# Pentesterlabs - Web For Pentester 1 - XSS Challenges

This guide will walk you through the Pentesterlabs - Web for pentester 1 XSS challenges.

The XSS challenge consists of 9 different tests, increasing in difficulty level as you progress.

Each level employs new filtering and protection techniques, so it is imperative that you learn to adapt your XSS payloads to the target.

Now if you’re ready to get started, let’s get into it.

## My Setup

My setup for this challenge includes:

1. Kali Linux testing VM
2. Burp Suite
3. Browser: Firefox ESR, proxied through Burp Suite
4. Web for Pentester 1 installed in a VM

## Challenge 1

Challenge source code for reference:

```php
<?php require_once '../header.php'; ?>
<html>
Hello
<?php
echo $_GET["name"]; ?> <?php require_once '../footer.php'; ?>
```

Challenge 1 starts off with a blank web page and the text “hello hacker”. The webpage itself is fairly bland. Turning to the URL, we see that the website runs on PHP, and this page takes a URL parameter called “name”, which is currently set to “hacker”.

By changing this URL parameter to “pentester”, we can see that the web page now shows “hello pentester”. So the value in the URL is being reflected in the page body. I wonder if this will accept angle brackets? :thonk:

Passing the name parameter the payload `pentester<123>` shows that the webpage reflects the angle brackets. If we look at the response in Burp Suite, it is clear that these angle brackets are not being encoded, and are instead being treated as part of the HTML code! Note that Burp syntax-highlights the `<123>` portion, which indicates that it recognises it as a potential HTML tag.

Now for the payload! Now that we know the page accepts and renders angle brackets, we can try a `<script>` payload. Here I am using `<script>alert('xss')</script>` as my attacking payload.

YAY! IT WORKED!

Congratulations on completing challenge 1. Let’s move on to the next.

## Challenge 2

Challenge source code for reference:

```php
<?php require_once '../header.php'; ?>
Hello
<?php
$name = $_GET["name"];
$name = preg_replace("/<script>/", "", $name);
$name = preg_replace("/<\/script>/", "", $name);
echo $name;
?>
<?php require_once '../footer.php'; ?>
```


At first sight, challenge 2 looks identical to challenge 1… did they make a mistake?

Let’s find out.

Challenge 2 starts the same way, with a webpage containing “hello hacker”, and a URL with the “name=hacker” parameter. It even reflects our input the same as the last one did!

Since this is all the same as last time, surely the same payload will work again …right?

But…. But… Where is the XSS???

This is the first stage where we encounter input filtering. After submitting this payload, we can see that the web page rendered “hello alert(‘xss’)”, but does not show the script tags we included. From this we can see that it is only stripping the script tags; everything else is reflected untouched.

Let’s test this theory by injecting something other than script tags, which will show us whether the HTML is still rendering our code:

By using a `<h2>` heading tag, we have confirmed that there is still HTML injection. Which means that XSS is still possible, we just need to amend our payload!

Unfortunately for developers, filtering user input with a blacklist is difficult, because there are a lot of cases to cover. Looking at the source, the developer only strips the literal strings `<script>` and `</script>` with `preg_replace`, and the patterns carry no `i` modifier, so the match is case-sensitive.

If we CaMeL CaSe the payload, it won’t match the case-sensitive pattern, so `<ScRiPt>alert('xss')</ScRiPT>` gets through unchanged. (A payload that never uses a `<script>` tag, such as an `<img>` with an `onerror` handler, would pass this filter too, and so would `<scr<script>ipt>`, because the replacement runs only once and what is left after the strip is a complete `<script>` tag.)

It works! XSS achieved!

Now on to challenge 3.

## Challenge 3

Challenge source code for reference:

```php
<?php require_once '../header.php'; ?>
Hello
<?php
$name = $_GET["name"];
$name = preg_replace("/<script>/i", "", $name);
$name = preg_replace("/<\/script>/i", "", $name);
echo $name;  // output line taken from the challenge 2 listing; only the /i modifier differs
?>
<?php require_once '../footer.php'; ?>
```

Only the tail end of the next two listings survives on this page:

```php
    die("error");
}
?>
```
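The filters in challenges 2 and 3 are simple enough to model outside PHP. The following Python script is an added example, not code from the post or from PentesterLab: it reproduces the `preg_replace` filters of challenges 1 to 3 with `re.sub` (PHP's `/i` modifier becomes `re.IGNORECASE`), runs the post's two `<script>` payloads plus two constructed ones through them, and shows the fix, which is to encode for the HTML body context with `html.escape` (the equivalent of PHP's `htmlspecialchars($name, ENT_QUOTES)`) instead of stripping. The payload table and the `contains_tag` check are my own and not part of the challenge.

```python
import html
import re

# Constructed test payloads. The first two are the post's own payloads for
# challenges 1 and 2; the last two are added here to show what a tag
# blacklist misses.
PAYLOADS = {
    "script tag":    "<script>alert('xss')</script>",
    "mixed case":    "<ScRiPt>alert('xss')</ScRiPT>",
    "no script tag": "<img src=x onerror=alert('xss')>",
    "nested tag":    "<scr<script>ipt>alert('xss')</scr</script>ipt>",
}


def challenge1(name: str) -> str:
    """Challenge 1: echo $_GET["name"] with no filtering at all."""
    return name


def challenge2(name: str) -> str:
    """Challenge 2: preg_replace("/<script>/", "", $name) and the same for the
    closing tag. No /i modifier, so the match is case-sensitive."""
    name = re.sub(r"<script>", "", name)
    name = re.sub(r"</script>", "", name)
    return name


def challenge3(name: str) -> str:
    """Challenge 3: the same two replacements with the /i modifier, so
    changing the case of the tag no longer helps. The replacement still runs
    only once, so a nested tag reassembles itself after the strip."""
    name = re.sub(r"<script>", "", name, flags=re.IGNORECASE)
    name = re.sub(r"</script>", "", name, flags=re.IGNORECASE)
    return name


def hardened(name: str) -> str:
    """The fix for an HTML body context: encode rather than strip. This is
    the equivalent of PHP's htmlspecialchars($name, ENT_QUOTES)."""
    return html.escape(name, quote=True)


def contains_tag(rendered: str) -> bool:
    """Rough check for this demo: does the reflected text still contain the
    start of an HTML tag (a '<' followed by a letter)?"""
    return re.search(r"<[A-Za-z]", rendered) is not None


def survivors(filter_fn) -> list:
    """Labels of the constructed payloads that still contain a tag after the
    given filter has run over them."""
    return [label for label, payload in PAYLOADS.items()
            if contains_tag(filter_fn(payload))]


if __name__ == "__main__":
    for fn in (challenge1, challenge2, challenge3, hardened):
        print(f"{fn.__name__:<10} lets through: {survivors(fn)}")
```

Run it and the three filters line up as the walkthrough describes: challenge 2 lets the mixed-case tag through, challenge 3 does not, and neither stops a payload that avoids the `<script>` tag or nests it, while the encoding fix lets nothing through.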

## Challenge 6

This means that our destination (the place our payload ends up) is now inside the statement `var $a = "{destination}";`. What we need to do here is “escape” out of the double quotes and complete the remainder of the JavaScript line before we can add our own line of malicious code.

Our first step is to add a double quote to break out of the existing ones. This can simply be done using `"alert(1)`.

Once we have that, we need to complete the line with valid syntax by adding a semicolon to end the statement. Our payload is now `";alert(1)`.

If we run this as-is, we can see that our payload fails with an error in the console. This means that we have not properly completed the line. If we refer back to the HTML code in Burp, we can see that even though we have broken out of the double quotes, the page still appends its own closing double quote to the end of our payload, causing a syntax error.

In order to fix this, we can comment out the rest of the line using `//`. Now our payload should work.

Payload used: `";alert('xss')//`

## Challenge 7

Challenge source code for reference:

```php
<?php require_once '../header.php'; ?>
Hello
<script>
var $a = '<?php echo htmlentities($_GET["name"]); ?>';
</script>
<?php require_once '../footer.php'; ?>
```

Challenge 7 is identical to challenge 6, except that the string is delimited with a single quote instead of a double quote, and the value now passes through `htmlentities()`. That does not help here: with its default flags (`ENT_COMPAT`, the default before PHP 8.1) `htmlentities()` encodes `"` but leaves `'` alone, and HTML entity encoding is the wrong encoding for a JavaScript string context in any case, so a single quote still terminates the string.

Payload used: `';alert('xss')//`

## Challenge 8

Challenge source code for reference:

```php
<?php require_once '../header.php';
if (isset($_POST["name"])) {
    echo "HELLO " . htmlentities($_POST["name"]);
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
    <input type="text" name="name" />
    <input type="submit" name="submit" />
</form>
<?php
require_once '../footer.php';
?>
```


Challenge 8 is a bit of a step up in terms of difficulty, as it relies on some problem-solving skills and works very differently from the previous challenges.

Challenge 8 is a new type of challenge that presents you with a prompt asking for your name and a button that says “submit query”, with nothing special in the URL.

If we try all of our usual attacks, we can see that the response is properly encoding our XSS payloads as `&lt;` and `&gt;` (the entities for the less-than and greater-than symbols, `<` and `>`). That is the `htmlentities()` call on the POST parameter in the source doing its job.

After exhausting all options in the input box, we return to the URL, looking for something that will reflect our input.

No such luck there, however if we play around with the URL a bit we can see that adding characters directly after `example8.php` results in a 404 not found page:

but if we add a `/` before our characters, it doesn’t matter what we give it, the same page loads again. The web server still maps the request to `example8.php` and passes the trailing `/...` to PHP as path info, and `$_SERVER['PHP_SELF']` includes that path info.

At this point, we turn to the HTML code to see if this gives us any clues.

If we play around with various tag closings, we can see that most do nothing, however a combination of `"` and `>` (i.e. exiting a string and closing an HTML tag) will print the rest of that line of HTML to the screen.

In our HTML code, we can see that our input in the URL is being reflected, unencoded, into the form’s “action” attribute. Using this, we can see the rest of the HTML line that needs to be completed for our payload to work.

The easiest way to do this is to simply take the remainder of the line and put it after the `/` in the URL:

By doing this, we have successfully completed the line of HTML code, and now have an injection point for our XSS payload within the form body. Since the payload rides in the URL path, it can be delivered as a link; the form never needs to be submitted.

We can now use a standard XSS payload to complete the challenge.

Payload used: `/" method="POST"><img src=x onerror=alert('xss')>`
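Challenges 6, 7 and 8 are the same mistake in different output contexts: a JavaScript string literal (6 and 7) and an HTML attribute (8), each encoded for the wrong context or not at all. The following Python script is an added example, not code from the post or from PentesterLab. It models the three sinks as string templates, models `htmlentities()` for ASCII input with and without `ENT_QUOTES`, models `$_SERVER['PHP_SELF']` including path info, and includes two small checkers of my own (`js_string_closes_early`, `tag_closes_early`) that report whether a payload escaped its context. The hardened renderers use a JSON string literal with `<`, `>` and `&` turned into `\u00xx` escapes for the script context and `html.escape` for the attribute. The script path `/xss/example8.php` and every payload other than the post's own are assumptions.

```python
import html
import json
from typing import Optional

SCRIPT = "/xss/example8.php"   # assumed path of the challenge 8 page
# The post's challenge 8 payload appended to that path.
ATTACK_PATH = SCRIPT + '/" method="POST"><img src=x onerror=alert(\'xss\')>'


def htmlentities(s: str, ent_quotes: bool = False) -> str:
    """Model of PHP htmlentities() for ASCII input. ENT_COMPAT, the default
    before PHP 8.1, encodes & < > and the double quote but leaves the single
    quote alone; ENT_QUOTES encodes the single quote as well."""
    out = (s.replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&quot;"))
    return out.replace("'", "&#039;") if ent_quotes else out


def js_string_literal(value: str) -> str:
    """Context-correct encoding for a value placed inside <script>: a JSON
    string literal (quotes included, backslashes and quotes escaped) with
    < > & turned into \\u escapes, so the HTML parser can never see a
    </script> or <!-- inside it."""
    return (json.dumps(value).replace("<", "\\u003c")
            .replace(">", "\\u003e").replace("&", "\\u0026"))


# --- challenges 6 and 7: JavaScript string context ---------------------------

def render_challenge6(name: str) -> str:
    """var $a = "<?php echo $_GET["name"]; ?>";  (no encoding at all)"""
    return f'var $a = "{name}";'


def render_challenge7(name: str, ent_quotes: bool = False) -> str:
    """var $a = '<?php echo htmlentities($_GET["name"]); ?>';"""
    return f"var $a = '{htmlentities(name, ent_quotes)}';"


def render_script_safe(name: str) -> str:
    """The fix: let the JS encoder supply the quotes and escape the value."""
    return f"var $a = {js_string_literal(name)};"


def js_string_closes_early(line: str, quote: str) -> bool:
    """Scan a line of the form  var $a = <quote>...<quote>;  and report whether
    the first unescaped closing quote is followed by anything other than the
    statement's ';'. True means the payload broke out of the literal and the
    rest of the line runs as code."""
    i = line.index(quote) + 1
    while i < len(line):
        if line[i] == "\\":          # escaped character: skip it and the next one
            i += 2
            continue
        if line[i] == quote:
            return line[i + 1:].strip() != ";"
        i += 1
    return False                     # unterminated literal: syntax error, nothing runs


# --- challenge 8: HTML attribute context -------------------------------------

def php_self(request_path: str) -> Optional[str]:
    """$_SERVER['PHP_SELF'] is the script path plus any trailing path info.
    /xss/example8.php/anything still serves example8.php and reports the
    whole path; /xss/example8.phpanything maps to no script (404 -> None)."""
    if request_path == SCRIPT or request_path.startswith(SCRIPT + "/"):
        return request_path
    return None


def render_form(php_self_value: str, encode: bool = False) -> str:
    """<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">; the
    fix is htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES), or better, not
    reflecting the request path at all."""
    action = html.escape(php_self_value, quote=True) if encode else php_self_value
    return f'<form action="{action}" method="POST">'


def tag_closes_early(form_line: str) -> bool:
    """True when the reflected value terminated the action attribute and the
    <form> tag, leaving attacker markup after the tag."""
    value_start = form_line.index('action="') + len('action="')
    value_end = form_line.index('"', value_start)   # first quote ends the attribute
    tag_end = form_line.index(">", value_end)       # first '>' after it ends the tag
    return "<" in form_line[tag_end + 1:]


if __name__ == "__main__":
    print(render_challenge6('";alert(\'xss\')//'))
    print(render_challenge7("';alert('xss')//"))
    print(render_challenge7("';alert('xss')//", ent_quotes=True))
    print(render_script_safe('";alert(\'xss\')//'))
    print(render_form(php_self(ATTACK_PATH)))
    print(render_form(php_self(ATTACK_PATH), encode=True))
```

The two checkers are deliberately minimal (they only follow quotes and backslashes, not the full JavaScript or HTML grammar), but they are enough to show the pattern: `ENT_QUOTES` happens to rescue challenge 7 only because the payload needs a single quote, whereas a JSON literal with `\u003c` escaping is safe for any value in the script context, and attribute encoding is what challenge 8's `action` needed.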

## Challenge 9

Challenge 9 is an easy one, as it is essentially the same as the previous challenges, however it introduces a new type of XSS known as DOM-based XSS: the page’s own JavaScript reads the part of the URL after the `#` and writes it into the document, so the payload never goes to the server.

Unfortunately this challenge no longer works in most modern browsers. That is not because browsers block DOM-based XSS in general (Chromium removed its XSS Auditor in 2019 and Firefox never shipped one); the likely reason is that browsers following the WHATWG URL Standard percent-encode `<` and `>` in the fragment, so `location.hash` hands the page `%3Cscript%3E` rather than a tag. I was not able to successfully exploit this issue using the versions of Firefox and Chromium I had installed, however if you use something less secure like Internet Explorer, this exploit will run successfully.

When run in Firefox, the payload that is supposed to work (replacing the text after the `#` with a standard script alert(1)) is reflected into the page but does not execute.

## You’re Done

Congratulations! You’ve made it all the way through the Pentesterlabs XSS challenges in Web for Pentester 1!

Now time to move on to the next lot of challenges.

Stay tuned for upcoming posts and walkthroughs for the other challenges in Web for Pentester 1.

Happy Hacking Everyone