Remote Reflected XSS Mitigation and URL Encoding

In this lab, you will learn how to control and bypass a remote reflected XSS vulnerability. You will learn to URL-encode characters using terminal PHP. You will also learn how the preg_replace function can be used to disallow some SCRIPT elements from executing, but not all.

Outcomes

In this lab, you will learn to:

  1. Use URL encoding within the terminal.
  2. Implement a security control for remote reflected XSS vulnerability.
  3. Bypass the implemented security control.

Videos

Before you start this lab, review these videos.

URL Encoding within the Terminal

Implementing a Security Control

Verifying the Control Works

Overview

The development of this document is funded by the Boston Area Advanced Technological Education Connections (BATEC) Grant No. NSF-0703097 through Bunker Hill Community College.

When doing administration, the simplest answer is usually the best answer. If you are aware of what characters can cause problems within the browser, you can simply use an alternative method for URL encoding. This lab will demonstrate URL encoding using terminal PHP. It will also introduce a security control (preg_replace) that can be bypassed, which is a part of your pentesting assignment.

Key terms and descriptions

URL encoding
URL encoding is a technique used to encode information in a Uniform Resource Locator (URL) so that it can be transmitted through web browsers.
preg_replace
PHP preg_replace is a function that replaces all occurrences of a given string pattern with another. The function takes three arguments: the search string, the replacement string, and an optional list of strings containing the strings to be replaced.
Remote reflected XSS
A remote reflected XSS attack is an attack that occurs when a malicious script redirects the website’s results or response to a collection server.
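
The following is an added example, not the lab's own code, showing the two ideas from the overview side by side: URL encoding from terminal PHP, and a preg_replace blocklist compared with HTML output encoding. The filter pattern, function names and sample inputs are assumptions; the lab's actual pattern does not appear on this page.

```php
<?php
// Added example, not the lab's own code. The filter pattern is an assumption;
// the lab's actual preg_replace pattern is not shown on this page.

// Constructed sample inputs: harmless values standing in for a reflected parameter.
$samples = [
    'plain text'   => 'Alice & Bob',
    'script tag'   => '<script>alert(1)</script>',
    'other markup' => '<b title="x">bold</b>',
];

// 1. URL encoding from the terminal: how each character travels in a query string.
function encode_for_url(string $value): string
{
    return rawurlencode($value);   // RFC 3986: space becomes %20, < becomes %3C
}

// 2. Blocklist control (hypothetical pattern): strips only literal <script> tags.
function blocklist_filter(string $value): string
{
    return preg_replace('#</?script>#', '', $value);
}

// 3. Output encoding: neutralises every HTML metacharacter, whatever the tag.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($samples as $label => $raw) {
    // The server sees the decoded value, so any control must run on that.
    $received = rawurldecode(encode_for_url($raw));
    printf(
        "%s\n  url-encoded : %s\n  blocklist   : %s\n  html-encoded: %s\n\n",
        $label,
        encode_for_url($raw),
        blocklist_filter($received),
        encode_for_html($received)
    );
}
```

Save it under any name and run it with the PHP command-line interpreter. The "other markup" sample comes out of the blocklist unchanged, because the pattern only removes what it matches, while htmlspecialchars encodes it along with everything else.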