
  • Testing for XSS in the real world assuming…

    Posted by Anthony on June 18, 2021 at 5:04 pm

    Would it be safe to assume that, no matter what site you test, it is automatically set on the “Hard” or “Impossible” category, as when we practice on DVWA? Would it be best to test with more “Exotic” payloads rather than basic ones, since those are for the most part not realistic to exploit these days? I know simpler is better, but with some of these WAFs it is just a pain to think outside the box when it comes to XSS in the real world.

  • Christophe

    Administrator
    June 28, 2021 at 4:38 pm

    While the DVWA difficulty settings are helpful in test environments to try things out, I wouldn’t necessarily think of apps you’re testing in the real world as mapping to the “Hard” or “Impossible” levels. Every app is different, and some apps may have vulnerabilities that are extremely easy to exploit while at the same time having very difficult ones to exploit.

    I know some people use the term “exotic” payloads, but I don’t really know what that means. To me, a payload is a payload. I don’t really know what would make one payload more exotic than another apart from one person’s opinion. What I’m trying to say is that having a list of various payloads you can pick from is helpful, and that list should be wide and deep, because a payload that might work on one application could be completely useless on another (no matter how ‘exotic’ it is). ‘Basic’ payloads can also still be useful in testing out the application initially, to see what gets blocked, filtered, sanitized, etc., and then from there you can narrow down payloads that are more likely to make it through.

    So just because <script>alert(1)</script> is very unlikely to make it through nowadays (though I bet you could still find low-value targets that are still susceptible to that payload, unfortunately), it doesn’t always mean that the payload is completely useless. How is the application responding to the payload? Is it stripping out the word script? Is it giving you an error response? Is it stripping out the < > / but keeping script & alert(1)? It gives you clues as to what’s going on behind the scenes. Use that information to iterate and go from there.
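    The reply above is about reading what a filter does to the basic probe (which tokens it removes, which it keeps) and about why “stripped” is not the same as “safe”. The following is an added example, not code from this thread or from DVWA, written from the defender’s side: it audits three constructed stand-in filters (`stripScriptWord`, `stripAngleAndSlash`, `escapeHtml`, all hypothetical names) against the `<script>alert(1)</script>` probe and reports the same clues the reply lists, plus whether the output could still open an HTML tag if reflected into a page. Only the entity encoder makes the probe inert in an HTML text context; the two stripping filters merely change what survives.

```javascript
// Added example, not code from the forum thread or from DVWA. The three
// "sanitizers" below are constructed stand-ins for server-side filters; the
// point is to show what each one leaves behind when fed the basic probe
// payload the reply mentions, and which one is the correct mitigation.

const PROBE = "<script>alert(1)</script>"; // the basic probe from the post

// Constructed filter A: deletes the word "script" wherever it appears.
function stripScriptWord(input) {
  return input.replace(/script/gi, "");
}

// Constructed filter B: deletes < > and / but leaves letters and parentheses.
function stripAngleAndSlash(input) {
  return input.replace(/[<>\/]/g, "");
}

// Correct mitigation for an HTML text context: entity-encode the characters
// that have meaning to the HTML parser, so the browser renders them as text.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Turn a filter's output into the "clues" the reply talks about: what was
// removed, what survived, and whether the output could still open an HTML tag
// if it were reflected verbatim into a page.
function classifyResponse(output) {
  return {
    output,
    scriptTagPresent: /<script/i.test(output),
    scriptWordPresent: /script/i.test(output),
    angleBracketsPresent: /[<>]/.test(output),
    alertKept: output.includes("alert(1)"),
    entityEncoded: /&lt;|&gt;/.test(output),
    // An unencoded "<" followed by a letter is where the HTML tokenizer starts
    // a tag, so this is the property a text-context filter must rule out.
    couldOpenTag: /<[a-zA-Z]/.test(output),
  };
}

// Run every filter against the probe and collect one classification per filter.
function auditFilters(filters, probe = PROBE) {
  const report = {};
  for (const [name, fn] of Object.entries(filters)) {
    report[name] = classifyResponse(fn(probe));
  }
  return report;
}

const FILTERS = { stripScriptWord, stripAngleAndSlash, escapeHtml };

// Print the audit as a table when the file is run directly with `node`.
if (typeof require !== "undefined" && require.main === module) {
  console.table(auditFilters(FILTERS));
}
```

    Run it with `node` and read the table the way the reply suggests: `stripScriptWord` returns `<>alert(1)</>` (brackets and `alert(1)` survive, the word is gone), `stripAngleAndSlash` returns `scriptalert(1)script` (the word survives, the brackets are gone), and `escapeHtml` returns `&lt;script&gt;alert(1)&lt;/script&gt;`, which keeps every character but can no longer open a tag. When auditing your own application, swap the constructed filters for the real output-encoding function and check that `couldOpenTag` is false for every reflected value.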

    • Anthony

      Member
      June 28, 2021 at 5:26 pm

      Yes, getting past these WAFs has been a major headache via the manual route, but I have multiple XSS tools, and they still don’t do any better than manual hunting. It’s a total cluster mess on my end; I take breaks, spend time with family and so on. But after 13 months of coming up with nothing, it makes me question if this is really for me or not. I don’t really follow anyone in the hacking world other than you and maybe one other person. I don’t look anymore at how others get these massive bounties and flex it online. I just stick to myself and try to figure this out as I continue, because it has been extremely difficult.

      I know you have given me advice many times, and I am sorry I sound like a broken record; I am just trying to move forward.