📿XSS Attacks
Defacing
Defacing
a website means changing its look for anyone who visits the website.
We can utilize injected JavaScript code (through XSS) to make a web page look any way we like.
Here are the HTML elements are usually utilized to change the main look of a web page:
Background Color
document.body.style.background
Background
document.body.background
Page Title
document.title
Page Text
DOM.innerHTML
Example payload to change the background
Set an image to background:
Change the title of the website:
Changing some text on the page:
We can also utilize jQuery functions for more efficiently achieving the same thing or for changing the text of multiple elements in one line (to do so, the jQuery
library must have been imported within the page source):
To erase the content of the website and change the body:
We can also minify our html code and inject it as a one-liner:
Phishing
A common form of XSS phishing attacks is through injecting fake login forms that send the login details to the attacker's server, which may then be used to log in on behalf of the victim and gain control over their account and sensitive information.
Here is a HTML form used for phishing:
To inject it ->
In this case, we are exploiting a Reflected XSS
vulnerability, so we can copy the URL and our XSS payload in its parameters, as we've done in the Reflected XSS
section, and the page should look as follows when we visit the malicious URL
Payload to remove some HTML on a page:
So our payload becomes:
We can comment out any HTML, by adding an HTML opening comment after our XSS payload
Now to steal the credentials we must set up our listener ->
And now if our target decides to login with the credentials test:test
, and check the netcat
output we get
However, as we are only listening with a netcat
listener, it will not handle the HTTP request correctly, and the victim would get an Unable to connect
error, which may raise some suspicions. So, we can use a basic PHP script that logs the credentials from the HTTP request and then returns the victim to the original page without any injections. In this case, the victim may think that they successfully logged in and will use the Image Viewer as intended.
We can start our server like this:
Try to find a working XSS payload for the Image URL form found at '/phishing' in the above server, and then use what you learned in this section to prepare a malicious URL that injects a malicious login form. Then visit '/phishing/send.php' to send the URL to the victim, and they will log into the malicious login form. If you did everything correctly, you should receive the victim's login credentials, which you can use to login to '/phishing/login.php' and obtain the flag.
Session Hijacking
With the ability to execute JavaScript code on the victim's browser, we may be able to collect their cookies and send them to our server to hijack their logged-in session by performing a Session Hijacking
(aka Cookie Stealing
) attack.
A Blind XSS vulnerability occurs when the vulnerability is triggered on a page we don't have access to.
Blind XSS vulnerabilities usually occur with forms only accessible by certain users (e.g., Admins).
Let's imagine we want to be part of a website and send our informations via a form and we see this:
The informations will appear for the Admin only in a certain Admin Panel that we do not have access to. To exploit this we can use a JavaScript payload that sends an HTTP request back to our server. If the JavaScript code gets executed, we will get a response on our machine, and we will know that the page is indeed vulnerable.
We start by including a remote script by providing its URL ->
We can change the requested script name from script.js
to the name of the field we are injecting in, such that when we get the request in our VM, we can identify the vulnerable input field that executed the script
If we get a request for /username
, then we know that the username
field is vulnerable to XSS, and so on.
Now we can start testing various XSS payloads and we can find few examples we can use from PayloadsAllTheThings:
Now we start a php webserver:
Now we can start testing these payloads one by one by using one of them for all of input fields and appending the name of the field after our IP
Once we find a working XSS payload and have identified the vulnerable input field, we can proceed to XSS exploitation and perform a Session Hijacking attack. We want to find payloads to steal cookies such as:
put it in a script.js file and send the following payload through our vulnerable input ->
However, if there were many cookies, we may not know which cookie value belongs to which cookie header. So, we can write a PHP script to split them with a new line and write them to a file. In this case, even if multiple victims trigger the XSS exploit, we'll get all of their cookies ordered in a file.
We can save the following PHP script as index.php
, and re-run the PHP server again:
Try to repeat what you learned in this section to identify the vulnerable input field and find a working XSS payload, and then use the 'Session Hijacking' scripts to grab the Admin's cookie and use it in 'login.php' to get the flag.
We create our index file with the PHP code above, host it and send our payload ->
Last updated