Additional SCRIPT Elements

Overview

In this lab you will learn different SCRIPT elements to reflect session IDs using document.location, document.cookie, new Image().src. You will also learn how the preg_replace function can be used to disallow SCRIPT elements from executing, but can be bypassed with others.

outcomes

In this lab, you will learn to:

Use URL encoding in the browser to reflect session information using JavaScript.
Implement a security control for remote reflected XSS JavaScript vulnerabilities.
Bypass the implemented security control.

VIDEOS

Before you start this lab, review these videos.

Reflected Session Information

Implementing a Security Control

Verifying the Control Works

Courses

Pentesting and Understanding Vulnerabilities - Skill Labs

Key terms and descriptions

www

The World Wide Web (www) is a client–server system that allows documents and web resources be available over the Internet.

HTTP

HTTP is an application layer protocol that allows web browsers to communicate with web servers. HTTP is a stateless protocol, so it does not maintain state between requests.

HTML

The Hypertext Markup Language (HTML) is the standard format of a web page.

PHP

PHP is a server-side scripting language used to create web applications.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is a type of injection attack that involves exploitations through code.