Demonstrating XSS Attack on a Custom Web Application

By using Node.js and XSStrike.

Node.js and XSStrike. Took these logos from the respectives websites.

We would be using the above two tools to demonstrate an XSS attack.

• Node.js would be used to generate a basic web application. (Download the LTS version from here)
• XSStrike to carry out the actual attack. (Download it from here and also install the python dependencies it requires)

Step 1

Create an index.js file with this code in it. (Also, install express from here)

Step 2

Start your web app by running the below code on your command prompt.

node index.js

Open the respective URL shown below in your browser.

http://localhost:3000/?name=inputField

This should how your page should look like. Screenshot by Author.

Step 3

Go to the folder where you have downloaded XSStrike and run the below command. (Install python3 from here if you do not have it)

python3 xsstrike.py -u http://localhost:3000/?name=inputField

You should get an output something like this, press ‘y’ and ‘enter’ till you have generated sufficient payloads to test.

Install the XSStrike dependencies from here in case you get errors. Screenshot by Author.

Step 4

Copy any one of the payloads and try them on the URL as shown below.

Then try giving an input and check the result.

Try other payloads if one does not work. Screenshot by Author.

There you go with your complete custom demonstration of an XSS attack. As far as the solutions to prevent these kind of attacks, especially in Node.js application, you can check the below resources as there are various ways to do it.

Resources:

1. Stackoverflow answer to prevent XSS in server side javascript.
2. OWASP cheat sheet to Node.js security.