Hi guys,
Today I'm going to show you how to steal cookies with an XSS vulnerability, in a legal scenario.
Scenario:
A company hired you to do a web pentest on their new website. The website is very simple: an index page that presents the company, with a comment box at the bottom where visitors can leave comments.
You tried some basic SQL injections on the comment box, and you also tried to find their admin page to test the login, but it is well hidden. Then you have the bright idea to try some XSS on the comment box.
You know that a basic way to find XSS vulnerabilities is to add this code/string to every input you find that is later reflected into the page (URL, search, user agent, forms, etc.) and see which characters get encoded:
Code:
Code 1 @ http://pastebin.com/5yYTSmbQ | I use this method because of the firewall
On the page it may look like:
Code:
Code 2 @ http://pastebin.com/5yYTSmbQ | I use this method because of the firewall
and you may think that only
Code:
Code 3 @ http://pastebin.com/5yYTSmbQ | I use this method because of the firewall
is escaped. But you are wrong!!
Let's take a look at the SOURCE CODE (right click -> View Page Source, not Inspect Element) for the comment we just posted in the comment box:
Code:
Code 4 @ http://pastebin.com/5yYTSmbQ | I use this method because of the firewall
Humm.. very interesting..
They tried to protect the website from XSS by HTML-encoding some of the characters that JavaScript code needs.
More info here: https://en.wikipedia.org/wiki/Character_...gs_in_HTML
So we need to find a way to write JavaScript code into the page without using any of those characters:
Code:
Code 5 @ http://pastebin.com/5yYTSmbQ | I use this method because of the firewall
That's a challenge!
To solve this challenge you have to know the different ways JavaScript code can be written or added to a webpage.
The way I'm going to use is to tell the webpage to load the script from somewhere else. On one of my domains I hosted a script.js with this code:
Code:
Code 6 @ http://pastebin.com/5yYTSmbQ | I use this method because of the firewall
The comment looks like this:
Code:
Code 7 @ http://pastebin.com/5yYTSmbQ | I use this method because of the firewall
Once someone (including you) visits the webpage that has the comment, their cookies will be sent to the hacker.
Here's the source code that catches the cookie and saves it:
Code:
Code 8 @ http://pastebin.com/5yYTSmbQ | I use this method because of the firewall
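Before reporting, it helps to be able to show the administrator what a correct fix looks like. The following is an added example (Node.js, not code from the original post or from the pastebin) of the server-side defences that close the two gaps the walkthrough relies on: an encoder that covers every markup-significant character instead of a subset, and response headers that stop an externally hosted script from running and keep the session cookie out of document.cookie. The header values and cookie name are assumptions for illustration.

```javascript
// Added example, not from the original post: defences against the stored XSS
// described above. Runs stand-alone under Node.js.

// Encode every character that can change meaning in an HTML text or attribute
// context. Encoding only some JavaScript-relevant characters, as the site in
// the post did, still lets a comment introduce a <script src=...> tag.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a stored comment into the page. Both untrusted fields go through
// escapeHtml, so markup in a comment is displayed as text, not interpreted.
function renderComment(author, body) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Regression check for the encoder: after encoding, no character that can
// open a tag or break out of an attribute may remain.
function untrustedPartIsInert(encoded) {
  return !/[<>"']/.test(encoded);
}

// Response headers that limit the damage even if an encoding bug slips through:
//  - Content-Security-Policy with script-src 'self' blocks a script loaded
//    from another domain, which is how the post's payload executes.
//  - HttpOnly on the session cookie keeps document.cookie from exposing it,
//    so a script that does run cannot read the session.
// Cookie name and policy are assumed values for this example.
function securityHeaders(sessionId) {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'Set-Cookie': `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`,
  };
}
```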
End:
Now all you have to do is contact the administrator and tell him about the vulnerability you found during your contract. (You'll find the cookie in the logs.txt file.)
He'll be very happy! DO NOT USE THIS METHOD ILLEGALLY