Demonstrating XSS Attack on a Custom Web Application
By using Node.js and XSStrike.
We would be using the above two tools to demonstrate an XSS attack.
- Node.js would be used to generate a basic web application. (Download the LTS version from here)
- XSStrike to carry out the actual attack. (Download it from here and also install the python dependencies it requires)
Start your web app by running the below code on your command prompt.
Open the respective URL shown below in your browser.
Go to the folder where you have downloaded XSStrike and run the below command. (Install python3 from here if you do not have it)
python3 xsstrike.py -u http://localhost:3000/?name=inputField
You should get an output something like this, press ‘y’ and ‘enter’ till you have generated sufficient payloads to test.
Copy any one of the payloads and try them on the URL as shown below.
Then try giving an input and check the result.
There you go with your complete custom demonstration of an XSS attack. As far as the solutions to prevent these kind of attacks, especially in Node.js application, you can check the below resources as there are various ways to do it.