Pentesting Assignment
Here is your task: The str_ireplace(script, null, ) function disallows the SCRIPT element used in the Reflected XSS lab from being executed. However, if you understand how the control works, then you can bypass this control. Your task is to bypass the control by allowing a different SCRIPT element to execute.
To bypass this function, follow these steps:
Refer to reputable sources for an explanation of how the str_ireplace function works.
Research code vulnerability databases to see how others have bypassed this control.
Pentest the site armed with the information learned and the procedure demonstrated in this section.
Perform these steps prior to pentesting:
Click the START button in the adjoining window.
Click the Kali workstation icon in the topology.
Type root in the Username field and press Enter.
Type P@sswrd into the Password field and press Enter.
Click on the terminal icon.
Execute the following command and provide the support user's password to establish an SSH session with the backend web server.
root@Hacker:~# ssh support@urbank.com
support@urbank.com's password: P@sswrd
Note: The password of P@sswrd will not be displayed when you type it for security purposes.
Execute the following command and provide the sudo password when prompted, to run all the steps prior to this lab.
support@Web:~$ LABB
sudo password for support: P@sswrd
Note: If you submit an incorrect password, then the script may only partially run and you may have to restart the session. Also note: You should wait for the script to complete before continuing.
Execute the following command to open index.php with the nano text editor.
support@Web:~$ sudo nano -c /var/www/WebServer/index.php
Add str_ireplace(script, null, ) to line
Press and hold the Ctrl key and press the x key (Ctrl+x).
Press the y key.
Press Enter.
Click the minimize button on the terminal.
Click the Iceweasel icon.
Type urbank.com into the browser's search field and press Enter. Type the query parameter myusername and append your SCRIPT element and press Enter.
There are two ways to tell if your attack was successful:
If the JavaScript executes
If the complete SCRIPT element is injected
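Seen from the defender's side, the control in this assignment can be compared with HTML output encoding. The PHP below is an added example, not the lab's index.php and not part of the original question; the function names and the sample values are constructed for illustration.

```php
<?php
// Added illustration; not the lab's index.php. All sample values are constructed.

// The control as the assignment describes it: delete the word "script",
// case-insensitively. The assignment passes null as the replacement, which
// behaves like the empty string used here.
function blacklist_filter(string $value): string
{
    return str_ireplace('script', '', $value);
}

// Context-aware alternative: encode the value for an HTML body or a quoted
// attribute, so the browser renders it as text whatever it contains.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True when raw angle brackets would reach the page.
function has_raw_markup(string $html): bool
{
    return strpbrk($html, '<>') !== false;
}

$samples = [
    'alice',                // ordinary value
    '<b>alice</b>',         // harmless markup, still markup
    'Transcript attached',  // legitimate text that contains "script"
];

foreach ($samples as $input) {
    foreach (['blacklist_filter', 'encode_for_html'] as $control) {
        $out = $control($input);
        printf("%-16s %-20s -> %-32s raw markup: %s\n",
            $control, $input, $out, has_raw_markup($out) ? 'yes' : 'no');
    }
}
```

The word filter passes the markup sample through unchanged and turns "Transcript attached" into "Tran attached", while the encoded output never contains a raw angle bracket. htmlspecialchars covers HTML body and quoted-attribute contexts only; values placed inside JavaScript or URLs need encoding for those contexts.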