INTRODUCTION

In this article, we are going to discuss about how to check for cross site scripting vulnerability in a web application. Before we begin, if you don’t know about cross site scripting then checkout this article where cross site scripting is explained in depth.

In general terms, cross site scripting vulnerability allows an attacker to inject their own malicious JavaScript code in a web application.

HOW TO CHECK FOR CROSS SITE SCRIPTING?

Checking for cross site scripting is quite easy. You just need to follow these steps below:

1- Check for any input functionality in a webpage.

2- If the input is getting reflected back to you then pass <>batman value in input field.

3- If the value gets reflected on the webpage then view the source code.

4- Check for the following response:

  • Input: <>batman Output in Source Code: <>batman –> Vulnerable.
  • Input: <>batman Output in Source Code: &lt;&gt;batman –> Maybe Vulnerable.
  • Input: <>batman Output in Source Code: %3c%3ebatman –> Maybe Vulnerable.
  • Input: <>batman Output in Source Code: batman –> Maybe Vulnerable.

In this article, we will cover the first (Vulnerable)response.

HOW I FOUND AN CROSS SITE SCRIPTING THAT GOT ME $$$:

I was hunting on private program that offers a coding platform to its users.(We’’ll call it Vulnerable Organization). The first thing that i started to do is visit crunch base to get more acquisitions of the company. I found that the company has 2 acquisitions(Lets say Org1 and Org2). There, i search Org1 on crunch base and found that this company also has one acquisition. (Let’s say Org3). After this, i started manual testing on the Org3’s website(let’s say testing.com). There i found an input field that is asking for name. I passed the value below and click on Go:

<script>alert(1)</script>

After that, i got the following result:

I quickly reported this vulnerability to the company and they rewarded me with $$$.

CONCLUSION

I hope you understand how to check for cross site scripting vulnerability. Checkout this other articles on cybersecurity:

Hacking Account with Phone Numbers