How to do it...

  1. Ensure the owaspbwa VM is running. Select the OWASP WebGoat application from the initial landing page of the VM. The landing page is configured with an IP address specific to your machine.
  2. After you click the OWASP WebGoat link, you will be prompted for login credentials. Use these credentials: username: guest; password: guest.
  3. After authentication, click the Start WebGoat button to access the application exercises.
  4. Click Malicious Execution | Malicious File Execution from the left-hand menu. You are presented with a file upload page. The instructions state that only images are allowed for upload.
  5. Browse to the location where you saved the xss.jpg image that you downloaded from the PortSwigger blog page mentioned at the beginning of this recipe.
  6. Viewed normally, the image gives no indication that it carries an XSS payload; the payload is hidden from plain view.
  7. Click the Browse button to select the xss.jpg file.
  8. Switch to Burp's Proxy | Options. Under Intercept Server Responses, make sure response interception is enabled, so that responses to requests you intercepted or modified are also paused in Burp.
  9. Switch to Burp's Proxy | Intercept tab and turn interception on (the toggle button should read Intercept is on).
  10. Return to the Firefox browser and click the Start Upload button. The request should be paused within Burp's Interceptor.
  11. While the request is paused in the Intercept window, type Burp rocks into the search box at the bottom. You should see a match in the middle of the image body. This is our polyglot payload: the file is a valid image, but it carries a hidden XSS script inside the image's comment data.
  12. Click the Forward button, then turn interception off by clicking the toggle button so that it reads Intercept is off.
  13. Using Notepad or your favorite text editor, create a new file called poly.jsp, and write the following code within the file:
  14. Return to the Malicious File Execution page, browse to the poly.jsp file you created, and click the Start Upload button. poly.jsp is a Java Server Pages file, which this web server will execute rather than serve as static content. Following the lesson's instructions, we must create a guest.txt file in the path provided; the JSP scriptlet code creates that file.
  15. Right-click the unrecognized image, and select Copy Image Location.
  16. Open a new tab in the same Firefox browser as WebGoat, paste the image location into the address bar, and press Enter. Requesting the uploaded poly.jsp makes the server execute it; give the script a few seconds to run in the background before moving to the next step.
  17. Flip back to the first tab and press F5 to refresh the page. You should receive the successfully completed message. If the script is running slowly, try uploading poly.jsp again from the upload page. The success message should appear.
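The upload rule this recipe defeats twice, once with a polyglot JPEG and once with an executable .jsp, written out as an added Python example (not code from the book, WebGoat or PortSwigger). It builds a constructed JPEG whose comment segment carries a script, reproduces the "Burp rocks" search as a marker-segment walk, shows an assumed naive validator that trusts the client-supplied Content-Type accepting both files, and an assumed stricter validator that ignores that header, requires an allowlisted extension and a JPEG signature, and strips COM/APPn segments before storing. The payload string, the JSP placeholder and both validators are illustrations, not WebGoat's actual server code.

```python
"""Added example (not from the book, WebGoat or PortSwigger).

Why an "images only" upload rule that trusts the client is bypassed by a
polyglot JPEG and by a .jsp file, and what a stricter check looks like.
"""
import re
import struct
from typing import Iterator, List, Optional, Tuple

# JPEG marker bytes (the byte that follows 0xFF).
SOI, EOI, COM, SOS = 0xD8, 0xD9, 0xFE, 0xDA

# Constructed payload standing in for the script Burp's search finds in the
# real xss.jpg; not the PortSwigger file's actual contents.
PAYLOAD = b'<script>alert("Burp rocks")</script>'

# Constructed placeholder for poly.jsp; the recipe's scriptlet is not
# reproduced here.
JSP_SAMPLE = b"<% /* placeholder scriptlet that would write guest.txt */ %>"

ALLOWED_EXT = (".jpg", ".jpeg")


def build_jpeg(comment: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, one COM segment holding `comment`, EOI.
    Too small to decode to pixels, but it has a valid signature and shows
    exactly where a polyglot hides its payload."""
    com = bytes([0xFF, COM]) + struct.pack(">H", len(comment) + 2) + comment
    return bytes([0xFF, SOI]) + com + bytes([0xFF, EOI])


def iter_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, raw_segment) for each marker segment of a JPEG.
    Everything from SOS onward (entropy-coded scan data) is yielded as one
    chunk, so real images with DQT/SOF/DHT/SOS segments walk cleanly too."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, data[:2]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == EOI:
            yield EOI, data[pos:pos + 2]
            return
        if marker == SOS:
            yield SOS, data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no EOI")


def hidden_scripts(data: bytes) -> List[bytes]:
    """What the 'Burp rocks' search did by hand: the body of every COM or
    APPn (0xE0-0xEF) segment that contains a <script tag."""
    found = []
    for marker, seg in iter_segments(data):
        if marker == COM or 0xE0 <= marker <= 0xEF:
            body = seg[4:]  # skip 0xFF, marker byte and 2-byte length
            if re.search(rb"<\s*script", body, re.IGNORECASE):
                found.append(body)
    return found


def naive_accept(filename: str, client_content_type: str, data: bytes) -> bool:
    """Assumed weak check: enforces 'images only' by trusting the Content-Type
    the client sent, which Burp's Interceptor can rewrite to image/jpeg."""
    return client_content_type.lower().startswith("image/")


def strip_metadata(data: bytes) -> bytes:
    """Rebuild the JPEG without COM and APPn segments, the places a polyglot
    payload lives, keeping only structural segments and scan data."""
    out = bytearray()
    for marker, seg in iter_segments(data):
        if marker == COM or 0xE0 <= marker <= 0xEF:
            continue
        out += seg
    return bytes(out)


def hardened_accept(filename: str, client_content_type: str,
                    data: bytes) -> Tuple[bool, Optional[bytes]]:
    """Assumed stricter check: ignore the client's Content-Type, require an
    allowlisted extension AND a JPEG signature, and return the bytes to store
    with metadata stripped. Storing them under a server-chosen name outside
    the web root is still the caller's job."""
    del client_content_type  # attacker-controlled; never consulted
    if not filename.lower().endswith(ALLOWED_EXT):
        return False, None
    if data[:2] != bytes([0xFF, SOI]) or data[-2:] != bytes([0xFF, EOI]):
        return False, None
    try:
        return True, strip_metadata(data)
    except ValueError:
        return False, None


if __name__ == "__main__":
    jpg = build_jpeg(PAYLOAD)
    print("scripts hidden in xss.jpg:", hidden_scripts(jpg))
    print("naive accepts poly.jsp sent as image/jpeg:",
          naive_accept("poly.jsp", "image/jpeg", JSP_SAMPLE))
    print("hardened accepts poly.jsp:",
          hardened_accept("poly.jsp", "image/jpeg", JSP_SAMPLE)[0])
    ok, cleaned = hardened_accept("xss.jpg", "image/jpeg", jpg)
    print("hardened accepts xss.jpg:", ok,
          "payload survived:", PAYLOAD in (cleaned or b""))
```

Run it with `python3` on the constructed files; with a real JPEG the same walker works because scan data after SOS is copied verbatim. The point of the two checks side by side is that the extension allowlist alone would still let xss.jpg through with its script intact, and signature checking alone would not stop a polyglot either; only stripping the metadata (or re-encoding the image) removes the payload, and only refusing to execute uploads, by storing them outside the web root or serving them as static content, stops poly.jsp from running where the recipe's step 16 runs it.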
