What if the page is protected by JavaScript validation, do you think we still can hack it? Of course we can; the JavaScript validation is not enough—we should do it on the server as well. Let's see how to overcome JavaScript using Burp:
- First, we will switch the security level to 1, which will enable JavaScript validation, by clicking on the Toggle Security button in the Mutillidae menu bar:
- Try to visit the same page above from the menu; on the left menu, choose OWASP 2017 | Cross Site Scripting | Reflected | DNS Lookup and let's try to execute our alert script:
As you can see, the script was blocked by the browser, it didn't even allow me to continue typing my script because of the validation rule applied to the textbox field. But this should not be a reason to stop us from going forward; I will enable the proxy in my browser (as I showed you in the previous chapter) and start Burp/Proxy to intercept the request:
- I will change the target_host value and insert my alert script. Next, let's forward it to the server (using the Forward button):
Check this out! The JavaScript has executed successfully:
