10 Feb
2023
8
min read

Learning XSS with ChatGPT

ChatGPT is all the rage at the moment, with people claiming everything from "It can make a beginner look like a pro" to "I'm out of a job." so I thought I'd take a little time to explore just how capable this new tool really is. How well can ChatGPT really perform at the job of a pentester? Let's find out.

If I wanted to manually test for cross-site-scripting, what might I do?

Let’s give that a shot…

Step 1) In the above XSS challenge, “Enter your name” is an input field

Step 2) Let’s try entering the malicious script provided

Step 3) It looks like we have execution. SUCCESS

Step 4) Now let’s try some other challenges…

There are no input fields at http://rig.cytix.io/challenges/xss-2.php?animal=bird so how else might I be able to manually test this for XSS?

Let's apply that logic

Step 1) It looks like clicking the animal name changes the query parameter from bird to cat…

Step 2) Let’s give that URL a go…

It didn’t execute… Let's try something else

http://rig.cytix.io/challenges/xss-2.php?animal=<script>alert("XSS")</script> didn't work, what else can I use instead?

Going through them one-by-one...

#3 is a winner!

Time for something a little harder?

how might I exploit XSS at this url http://rig.cytix.io/challenges/xss-3.php#Andy

No luck…

This didn't work in my browser, what else should I try?

In at #2...

We have a winner 🥳

Ok, so we’ve got some pretty successful payloads under our belt. Now to actually make it do something interesting…

Make the svg payload do something more interesting


For the POC to work, I just need to switch out “yourserver.com” for localhost…

Looking at our listener...

It looks like we’ve stolen ourselves a cookie!
bug report

Get a Free Trial  From Cytix

Haven’t tried Cytix yet? Try our free trial to see how it works.

Get a Free Trial

Ok so that’s great… but any decent security tester needs to know how to do more than just exploit.

How should I prevent attacks like these?

Start Detecting Vulnerabilities Others Miss Today

  • Detect Vulnerabilities Faster
  • Patch Vulnerabilities Faster
  • Be more compliant
Learn More
business

Read Next:

Explore More Articles

Rashi P

.

4 Dec

2023

Shifting Security to the Left.

arrow

The core philosophy behind the concept of shifting left in software development is that by catching security weaknesses early in the process, the chances of these weaknesses making their way into production systems are significantly reduced. This ultimately leads to a smaller risk and lower costs for remediation in the long term. Interested to know more?

Cybersecurity
pentesting

Rashi P

.

23 Nov

2023

A Brief History of Security Testing

arrow

The origins and evolution of security testing. It started in the late 1970s when hackers and security testers began using tools to assess computer system security. Today, security testing is a crucial part of any comprehensive security strategy. Join us as we delve into the world of security testing and its importance in safeguarding our systems from malicious attacks.

Cybersecurity
Security Testing
Vulnerability

Rashi P

.

31 Oct

2023

Future Market Trends

arrow

This article explores the importance of a collaborative approach to security testing, highlighting the limitations of current solutions and discussing emerging market trends. By understanding the current state of the sector and identifying key themes such as bug hunting versus the analyst approach, integration, and decision intelligence, organizations can enhance their security testing practices.

No items found.

Detect, Resolve &
Patch Faster With Cytix

Get a free test today and see how it works.
Get a Free Trial
CTA Image
cta rectangle image
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept