Reflected XSS Mitigation and URL Encoding
In this lab you will learn how to mitigate and then bypass a reflected Cross-Site Scripting (XSS) vulnerability. You will learn why URL characters need to be encoded. You will also learn how PHP's str_ireplace function can be used to strip some SCRIPT elements so that they do not execute; however, it will not strip all SCRIPT elements.
Outcomes:
In this lab, you will learn to:
- Understand why URL encoding is important.
- Implement a security control for reflected XSS vulnerability.
- Bypass the implemented security control.
VIDEOS:
Before you start this lab, review these videos.
Overview
In this lab, we are going to demonstrate why we encoded the SCRIPT element when defining the myusername variable inside of the browser. We will also implement a security control that will mitigate the reflected XSS attack in the Reflected XSS lab. Your pentesting assignment will be to bypass the security control.
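The following is an added example, not the lab's own code, that puts the two ideas from this lab side by side: percent-encoding the myusername query parameter so that characters such as `<`, `>`, `&` and `"` survive the trip as data, and contrasting a str_ireplace denylist (the style of control the lab implements) with context-aware output encoding via htmlspecialchars. The function names, the `reflected.php` page name and the sample inputs are assumptions made for the example.

```php
<?php
// Added example (not part of the lab). Assumed names: encodeUsernameParam,
// weakFilter, safeHtml, renderGreeting and the page name reflected.php.

// URL encoding: a value placed in a query string must be percent-encoded,
// otherwise characters that are special in URLs or HTML are misparsed
// before the server ever sees them.
function encodeUsernameParam(string $username): string {
    // rawurlencode follows RFC 3986 (a space becomes %20, not '+')
    return 'reflected.php?myusername=' . rawurlencode($username);
}

// The lab's style of control: case-insensitive removal of the literal
// strings "<script>" and "</script>". This is a denylist on one spelling of
// one element, so any input that is not spelled exactly that way is passed
// through untouched. Removal filters are brittle for that reason.
function weakFilter(string $input): string {
    return str_ireplace(['<script>', '</script>'], '', $input);
}

// The recommended control: encode for the HTML text context at output time.
// Every HTML-significant character is escaped, so the browser renders the
// value as text regardless of how it is spelled or cased.
function safeHtml(string $input): string {
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Reflection point: the greeting echoes the user-controlled value back into
// the page, which is exactly where output encoding has to happen.
function renderGreeting(string $username): string {
    return '<p>Welcome, ' . safeHtml($username) . '</p>';
}

// Constructed sample inputs for demonstration.
$samples = [
    'alice',
    'Bob & Co',
    '<SCRIPT>alert(1)</SCRIPT>',
];

foreach ($samples as $s) {
    echo "input:       {$s}\n";
    echo "url param:   " . encodeUsernameParam($s) . "\n";
    echo "weakFilter:  " . weakFilter($s) . "\n";
    echo "renderGreet: " . renderGreeting($s) . "\n\n";
}
```

Running this shows that `<SCRIPT>alert(1)</SCRIPT>` is reduced to `alert(1)` by the str_ireplace filter (the tag is gone but the payload text remains, and only that exact element spelling was matched), while `renderGreeting` turns every angle bracket into `&lt;` and `&gt;` so nothing is interpreted as markup. The query-string line shows the same input percent-encoded as `%3CSCRIPT%3Ealert%281%29%3C%2FSCRIPT%3E`, which is why the lab encodes the SCRIPT element when defining myusername in the browser.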