
If I do a test with a classic <script>alert(1)</script>, does the website owner see my attempt? Does XSS leave some trace behind?

I will try to build a little server on my Ubuntu with a bunch of websites to test something. Where could I find the evidence in the OS or server?

Benoit Esnard
onec0de
    The webserver logs will likely log the input from users. – schroeder Mar 15 '18 at 13:43
  • Define "see". Are you asking if they could see evidence from monitoring the web traffic (via WAF, IDS, wireshark, etc.), or are you asking whether there will be evidence left in the log files? – PopularIsn'tRight Mar 15 '18 at 19:56
  • I mean: my friend Alpha has a website, built and maintained by Beta's company. If I put in the alert script, can Alpha (as owner) or Beta see my input in some way? If yes, do they see both the input and who tried to do this (via IP or any other evidence)? – onec0de Mar 16 '18 at 12:29

2 Answers


What can the website owner see?

Basically everything.

If the XSS vector (<script>alert(1)</script> in your case) is part of:

- HTTP headers (including cookies)
- URL (path, query string) except the anchor part
- POST data (including uploaded files)

Then the website owner is able to see it.

If your XSS vector is client-side only, then the website owner may still log it if Content-Security-Policy has been configured to log attacks.


How to test XSS without being spotted?

Don't, unless you have been permitted to do so.

Run your own vulnerable webserver

Running your own webserver is not that hard:

echo '<?php echo $_GET["xss"];' > index.php   # single quotes, so the shell does not expand $_GET to nothing
php -S 0.0.0.0:80                             # binding port 80 needs root; a port above 1024 does not

This will start a webserver available at http://localhost/.

Known vulnerable applications

Also, check out some projects like Damn Vulnerable Web Application, created to help people learn some vulnerabilities.

Moreover, for XSS, there exist a lot of resources for learning about it:

Benoit Esnard


Here you can see an example of a reflected XSS tested against DVWA:

10.0.0.1 - - [15/Mar/2018:14:47:24 +0000] "GET /vulnerabilities/xss_r/?name=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E HTTP/1.1" 200 1715 "http://10.0.0.1/vulnerabilities/xss_r/" "Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"

If the site has any kind of additional security, like an IDS or a WAF, it will be detected and reported to the website owner.

Ipv7
  • Thanks, it's very clear. Just another question: from the log you posted, can you understand who made the script? Finally: where did you find the logs on a Linux machine? Thanks – onec0de Mar 16 '18 at 12:30
  • Sure, you can get the IP along with the data related to the platform and the browser. The logs come from the Apache service; it depends on which system is running, but usually: /var/log/httpd/ – Ipv7 Mar 19 '18 at 14:59
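To show what the access log line in this answer actually gives away, here is an added example (not code from the answer): a parser for Apache/nginx "combined" log lines that percent-decodes the request target, flags a few XSS signatures and pulls out the requester's IP, timestamp and User-Agent. The log lines inside it are constructed for the demonstration, modelled on the DVWA line above; they are not real traffic. On Ubuntu the file to run this against is /var/log/apache2/access.log (nginx: /var/log/nginx/access.log); /var/log/httpd/ is the RHEL-family location.

```python
"""Added example, not code from the answer: pull XSS attempts out of an Apache
'combined' access log and show what each one reveals about the requester.
SAMPLE_LOG is constructed for the demonstration, not real traffic."""
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
10.0.0.1 - - [15/Mar/2018:14:47:24 +0000] "GET /vulnerabilities/xss_r/?name=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E HTTP/1.1" 200 1715 "http://10.0.0.1/vulnerabilities/xss_r/" "Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
10.0.0.2 - - [15/Mar/2018:14:48:01 +0000] "GET /vulnerabilities/xss_r/?name=Bob HTTP/1.1" 200 1680 "-" "curl/7.58.0"
10.0.0.3 - - [15/Mar/2018:14:49:13 +0000] "GET /search?q=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.4 - - [15/Mar/2018:14:50:00 +0000] "POST /vulnerabilities/xss_s/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# combined format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Crude, illustrative signatures; a real WAF/IDS ruleset is far larger.
XSS_SIGNATURES = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "event handler": re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.I),
    "javascript: URL": re.compile(r"javascript\s*:", re.I),
}


def fully_decode(value, rounds=3):
    """Percent-decode until stable: a double-encoded payload (%253C) slips past
    a single unquote() and past any signature that only decodes once."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_xss_attempts(log_text):
    """One record per request whose decoded target matches a signature."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        decoded = fully_decode(entry["target"])
        matched = [name for name, rx in XSS_SIGNATURES.items() if rx.search(decoded)]
        if matched:
            hits.append({
                "ip": entry["ip"],          # who sent it (or their proxy/VPN exit)
                "time": entry["time"],
                "user_agent": entry["ua"],  # browser/tool fingerprint
                "target": decoded,          # the payload, in the clear
                "signatures": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["signatures"]} {hit["target"]}')
```

Two caveats the sample shows. The fourth line is a POST to a stored-XSS page and produces no hit: the default access log records only the request line, so the POST body that actually carried the payload is not there (a mod_security audit log or the application's own logging would have it). And the IP is whatever address connected to the server; behind a reverse proxy or CDN it is the proxy's, and the real client shows up only if the log format includes the X-Forwarded-For header.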