How to test an XSS Reflected in POST request with payload

shuri
8 years ago

0

Hi,

I want to test a reflected XSS from a Qualys report.

Request:

Payload: mon_courriel=1&mon_message=%22'%3E%3Cqss%20%60%3b!--%3D%26%7b()%7d%3E&submit_courriel=1

Request: POST http://mywebsite.com/page_1/

Referer: http://mydomain.com

Cookie: ubvt=64.39.105.1121459611430772691; ubvt=64.39.105.1121459611430772691; overlaydisplayed=true; location=l2j1lvndf6kj9jqld9v6dhe5t0; AB_shared_session=r4alfdddd4; dp_session2[uuid]=6a52262417faa5283686abeb0f6e3b1e6183fa3efa6a5e; derniereRecherche=a%3A0%3A%7B%7D; _sp_id.c781=afab6569706.1.1459570524.1459569706; __gads=ID=b490ae7bdaf13cf4:T=1459569704:S=ALNI_Mby0ih34QcsLlP3LIU3hjaw;

Response:

lass="text"/>

Votre message : "'>


How can I re-test it manually, to see if I can reproduce it, and then test again once the developer has fixed it?

Thanks for your help,

Shuri

Numlock90
8 years ago

0

You would test it using a browser.

shuri
8 years ago

0

OK, but should I use this link:

http://mywebsite.com/page_1/mon_courriel=1&mon_message=%22'%3E%3Cqss%20%60%3b!--%3D%26%7b()%7d%3E&submit_courriel=1

Or:

http://mywebsite.com/page_1?mon_courriel=1&mon_message=%22'%3E%3Cqss%20%60%3b!--%3D%26%7b()%7d%3E&submit_courriel=1

Because I tried before starting my search, and I could not reproduce any POST XSS, just the GET one.

For a GET XSS, I use the link plus the payload, and I can see it in the code, or a popup, but with POST I don't know how….

Thanks again

Shuri

b1nary
8 years ago | edited 8 years ago

0

Tamper Data or any other tool that can manipulate POST/GET data, or use a JS XMLHttpRequest and check the response.

Burp Suite is also useful for this.

shuri
8 years ago | edited 8 years ago

0

Thanks b1nary,

I installed Burp and am trying it…

Numlock90
8 years ago

0

The Tamper Data add-on for Firefox would be easier than Burp
(I just think Burp is a bit overkill for this).

dloser
8 years ago

0

curl is pretty easy too… :p
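Pulling the suggestions above together (Tamper Data, Burp, an XMLHttpRequest, or curl): the reason the two GET links did not reproduce the finding is that a URL only carries a query string, while the Qualys request put the fields in a POST body. You either replay that body with a tool, or let a browser submit an equivalent form. The script below is an added example, not code from this thread or from Qualys. It takes the URL, field names and payload from the report in the first post, assumes the page reflects the field without needing the session cookies (so the Cookie header is omitted; add `-b 'name=value'` to curl if it does not), and uses the hypothetical file names `xss_post_retest.sh` and `poc_post.html`. It checks the raw response body rather than the rendered page, because a browser renders the `<qss ...>` tag as nothing, which is why only `Votre message : "'>` is visible in the report's response.

```shell
#!/bin/sh
# Added example (not from the thread): replay the Qualys POST with curl and
# classify how the marker comes back, then write a browser PoC form.
# TARGET and the field names come from the report; the cookie header is
# deliberately left out (assumption: not needed for the reflection).

TARGET="${TARGET:-http://mywebsite.com/page_1/}"

# URL-encoded body exactly as Qualys sent it (curl --data sends it verbatim
# with Content-Type: application/x-www-form-urlencoded).
POST_BODY="mon_courriel=1&mon_message=%22'%3E%3Cqss%20%60%3b!--%3D%26%7b()%7d%3E&submit_courriel=1"

# Decoded start of the marker: what a vulnerable page echoes back verbatim.
RAW_MARKER="\"'><qss"
# The same characters after HTML encoding (e.g. htmlspecialchars with ENT_QUOTES):
# seeing this instead means the developer's fix is in place.
ENC_MARKER="&quot;&#039;&gt;&lt;qss"

# check_reflection FILE
#   0 = VULNERABLE  (marker reflected unencoded, a tag was injected)
#   1 = OK          (marker reflected HTML-encoded)
#   2 = PARTIAL     (the word qss is there but quotes/brackets were altered)
#   3 = NOT REFLECTED
check_reflection() {
  if grep -qF -- "$RAW_MARKER" "$1"; then
    echo "VULNERABLE: marker reflected unencoded"
    return 0
  elif grep -qF -- "$ENC_MARKER" "$1"; then
    echo "OK: marker reflected HTML-encoded"
    return 1
  elif grep -qiF -- "qss" "$1"; then
    echo "PARTIAL: 'qss' present but quotes/brackets altered; inspect by hand"
    return 2
  else
    echo "NOT REFLECTED: marker absent from response"
    return 3
  fi
}

# replay_post URL OUTFILE: send the POST body and save the raw response body.
replay_post() {
  curl -sS -o "$2" \
    -H "Referer: http://mydomain.com" \
    --data "$POST_BODY" \
    "$1"
}

# make_post_form OUTFILE: write an HTML page with a self-submitting form so the
# same POST can be sent from a browser (open the file, then view the source of
# the resulting page; the injected <qss> tag is invisible when rendered).
# The value attribute holds the decoded payload, HTML-encoded for the attribute.
make_post_form() {
  cat > "$1" <<EOF
<html><body>
<form id="f" method="POST" action="$TARGET">
  <input type="hidden" name="mon_courriel" value="1">
  <input type="hidden" name="mon_message" value="&quot;'&gt;&lt;qss \`;!--=&amp;{()}&gt;">
  <input type="hidden" name="submit_courriel" value="1">
</form>
<script>document.getElementById("f").submit();</script>
</body></html>
EOF
}

main() {
  out="${1:-response.html}"
  replay_post "$TARGET" "$out" && check_reflection "$out"
  make_post_form poc_post.html
  echo "browser PoC written to poc_post.html"
}

# Usage: TARGET=http://mywebsite.com/page_1/ sh xss_post_retest.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Re-run the same script after the developer's fix: the result should move from VULNERABLE to OK, and the response should contain `&lt;qss` rather than `<qss`. A PARTIAL result (for instance `\"\'><qss` from backslash escaping) is not a fix, since backslashes do not stop an HTML tag from opening.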
