker, this means you can break out of attributes using either single quotes, double quotes or space characters, depending on how the attribute is set.

Keep this in mind for later.

So what happens when we try injecting our basic payload from last recipe?

See for yourself.

Type in the basic payload from the last recipe: your opening script tag, an alert and then a closing script tag. Click the UPDATE button. And...

Absolutely nothing happens.

We need to rethink our payload so it works in both the normal content part of elements as well as within attributes.

Here we go. Start off with a closing quote to break out of the attribute.

Now where are we?

Inside the tag still. So we need to close out that tag with a greater-than symbol. Now you already know what to do here – just type in your basic script with an alert. And close your script tag. Click the UPDATE button. And...

There you go.

Since you closed the tag early, there are still some characters left over, but it doesn't really matter since you got your script to execute.

Now for an extra challenge, feel free to find a way to hide these remaining characters, so that if this were a real attack, it wouldn't be lookin' so sketchy right now.

Also, as I said earlier, this can work whether you're injecting into attributes, like we just did, or into the content of HTML elements. So, if you'd like to, feel free to go back to the example from the last recipe, and try it out there if you don't believe me... or you think I'm a liar.

Hey, I'm gonna break your payload again.

Go to the Textarea Breakout example for this recipe below, and try out your new payload.

We're now injecting inside a textarea, which is just a large area where text goes. Huh. Who'da thunk?

In web development, we use textareas all over the place to allow multi-line inputs such as emails, or status updates. But elements like textareas are unique in that they handle content differently than other elements.

See for yourself. Type in your new payload. Start with a double quote, followed by a greater-than symbol. Then enter your basic payload with script, alert, close script. Click the UPDATE button. And...

It doesn't work. So I want you to fix this payload now using the same thought process you did when breaking out of attributes earlier.

Ready?

Go!

Did you get it? All you gotta do is close out the textarea tag. So close textarea, followed by script, alert, close script. Click the UPDATE button. And you have a successful attack.

There's going to be a remaining closing textarea tag after this, but your lazy browser doesn't care, so neither do attackers.
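The two breakouts walked through above (the quoted title attribute and the textarea) come down to output encoding that ignores context. This added example, not part of the course material, renders the same h1 and textarea with and without context-appropriate escaping and uses Python's built-in HTML parser to show what the browser would actually see: whether the attribute value survives intact and whether a script start tag appears. The payloads and markup are constructed to match the transcript's description; the unquoted-attribute case is included because the transcript notes that a space ends an unquoted value.

```python
from html import escape
from html.parser import HTMLParser

# Constructed payloads matching the two breakouts described in the transcript.
ATTR_BREAKOUT = '"><script>alert(1)</script>'
TEXTAREA_BREAKOUT = '</textarea><script>alert(1)</script>'


class Probe(HTMLParser):
    """Records the h1 title attribute and whether a <script> start tag was parsed."""

    def __init__(self):
        super().__init__()
        self.title = None
        self.script_seen = False

    def handle_starttag(self, tag, attrs):
        if tag == "h1":
            self.title = dict(attrs).get("title")
        if tag == "script":
            self.script_seen = True


def probe(markup):
    """Return (title attribute as parsed, True if a <script> tag was opened)."""
    p = Probe()
    p.feed(markup)
    p.close()
    return p.title, p.script_seen


def title_unsafe(value):
    # The vulnerable example: input dropped straight into a quoted attribute.
    return f'<h1 class="hover" title="{value}">Hover</h1>'


def title_quoted_escaped(value):
    # Fix: keep the attribute quoted AND escape quote characters (quote=True).
    return f'<h1 class="hover" title="{escape(value, quote=True)}">Hover</h1>'


def title_unquoted_escaped(value):
    # Still broken: without quotes, a space ends the value even though quotes are escaped.
    return f'<h1 class="hover" title={escape(value, quote=True)}>Hover</h1>'


def textarea_unsafe(value):
    # The vulnerable textarea example: input dropped straight into the element body.
    return f'<textarea>{value}</textarea>'


def textarea_escaped(value):
    # Fix: encoding "<" means "</textarea>" can never be read as a closing tag.
    return f'<textarea>{escape(value)}</textarea>'
```

Running `probe` over each renderer shows the unsafe versions yield an emptied title or a parsed script tag, while the quoted-and-escaped title keeps the whole payload as inert text.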