Special characters
Step 1: try entering these in comment sections to see how they display.
If you inspect the web page and still see the raw characters, it's vulnerable!
If they're not properly filtered (PHP) -> the "htmlspecialchars" function should be used to properly sanitize them; it converts key characters into HTML entities.
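As an added illustration (not code from the original notes), here is the comment-rendering step written twice in PHP: once echoing the raw comment, once passing it through htmlspecialchars as the notes recommend. The function names and the probe string are constructed for the demo; the probe reuses the step 2 payload and the quote/ampersand characters from step 1.

```php
<?php
// Added example, not from the original notes: output encoding for a comment
// rendered in an HTML body context. Function names and input are constructed.

declare(strict_types=1);

// Vulnerable: the raw comment is concatenated straight into the page, so a
// comment such as <script>alert()</script> becomes live markup.
function render_comment_vulnerable(string $comment): string
{
    return '<div class="comment">' . $comment . '</div>';
}

// Hardened: htmlspecialchars turns & < > " ' into HTML entities, so the browser
// displays the characters instead of parsing them. ENT_QUOTES encodes both quote
// styles (needed if the value ever lands inside an attribute); ENT_SUBSTITUTE
// replaces malformed UTF-8 instead of returning an empty string, which would
// silently drop the comment rather than fail visibly.
function render_comment_safe(string $comment): string
{
    $encoded = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="comment">' . $encoded . '</div>';
}

// Constructed probe: the step 2 payload plus the step 1 special characters.
$probe = '<script>alert("x")</script> & \'single\' "double"';

echo "vulnerable: ", render_comment_vulnerable($probe), PHP_EOL;
echo "safe:       ", render_comment_safe($probe), PHP_EOL;
```

Run it with `php render_comment.php` and compare the two lines: the first contains a live script tag, the second contains only entities. Note that htmlspecialchars is the right encoder for an HTML body or attribute context only; a value placed inside a JavaScript string, a URL, or a CSS block needs the encoder for that context, which is why the step 1 inspection should be repeated for every place the input is reflected.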
Step 2: the famous <script>alert()</script>
Step 3: Steal cookies and session info
What are cookies and what can we do with them?
Cookies -> websites use them to track state information about users. Cookies can be set with optional flags that are not required. We want to look for the Secure and HttpOnly flags.
Secure flag - instructs the browser to only send the cookie over encrypted connections.
HttpOnly flag - denies JavaScript access to the cookie. If it's not set, the cookie can easily be stolen using an XSS.
The following script sends a GET request to the attacker's machine and forces the victim to send the cookie (PHPSESSID) with it.
If a user logs into the server, we get a callback and steal the cookie.
Use a cookie editor to add the session info and visit admin-only pages!
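The two flags from the cookie discussion above, shown from the defender's side as an added example (not code from the original notes): a PHP helper that sets Secure and HttpOnly on the PHPSESSID cookie before the session starts, and a small audit function that reports which flags a Set-Cookie header is missing, so a response seen in a proxy or server log can be checked against the list in step 3. The function names and the two header strings are constructed for the demo.

```php
<?php
// Added example, not from the original notes: hardening the PHP session cookie
// and auditing Set-Cookie headers for the flags the notes look for.
// Function names and the sample header values are constructed.

declare(strict_types=1);

// Call before session_start(). The options array form of session_set_cookie_params
// exists since PHP 7.3 and controls the Set-Cookie header PHP emits for PHPSESSID.
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // Secure: only sent over HTTPS
        'httponly' => true,     // HttpOnly: not readable via document.cookie
        'samesite' => 'Strict', // not attached to cross-site requests
    ]);
    // Refuse session ids passed in the URL so a cookie is the only carrier.
    ini_set('session.use_only_cookies', '1');
}

// Given a raw Set-Cookie header value, return the required flags that are absent.
// Attribute names are case-insensitive per RFC 6265, so compare lower-cased.
function missing_cookie_flags(string $setCookie, array $required = ['Secure', 'HttpOnly']): array
{
    $attrs = array_map('trim', explode(';', $setCookie));
    array_shift($attrs); // first item is name=value, not an attribute
    $present = array_map(
        fn(string $a): string => strtolower(explode('=', $a, 2)[0]),
        $attrs
    );
    $missing = [];
    foreach ($required as $flag) {
        if (!in_array(strtolower($flag), $present, true)) {
            $missing[] = $flag;
        }
    }
    return $missing;
}

// Constructed headers: one as a default PHP install might emit it, one hardened.
$weak   = 'PHPSESSID=abc123; path=/';
$strong = 'PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Strict';

echo "weak header missing:   ", implode(', ', missing_cookie_flags($weak)) ?: '(none)', PHP_EOL;
echo "strong header missing: ", implode(', ', missing_cookie_flags($strong)) ?: '(none)', PHP_EOL;
```

The audit function is deliberately header-only so it can be run over captured responses without touching the application; HttpOnly is the flag that directly blocks the step 3 cookie theft, while Secure stops the same cookie from leaking over plain HTTP. Neither flag fixes the underlying XSS, so they complement the htmlspecialchars fix from step 1 rather than replace it.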
The OSCP book didn't cover any non-client-facing XSS.
Client-side attacks:
Invisible iframe
People who visit a site that contains this invisible iframe will connect back to the attacker's machine (the attacker can set up a netcat listener).