2021/245_XSS_0103.md
## 245CT: 0103
### XSS:
- High on the OWASP Top 10 (a problem that will probably never go away)
- "Simple" but difficult to fix
#### Example:
- Attacker injects code into the page
- Usually JS
~~~term
www.evil.com/input=<script>alert(1)</script>
~~~
### Identifying XSS:
- Do we filter input when it arrives?
- Do we filter output before displaying it?
![Page accessed](https://i.imgur.com/Pn8ObxC.png)
> We can use XSS to create reflected popups on the local display.
~~~term
<script>alert(1)</script>
~~~
![Reflected XSS alert](https://i.imgur.com/cfuiw1P.png)
- Notice that the alert's contents are carried in the URL:
~~~term
http://172.17.0.1/reflected_xss_get.php?forminput=<script>alert("Hello World")</script>
~~~
![Hello World alert](https://i.imgur.com/LNRgh2f.png)
- We have included a script in the form data
### Types of XSS:
##### Stored:
- The 'classic' form
- Payload is stored on the server before being returned
- Anyone who accesses the site can be affected
##### Reflected:
- Least dangerous; only targets the user who submits the input.
##### DOM Based
- Injecting into the Document Object Model
### Attack types:
##### Popups
##### Redirection
- `<script>window.location="http://172.17.0.1/index.php"</script>`
##### Stealing Information
- Cookies
- Local storage
- Passwords
##### Snarfing Passwords
- Find a user with a password manager
- Set up a fake web page to take credentials
##### Session jacking:
- A cookie is used for identification on the site
- We can get it using JS
- Store a redirect to a site we control, send the cookie, have the site steal the cookie, log in as the user
- Store an image that takes the cookie; the site can't get to the page but still performs the task.
- Exploiting GETs allows appending to an image tag; the cookie is sent to the server
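An added example, not part of the original notes: a hypothetical Node.js stand-in for the `reflected_xss_get.php` page that answers the two "Identifying XSS" questions (filter output before displaying) and shows the HttpOnly cookie setting that blocks the `document.cookie` read used in session jacking. Function names and the `PHPSESSID` value are assumptions; the inputs are the two payloads the notes use.

```javascript
// Added example (not from the original notes or the lab application).
// reflected_xss_get.php echoes ?forminput= straight into the HTML, so the
// "Hello World" payload runs. Below: the same bug, then the output-encoded fix.

// Encode the five characters that let input break out of an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Unsafe: what the reflected page effectively does (bug reproduced on purpose).
function renderReflectedUnsafe(forminput) {
  return `<p>You entered: ${forminput}</p>`;
}

// Safe: output is filtered before display, so the browser shows the text literally.
function renderReflectedSafe(forminput) {
  return `<p>You entered: ${escapeHtml(forminput)}</p>`;
}

// Simple detection check: does the rendered page still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Session-jacking mitigation: an HttpOnly cookie is not exposed to
// document.cookie, so alert(document.cookie) cannot reveal it.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed inputs: the two payloads from the notes above.
const payloads = [
  '<script>alert("Hello World")</script>',
  '<script>window.location="http://172.17.0.1/index.php"</script>',
];

for (const p of payloads) {
  const unsafe = renderReflectedUnsafe(p);
  const safe = renderReflectedSafe(p);
  console.log('unsafe:', unsafe, '| script present:', containsScriptTag(unsafe)); // true
  console.log('safe:  ', safe, '| script present:', containsScriptTag(safe));     // false
}
console.log(sessionCookieHeader('PHPSESSID', 'example-session-id')); // assumed cookie name/value
```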
#### Browser dev tools, console commands:
- alert(1)
- window.location - gives the current location on the site
- alert(document.cookie) - reveals the cookie
> We can display data from the page we are on:
~~~term
alert(localStorage.key(0) + " " + localStorage.getItem(localStorage.key(0))) // Grabbing local storage
~~~
![Gathering storage data](https://i.imgur.com/rtI8xKA.png)