Documented xss using <script> does not work, only the <image> one works
mathiasconradt opened this issue · comments
The first xss documented on
https://github.com/ine-labs/AWSGoat/blob/master/solutions/module-1/01-Reflected%20XSS.md
<script>alert('1')</script>
with expected behaviour:
An alert box pops up on our screen which confirms that our application is vulnerable to XSS injection attacks
does not work, at least not for me.
The xss using the <image>
tag works as expected and documented.
When entering above line, nothing happens.
Environment:
Tested with Brave (Version 1.41.100 Chromium: 103.0.5060.134 (Official Build) (64-bit)) and Chrome (Version 104.0.5112.79 (Official Build) (64-bit)), on 5.18.14-1-MANJARO + xfce. Also tested on Mac OS 12.5 with Chrome, same result.
I'm just watching the video https://youtu.be/qa-dXJ4lOWI?t=30 and there the <script>
tag does not trigger any alert either, so I guess it's just the documentation that should be adjusted, that one does not expect a popup there already.
So it's basically just about removing this line from the docs:
An alert box pops up on our screen which confirms that our application is vulnerable to XSS injection attacks
Thanks Mathias! We have updated the manuals with #13 .