XSS Include

This exercise covers how one can use Cross-Site-Scripting Include to leak information.

< 1 Hr.
Orange Badge


This exercise covers the exploitation of a Cross-Site Scripting Include (XSSI) vulnerability, a common issue in modern applications that use JSON with Padding (JSONP). The main problem with the target application is that sensitive data is exposed when users access a JavaScript page. Because the application relies on cookies for authentication, a malicious server can request the same JavaScript page and access sensitive information. You'll learn how to craft a simple HTML page that gets the victim to visit it, thereby leaking the sensitive information back to your webserver.

The exploitation requires modifying the website's homepage by rewriting the display function. Instead of displaying the data on the page, the function will leak the information back to your webserver using image tags. This exercise provides practical experience in identifying and exploiting XSSI vulnerabilities, which are prevalent in applications using JSONP. By the end of this exercise, you will understand how these vulnerabilities can be exploited and the importance of securing applications against such threats.

Want to learn more? Get started with PentesterLab Pro! GO PRO