0xma Cyber Security Articles




April 17, 2022

Cross-Site Scripting (XSS) Attack - Example 2

In this tutorial, we will see how to perform a cross-site scripting (XSS) attack and retrieve cookies of another user. We inject the XSS payload in the username section of the user's profile. Once the user sends a message to the site administrators, the XSS payload is triggered and we retrieve the cookies.

Let's register a user.

Registration page.

Once registered, it redirects us to the main page.

Main Page.

Click on the username and go to Profile.

Going to the profile page.

This is the profile page where we can change the username, email and password.

Profile page.

Changing the username to include the <b> tags makes the username bold. If the username is displayed in bold text somewhere in the web application, then it is a good indication that the web application might be vulnerable to XSS attacks.

Submitting the XSS payload.

The username shown at the top-right corner of the page shows the <b> tags and the username is not displayed in bold.

XSS payload in the profile page.

Let's see if the username is displayed in bold text in other places of the web application. We go to the "Contact Us" page.

Going to the Contact Us page.

Let's type something in the form and click on "Send".

Submitting the Contact Us form.

The form has been submitted successfully.

Message successfully sent.

Click on the "Message to: admin" link.

Going to the sent message.

We can see that the username "0xma" is in bold. In case it is not visible, I will try to italicize the username.

Bold username in the Info page.

Let's surround the username with <i> tags to italicize it.

Italicizing our username.

Submit the form.

Sending another message.

And now we can see that the username is displayed in italics.

Italcized username in the Info page.

Our next step is to steal the cookies. Let's use some JavaScript to connect to the local server which we initiate by running the sudo python3 -m http.server 80 command in the terminal. Note that this command runs a web server on our local machine and opens port 80. Once it connects to the web server, it will reveal its cookies.

Modifying username to retrieve cookies.

Let's submit the form once again.

Submit the form.

Click on the "Message to: admin" link.

Going to the sent message.

We get a "Error response" page with error code 404. Unlike the last time, we don't see our message.

Error response page.

Whenever someone on the target side checks the message, it will send the cookie to the local web server in a GET request. After a couple of minutes, we get a GET request which includes the session cookies.

Session cookie received in Python web server.

Let's URL Decode our session cookies in CyberChef. However, we could do this in Burp Suite as well.

URL decoding the session cookie in CyberChef.

Right-click on the browser page and then click on "Inspect". The Storage tab shows the cookies.

Viewing the current session cookie.

Enter in the URL decoded session cookie.

Replacing the current session cookie with the newly received session cookie.

Now the user is logged in as the "admin" user.

Gaining admin privileges on the web application.

If you liked reading this article, you can follow me on Twitter: 0xmaCyberSec.