Demonstrating XSS Attack on a Custom Web Application

Node.js and XSStrike. Took these logos from the respectives websites.

Step 1

Create an index.js file with this code in it. (Also, install express from here)

Step 2

Start your web app by running the below code on your command prompt.

node index.js
http://localhost:3000/?name=inputField
This should how your page should look like. Screenshot by Author.

Step 3

Go to the folder where you have downloaded XSStrike and run the below command. (Install python3 from here if you do not have it)

python3 xsstrike.py -u http://localhost:3000/?name=inputField
Install the XSStrike dependencies from here in case you get errors. Screenshot by Author.

Step 4

Copy any one of the payloads and try them on the URL as shown below.

Try other payloads if one does not work. Screenshot by Author.

Resources:

  1. Stackoverflow answer to prevent XSS in server side javascript.
  2. OWASP cheat sheet to Node.js security.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Yarala Hruthik Reddy

Yarala Hruthik Reddy

I do a lot of things. Just trying to find my breakthrough. www.iamYHR.com