Documented xss using <script> does not work, only the <image> one works

Question

Documented xss using <script> does not work, only the <image> one works

mathiasconradt opened this issue 2 years ago · comments

The first xss documented on
https://github.com/ine-labs/AWSGoat/blob/master/solutions/module-1/01-Reflected%20XSS.md

<script>alert('1')</script>

with expected behaviour:

An alert box pops up on our screen which confirms that our application is vulnerable to XSS injection attacks

does not work, at least not for me.

The xss using the <image> tag works as expected and documented.

When entering above line, nothing happens.

Environment:
Tested with Brave (Version 1.41.100 Chromium: 103.0.5060.134 (Official Build) (64-bit)) and Chrome (Version 104.0.5112.79 (Official Build) (64-bit)), on 5.18.14-1-MANJARO + xfce. Also tested on Mac OS 12.5 with Chrome, same result.

Mathias Conradt · Answer 1 · Fri Aug 12 2022 16:33:00 GMT+0800 (China Standard Time)

I'm just watching the video https://youtu.be/qa-dXJ4lOWI?t=30 and there the <script> tag does not trigger any alert either, so I guess it's just the documentation that should be adjusted, that one does not expect a popup there already.

So it's basically just about removing this line from the docs:

An alert box pops up on our screen which confirms that our application is vulnerable to XSS injection attacks

Jeswin Mathai · Answer 2 · Mon Aug 15 2022 05:42:48 GMT+0800 (China Standard Time)

Thanks Mathias! We have updated the manuals with #13 .