27 Jan 2023
Practical application through an example attack.
Start with testing the support page for Cross-Site Scripting (XSS) issues. This test is looking for "Reflected" XSS, which only affects the person making the web request.
Tried typing in in the email field. The client-side filter prevented characters that are not valid in an email address from being typed.
Next, try bypassing the client-side protection using Intercept. After replacing "email" in the intercepted request, use Ctrl+U to URL-encode it so it is safe to send. Forward until the response reaches the browser.
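To make the point of the intercept step concrete from the defender's side, here is a small added example (my own code, not from the room or the write-up) modelling what the server should be doing: the browser-side filter is only a convenience, so the request body that arrives after the proxy edit must be validated server-side and any value reflected back into the page must be HTML-escaped. The email regex, the page template and the sample payload are all constructed assumptions for illustration.

```python
import html
import re
from urllib.parse import quote, unquote_plus

# Hypothetical server-side email rule (assumption: the page does not show
# the real filter). Only this check matters; the client-side one in the
# browser never sees a request that was edited in the proxy.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def url_encode_key_chars(value: str) -> str:
    """Mimic what Ctrl+U in Burp Intercept does to a selected value:
    percent-encode every character that would otherwise break the
    form-encoded request body."""
    return quote(value, safe="")


def parse_form_field(raw: str) -> str:
    """What the server sees after decoding the submitted form field."""
    return unquote_plus(raw)


def server_validate_email(email: str) -> bool:
    """Server-side equivalent of the client-side email filter."""
    return EMAIL_RE.fullmatch(email) is not None


def render_support_page(email: str) -> str:
    """Reflected page: the submitted email is echoed back to the sender.
    Escaping the value here is what stops reflected XSS, whatever was
    sent through the proxy and whether or not validation ran."""
    return f"<p>We will reply to {html.escape(email, quote=True)}</p>"


def handle_request(raw_field: str) -> tuple[int, str]:
    """Minimal request handler: decode, validate server-side, then render
    with output encoding. Returns (status, body)."""
    email = parse_form_field(raw_field)
    if not server_validate_email(email):
        return 400, "<p>Invalid email address</p>"
    return 200, render_support_page(email)


if __name__ == "__main__":
    # Constructed test input: the canonical reflected-XSS probe string.
    probe = "<script>alert(1)</script>"
    encoded = url_encode_key_chars(probe)
    print("on the wire:", encoded)
    print("server sees:", parse_form_field(encoded))
    print("with validation:", handle_request(encoded))
    print("without validation:", render_support_page(probe))
```

Running it shows both layers: the URL-encoded probe is decoded back to the original string on the server, the server-side validation rejects it with a 400, and even if that validation were missing, the escaped output renders the probe as literal text rather than markup.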
Knew most of what was presented in the room just from learning on the fly in previous AoCs, but the target filtering already feels invaluable.
The Burp module continues in the Burp Suite Repeater room, but the learning path continues with OWASP Top 10. I'll have to circle back around to Burp again at some point. I hear there's a badge for doing all(?) of the rooms.