XSS Back Button - I Can See You From Behind

How it works
  1. Go to your target URL https://www.website.com/ and use Burp Suite (Spider the website) to find parameters or search boxes
  2. In my case I got a search box so I entered a very old payload "><svg/onload=alert(333)> which is obsolete but still works
[Figures: Payload; Source Code Sanitized; Source Code 2]
  • Filter input on arrival - At the point where user input is received, filter as strictly as possible based on what is expected or valid input.
  • Encode data on output - At the point where user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as active content. Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
  • Use appropriate response headers - To prevent XSS in HTTP responses that aren’t intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.
  • Content Security Policy - As a last line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.
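The output-encoding and header points above, worked through as an added example (not code from the write-up): the search term is the payload from step 2, and the page layout, header set and nonce handling are assumptions.

```python
import html
import json
import secrets
from urllib.parse import quote

# Sample input: the reflected search term used in step 2 of the write-up.
PAYLOAD = '"><svg/onload=alert(333)>'


def encode_for_html(value: str) -> str:
    """HTML body text or quoted attribute: escape & < > " ' so the value stays text."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JS string literal inside <script>: JSON-quote, then hide < and > so a
    '</script>' inside the value cannot close the block early."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def encode_for_url(value: str) -> str:
    """Query-string component: percent-encode everything but unreserved chars."""
    return quote(value, safe="")


def render_search_page(query: str) -> tuple[str, dict]:
    """Build the /search?q=... response with the term encoded per output context
    and the response headers the remediation list recommends (assumed layout)."""
    nonce = secrets.token_urlsafe(16)
    body = (
        "<!doctype html><html><body>"
        f"<h1>Results for {encode_for_html(query)}</h1>"
        f'<input type="text" name="q" value="{encode_for_html(query)}">'
        f'<a href="/search?q={encode_for_url(query)}">permalink</a>'
        f'<script nonce="{nonce}">var lastQuery = {encode_for_js_string(query)};</script>'
        "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        # Only scripts carrying this response's nonce may run, so an injected
        # inline handler such as onload= is blocked even if encoding is missed.
        "Content-Security-Policy": f"default-src 'self'; script-src 'nonce-{nonce}'; object-src 'none'",
    }
    return body, headers


def contains_raw_markup(rendered: str) -> bool:
    """True if the <svg> tag from the payload survived as live markup."""
    return "<svg" in rendered
```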

Jerry Shah (Jerry)