Capture the request header with Burp Suite and manipulate it to inject the malicious code.
Burp Suite header:
GET /bWAPP/htmli_current_url.php?<h2>dfbfd</h2> HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/bWAPP/htmli_current_url.php
Cookie: security_level=0; PHPSESSID=2rbsk7srls24vvk3m5gciudngv
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
In this level there is no sanitization, and the source code is:
$url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
Note, however, that some browsers may encode the < and > characters in the URL, causing the attack to fail. There are other scenarios that require neither these characters nor embedding the code directly in the URL, so those browsers are not entirely immune to this type of attack either.
So, with an old version of IE the attack will succeed. The source code for this variant is:
$url = "<script>document.write(document.URL)</script>";
Usually document.URL, document.write and document.location fall under DOM-based XSS when their values are not handled properly.
For more details about DOM-based attacks, refer to the first link in the reference section.
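As an added example (not bWAPP's own code), the following shows the unsafe pattern from this page beside two hardened renderings of the current URL; `doc` is an assumed minimal stand-in for the browser's `document` so the code also runs under Node.

```javascript
// Added example, not bWAPP code: the unsafe pattern from this page beside
// two hardened ways of showing the current URL in the page.

// HTML-encode the five characters that can break out of text or attribute context.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the raw URL is concatenated into markup, equivalent to echoing
// $url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]; unescaped.
function unsafeMarkup(url) {
  return '<p>Current URL: ' + url + '</p>';
}

// Hardened: encode before interpolation, so an injected tag is rendered as text.
function safeMarkup(url) {
  return '<p>Current URL: ' + escapeHtml(url) + '</p>';
}

// Hardened alternative to document.write(document.URL): assign textContent.
// `doc` stands in for the browser document (assumption: an object exposing
// URL and getElementById), so this can run outside a browser.
function renderCurrentUrl(doc, targetId) {
  const el = doc.getElementById(targetId);
  el.textContent = doc.URL; // textContent is never parsed as HTML
  return el.textContent;
}

// Constructed sample mirroring the request line captured on this page.
const SAMPLE_URL = 'http://localhost/bWAPP/htmli_current_url.php?<h2>dfbfd</h2>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', unsafeMarkup(SAMPLE_URL));
  console.log('safe:  ', safeMarkup(SAMPLE_URL));
}
```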
<a href='mukhilan.com' >test</a>
Here we can try different payloads, such as a fake login template that redirects to a malicious website which receives the user's credentials in a URL GET parameter. A script then stores the credentials and redirects the victim to the dashboard page. In this way, different types of payload can be tried.
In some cases, the medium level and high level are the same. In this case, I have used some encoded payloads. It's sanitized properly.