Note after clicking the Generate Password button, a password is shown. Also, note the username value provided in the URL is reflected back as is on the web page: http://192.168.56.101/mutillidae/index.php?page=password-generator.php&username=anonymous. This means a potential XSS vulnerability may exist on the page:
Switch to the Burp Proxy HTTP history tab and find the HTTP message associated with the Password Generator page. Flip to the Response tab in the message editor, and perform a search on the string catch. Note that the JavaScript returned has a catch block where error messages display to the user. We will use this position for the placement of a carefully crafted JavaScript injection attack:
Switch to the Burp Proxy Intercept tab. Turn Interceptor on with the button Intercept is on.
Reload the Password Generator page in Firefox browser by pressing F5 or clicking the reload button.
Switch to the Burp Proxy Interceptor tab. While the request is paused, note the username parameter value highlighted as follows:
Replace the preceding highlighted value of anonymous with the following carefully crafted JavaScript injection script:
canary";}catch(e){}alert(1);try{a="
Click the Forward button. Now, turn Interceptor off by clicking the toggle button to Intercept is off.
Note the alert popup. You’ve successfully demonstrated the presence of a JavaScript injection XSS vulnerability!
