0

I have been given permission to run OWASP Zap on a web application. I don't have a lot of experience of pen testing so it's all a bit new to me.

I ran Zap on the application and it came up with a High severity alert relating to DOM based XSS.

The attack was #javascript:alert(1) and it gave me a URL <my web app URL>#javascript:alert(1). The method used was POST.

The page in the web app that the vulnerability is in is a form.

I would like to manually reproduce this issue and see the alert and was wondering how I can go about this?

I tried pasting the URL into the browser but this is doing a GET not a POST.

I also tried to use Firefox developer tools to change the request to a POST and then resend it but I still couldn't see the alert.

Umbungu
  • 945
  • 3
  • 10
  • 30
  • 3
    HTTP POST requests via a browser where you can see the response itself are only possible with a `
    ` or similar
     – Samathingamajig Jun 10 '21 at 19:31
  • 1
    Just specify a POST request in your form like `
    ..
    ` and try sending some `` in the form submission to server, if the js code is executed, then indeed XSS has occurred.     – Tanner Dolby Jun 10 '21 at 20:00

1 Answers1

1

You can use burprepeater in burpsuite comunity. In the request you can change method to post.

You can change your request and copy when you belive that the request run fine. Then you can do a Curl -X in your terminal if you belive its necesary why burpsuite its only you need

Try this and coment. Regards

José Luis Iñigo Blasco
  • 19
  • 2