For this recipe, we will use the prototyping features provided by the Magical Code Injection Rainbow, an application included in our OWASP BWA vulnerable virtual machine:
- First, go to the application and select XSSmh from the menu to go to the XSS sandbox. Here, we can set up a field vulnerable to XSS with custom types of sanitization.
- In our case, we will use the last Sanitization Level: Case-Insensitively and Repetitively Remove Blacklisted Items, matching Keywords.
- In Sanitization Parameters, we will need to enter the blacklisted words and characters: add alert, document, cookie, href, location, and src. This will greatly limit the range of action of a possible attacker exploiting the application.
- The Input Sanitization section ...
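To make the chosen sanitization level concrete, the following is an added example (not MCIR's own code and not from the original recipe) that reimplements the behaviour described above in Python: the six keywords from the Sanitization Parameters are removed case-insensitively, and the removal is repeated until the input stops changing, so a keyword that only appears after an inner occurrence has been stripped is removed as well. Alongside it, `encode_for_html` shows the defensive alternative a reviewer would recommend instead of a keyword blacklist: context-aware output encoding, which renders the input as data regardless of which words it contains. The function and variable names are assumptions introduced for the example.

```python
import html
import re

# The blacklist entered in the sandbox's Sanitization Parameters (from the recipe).
BLACKLIST = ["alert", "document", "cookie", "href", "location", "src"]


def remove_blacklisted(value: str, blacklist=BLACKLIST) -> str:
    """Case-insensitively and repetitively remove blacklisted keywords.

    Re-applies the removal until the string no longer changes, so a keyword
    that is reassembled by deleting an inner occurrence (e.g. "alalertert")
    is removed on the next pass. This mirrors the sanitization level the
    recipe selects; it is a reimplementation, not MCIR's code.
    """
    pattern = re.compile("|".join(re.escape(w) for w in blacklist), re.IGNORECASE)
    previous = None
    while previous != value:
        previous = value
        value = pattern.sub("", value)
    return value


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text context.

    Escapes the characters that can break out of the context (<, >, &, quotes)
    so the reflected input is shown as text and never interpreted as markup.
    This is the mitigation to prefer over keyword blacklists.
    """
    return html.escape(value, quote=True)


def render_reflected(value: str, mode: str) -> str:
    """Build the page fragment where user input is reflected, using either
    the blacklist sanitizer or output encoding."""
    if mode == "blacklist":
        safe = remove_blacklisted(value)
    elif mode == "encode":
        safe = encode_for_html(value)
    else:
        raise ValueError(f"unknown mode: {mode}")
    return f"<p>You entered: {safe}</p>"


if __name__ == "__main__":
    # Constructed sample inputs to exercise both modes.
    for sample in ["Hello", "ALERT(1)", "alalertert", "<b>bold</b>"]:
        print(f"{sample!r:16} blacklist -> {render_reflected(sample, 'blacklist')}")
        print(f"{sample!r:16} encode    -> {render_reflected(sample, 'encode')}")
```

Running the script shows the difference between the two approaches: the blacklist removes the listed keywords (including the nested `alalertert` case, which takes two passes) but leaves any other markup untouched, whereas output encoding neutralises the characters that matter for the HTML context regardless of the words used.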