The objective of this blog is to perform a basic cross-site scripting (XSS) attack. XSS attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. They occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script. In this task, you will identify a vulnerable parameter within the Juice Shop order history section and send in your own malicious script to generate otherwise unintended results for unsuspecting visitors.
Setup Server
We will be using the Juice Shop server for testing in this blog. If you don’t know how to set up the Juice Shop server then click here.
Once the Juice Shop server is set up, then do the following steps:
- Register yourself on the website with a fake email & password.
- Do some shopping (Add items to checkout and then order them)
You should see your item at this link http://localhost:3000/#/order-history

Perform the XSS Attack
Click on the “Truck” button for one of your orders to show the delivery status of your order.

Notice the id parameter in the URL http://localhost:3000/#/track-result?id=b58c-2366c060df01737d with the b58c-2366c060df01737d portion. You could have a different URL with a different order number, but this is the portion to pay attention to. As the b58c-2366c060df01737d (or similar) is displayed on the screen, it could be susceptible to an XSS attack.
Paste the following string in place of the order number.
<iframe src="javascript:alert('xss')">
The URL would become:
localhost:3000/#/track-result?id=<iframe src="javascript:alert(`xss`)">
We are asking the website to run the JavaScript code alert('xss'), which should open an alert box displaying the text xss. You just need to press Enter and reload the page. If you see the alert box like the image below, then it’s good news for you: you just performed an XSS attack.

Now imagine what an attacker can do with this trick in his hands. He can replace alert('xss') with any JavaScript code he likes. He can steal important data (cookies, local storage, etc.). Let’s try replacing this JavaScript code with more meaningful code that asks the user for his/her password. To do that, replace the order number with the following code.
<iframe src="javascript:prompt(`Enter Your Password for Verification`,`XXXXX`)">
The above code would display a prompt box asking the user to enter his/her password. If the user is not familiar with this shady technique, he would think that this prompt box is legitimate and would not see any problem with entering his password and pressing “OK”.

If you are familiar with JavaScript, you might think it doesn’t matter whether the user types a password into the prompt box, because the password doesn’t go anywhere, not even into a variable. You are right, it doesn’t go anywhere, but the attacker has full control of the JavaScript: he can modify the code to save the password in a variable and send it to a different server using an API.
How Does This Attack Work?
An attacker would share a shady link like the one above with users, most of whom are not familiar with this kind of technique. Once a user has opened the link, he is in the attacker’s hands. As discussed earlier, any JavaScript code can be run using this technique, so it does not have to be an alert box or a prompt box. An experienced attacker would use more sophisticated code that steals the credentials in the background without the user noticing anything.
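The link works because the page displays the id value from the URL without treating it as plain text. The following added example (not part of the original post and not Juice Shop's own code) contrasts that pattern with a hardened one that validates and escapes the value; the function names and the order-id pattern are assumptions made for illustration.

```javascript
// Added example, not Juice Shop's code. Runs in Node or a browser console.
// ORDER_ID_PATTERN is an assumption modelled on the id shown in the post:
// groups of hex digits separated by dashes.
const ORDER_ID_PATTERN = /^[0-9a-f]+(-[0-9a-f]+)*$/i;

// Constructed sample URLs: one ordinary tracking link, one carrying the
// alert payload from the post in place of the order number.
const SAMPLE_BENIGN_URL = 'http://localhost:3000/#/track-result?id=b58c-2366c060df01737d';
const SAMPLE_HOSTILE_URL =
  'http://localhost:3000/#/track-result?id=<iframe src="javascript:alert(`xss`)">';

// Pull the id parameter out of a hash-routed URL (#/track-result?id=...).
function trackingIdFromUrl(url) {
  const hashAt = url.indexOf('#');
  if (hashAt === -1) return null;
  const fragment = url.slice(hashAt + 1);
  const queryAt = fragment.indexOf('?');
  if (queryAt === -1) return null;
  return new URLSearchParams(fragment.slice(queryAt + 1)).get('id');
}

// Encode the characters that let text break out of HTML content or a
// quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the id is concatenated into markup unchanged, so
// any tags it contains become part of the page.
function renderUnsafe(id) {
  return `<code>${id}</code>`;
}

// Hardened pattern: accept only ids that look like an order number, and
// escape the value anyway in case the pattern is ever loosened.
function renderSafe(id) {
  if (typeof id !== 'string' || !ORDER_ID_PATTERN.test(id)) {
    return '<code>invalid order id</code>';
  }
  return `<code>${escapeHtml(id)}</code>`;
}

for (const url of [SAMPLE_BENIGN_URL, SAMPLE_HOSTILE_URL]) {
  const id = trackingIdFromUrl(url);
  console.log('unsafe:', renderUnsafe(id));
  console.log('safe:  ', renderSafe(id));
}
```

In a real front end, the same effect comes from assigning the value with textContent or the framework's default text binding instead of building HTML strings.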
Conclusion
Cross-site scripting (XSS) attacks can be very dangerous, as they can fool anyone. To protect yourself from such attacks, you should never open links from suspicious sources. If you still want to explore what such a link contains, I would suggest creating a virtual machine, opening the link there, and not entering any real information about yourself.
About Me
I’m Usama Imdad, a full-stack developer / AI engineer. I write technology-related blogs occasionally. I hope you enjoyed reading this article! If you liked the blog and learned anything new today, share this post with friends. If you have any questions or suggestions, drop a comment. I will try as soon as possible to answer your queries.