In this write-up, we present and cover the cross-site scripting (XSS) vulnerability, both reflected and stored, using Mutillidae.

Reflected XSS
Reflected XSS is the kind of XSS where the payload is returned straight back to the client's browser, which then executes it (for example, showing an alert or exposing a cookie). Unlike stored XSS, it is not saved in the website's database.
Common testing points for reflected XSS are input boxes and contact forms. In the
below figure, we have an input box that accepts a hostname.

Stored XSS
In stored XSS, the malicious JavaScript is saved in the website's database rather than being reflected back in the immediate response. This means we don't need to send a crafted URL to the target to steal their cookies: the payload executes every time any user visits the page into which we inserted the malicious JS.

Finding the Flaw: A Simple Test

The first thing I did was test if the website was even vulnerable. I found an input field on the site and typed in a simple script: <script>alert('hi')</script>.

When I submitted the form, a pop-up box appeared with the word “hi” in it. This was my “Aha!” moment. It meant the server was taking my script and running it in my browser without any checks. This confirmed the site was vulnerable to a reflected XSS attack.

Crafting the Exploit: Stealing Cookies

Now for the fun part. I wrote a more advanced script. The goal wasn’t just to show a pop-up; I wanted to steal the user’s cookie. Cookies are small pieces of data that websites use to remember you, and if an attacker can steal your cookie, they can often impersonate you.

I set up a server on my Kali Linux machine with a special PHP script called stealer.php. This script was designed to catch any cookies that were sent to it and save them in a text file.

The Attack: Putting It All Together

I took my malicious script, which was designed to grab the user’s cookie and send it to my server, and I pasted it into the same vulnerable input box on the website.

When I submitted the form, the script ran, and just as planned, it sent the cookie to my server. I checked the text file on my Kali machine, and there it was—the user’s cookie, successfully stolen.

This demonstration shows just how easy it can be to exploit a reflected XSS vulnerability. It’s a powerful reminder of why it’s so important for websites to properly sanitize user input.
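As an added defender-side example (not code from this write-up or from Mutillidae), the following Python shows the hostname field's reflection bug beside its hardened form: allowlist validation of the hostname, HTML encoding of whatever is echoed back, and an HttpOnly session cookie so that a script which does land cannot read document.cookie. The cookie name, the surrounding markup and the probe payload used as sample input are assumptions taken from or modelled on the write-up.

```python
import html
import re

# Constructed sample input: the probe the write-up typed into the hostname field.
PROBE = "<script>alert('hi')</script>"

# Allowlist for a hostname (RFC 1123 style labels): letters, digits and hyphens,
# dot-separated, 253 characters at most. Anything else is rejected, not cleaned.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def render_vulnerable(hostname: str) -> str:
    """Reflects the parameter verbatim into HTML: the bug the write-up exploits."""
    return f"<p>Results for {hostname}</p>"


def render_hardened(hostname: str) -> str:
    """Validates against the allowlist, then HTML-encodes anything echoed back.

    Encoding is applied on the error path too, so the error message cannot
    become a second reflection sink.
    """
    if not HOSTNAME_RE.match(hostname):
        return f"<p>Invalid hostname: {html.escape(hostname, quote=True)}</p>"
    return f"<p>Results for {html.escape(hostname, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for an assumed 'session' cookie.

    HttpOnly keeps the value out of document.cookie, so the cookie-stealing
    payload described above would run but have nothing to send.
    """
    return (f"Set-Cookie: session={session_id}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def reflects_script(markup: str) -> bool:
    """Crude check on rendered output: is a live <script> tag present?"""
    return "<script" in markup.lower()
```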

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.