1 Hello XSS
- Find out whether your browser has an XSS auditor and how it works
(does it block the JS or the whole page?).
- The page "hello.php" is vulnerable to reflected XSS.
- Find and exploit the vulnerability to display a "hello world" message via JavaScript.
- Document your final URL and findings.
Documentation:
1. Using the Vega software, I ran a scan over the page.
2. Intercept the request in the Burp Suite proxy and pass the encoded script.
3. Result:
3.2 Exfiltration using reflected XSS
- Use the vulnerability found in 3.1 to carry out a reflected XSS attack.
- Using JavaScript, obtain the contents of the user's cookies, encode them into a
base64 string and exfiltrate them via XMLHttpRequest (XHR) with a GET request to:
https://dev.netvor.sk/ex/?ami=ais_login&data=exfiltrovane_data
- Test and debug the JavaScript in your own browser first.
- To retrieve the exfiltrated data, visit the page:
https://dev.netvor.sk/ex/data/ais_login.txt
Paste the final attack URL into the form at https://bit.demo-cert.sk/sim/, which will
simulate a user "clicking" it for you.
Retrieve the victim's (the simulator's) cookie from the exfiltration server.
Result:
https://xsaleh.bit.demo-cert.sk/hello.php?name=%3Cscript%3E%0Aalert%28decodeURIComponent%28%0A%22Location%3A%20%22%20%2B%20location%20%2B%20%22%5Cn%22%20%2B%20%0A%22Location.hostname%3A%20%22%20%2B%20location.hostname%20%2B%20%22%5Cn%22%20%2B%20%0A%22Location.href%3A%20%22%20%2B%20location.href%20%2B%20%22%5Cn%22%20%2B%20%0A%22Location.pathname%3A%20%22%20%2B%20location.pathname%20%2B%20%22%5Cn%22%20%2B%20%0A%22Location.protocol%3A%20%22%20%2B%20location.protocol%20%2B%20%22%5Cn%22%20%2B%20%0A%22document.cookie%3A%20%22%20%2B%20document.cookie%20%2B%20%22%5Cn%22%0A%29%29%3C%2Fscript%3E
- I opened the URL encoder and wrote a simple JS script to retrieve some useful information such as cookies, and using Burp Suite, I intercepted the request and injected the encoded input as the input for the name attribute.
- RESULT:
- Encoding the cookies to base64:
- After uploading to https://dev.netvor.sk
Blocking
I could block the functionality of chat.php by injecting
as an input for the message field, which is going to redirect all the requests to the
https://xsaleh.bit.demo-cert.sk/ page, which in result means chat.php will never be
reached, nor any file that uses the messages.txt file.
3.4 Code review
Description:
The code is vulnerable to SQL injection, as explained in the previous table, at line 12 of
the code: the request parameters are used without validation. As a result we can also get a
reflected XSS by breaking the SQL statement and using UNION with an INSERT query to
insert a user whose login is some JavaScript wrapped in an HTML tag such as <img>, which
will then be executed at line 32.
Another way to get it is by reading the cookie object, because the cookies are stored without
the HttpOnly flag, which gives the attacker the ability to take advantage of it and read it
with a command such as document.cookie.
The best way to fix the SQL injection is validating the inputs and escaping the special
characters; we should store cookies with the HttpOnly flag set, and to solve the
impersonation issue I would recommend tracking and storing the IP address used to log in,
so that new locations of users who are trying to sign in can be checked.
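The three fixes the review above recommends, written out as an added example for this report (it is not the reviewed code or the lab's hello.php); the users table, the login column and the session cookie name are assumptions:

```php
<?php
// Added example, not the reviewed code: hardened versions of the three
// issues named in the code review. The users table, the login column and
// the cookie name "session" are assumptions.

// 1. Session cookie: HttpOnly keeps document.cookie from reading it, Secure
//    restricts it to HTTPS, SameSite limits cross-site sending. Called
//    before any output so the Set-Cookie header can still be emitted.
function issueSessionCookie(string $sessionId): bool {
    return setcookie('session', $sessionId, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// 2. Reflected XSS: the untrusted "name" parameter is HTML-encoded at the
//    point where it is written into the page, so "<script>" becomes text.
function renderGreeting(string $name): string {
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Hello $safe</p>";
}

// 3. SQL injection: the login value is bound as a parameter instead of being
//    concatenated into the statement, so a quote in the input can never end
//    the string literal or append a UNION/INSERT.
function findUserByLogin(PDO $db, string $login): ?array {
    $stmt = $db->prepare('SELECT id, login FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration on constructed input and an in-memory SQLite database.
issueSessionCookie(bin2hex(random_bytes(16)));

echo renderGreeting('<script>alert(document.cookie)</script>'), "\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT NOT NULL)');
$db->exec("INSERT INTO users (login) VALUES ('alice')");

var_dump(findUserByLogin($db, "alice' OR '1'='1")); // quote is plain data, no row matches
var_dump(findUserByLogin($db, 'alice'));            // the real account
```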