In this module, we exploit the XSS vulnerability present in the exercise target, so you can start the task below and repeat the steps at your own pace.

Get 10 new followers with the help of malware.

In this task, we exploit the XSS vulnerability in the WYSIWYG editor and inject our malicious code onto the DefaceBook wall.

XSS WYSIWYG 1


In this module, we will familiarize ourselves with WYSIWYG editors and exploit the XSS vulnerability hidden in this editor. Let's start by getting acquainted with the XSS worm that spread like wildfire in Samy Kamkar's MySpace in 2005.



https://en.wikipedia.org/wiki/Samy_(computer_worm)

https://www.youtube.com/watch?v=DtnuaHl378M

Next, we will follow in Samy's footsteps and execute the same attack.

Below is a picture of the TinyMCE WYSIWYG editor.


WYSIWYG (What You See Is What You Get) editors enable the creation of enriched text in the browser. Enriched text refers to text that can have colors, italics, sometimes images, lists, and other similar functionalities.

Typically, these editors are behind the scenes HTML editors that send the HTML code created by the user in the browser's WYSIWYG editor to the server.

Naturally, in such a solution, there is a risk that the user will add harmful JavaScript code to the HTML code, in addition to colors and fonts.

Let's start by creating a new post on the wall. We will intercept the resulting HTTP request using the BrupSuite program (turn on intercept) and add JavaScript code to the post:

post=hello<script>alert("Hello")</script>

When the vulnerability is confirmed, we can remove the post.

The goal of the task is to obtain ten followers on DeFacebook. We will carry out the attack in the following phases:

We investigate what kind of HTTP request arises from tracking another user.

We are building JavaScript code that runs a query and automatically monitors our account.

We exploit the recently discovered XSS vulnerability and inject malicious code onto the page.

We expect that ten bot users will be exposed to malware, and thus begin to follow us.

Open your user page and notice the identifier in the URL address.

Understand the structure of required HTTP request

Next, we monitor another user and search for the HTTP request from the BurpSuite program's HTTP history. We write down the path, method, and parameters.

Create JavaScript code that tracks our account

Now we write JavaScript code that monitors our account and ensures this operation in the JavaScript console.

Now that the malicious code is ready for operation, we will add it to the post within the 


Finally, we expect 10 people to visit the wall and be exposed to malware.

Note! - Remember to only use the path, not the entire URL, in the malicious code. Otherwise, the malicious code will fail due to CORS errors.

*In this module, we exploit the XSS vulnerability present in the exercise target, so you can start the task below and repeat the steps at your own pace.*

@exercise 168f0d2e9f88

In this module, we will familiarize ourselves with WYSIWYG editors and exploit the XSS vulnerability hidden in this editor. Let's start by getting acquainted with the XSS worm that spread like wildfire in Samy Kamkar's MySpace in 2005.

[https://en.wikipedia.org/wiki/Samy\_(computer\_worm)](https://en.wikipedia.org/wiki/Samy_(computer_worm) )

[https://www.youtube.com/watch?v=DtnuaHl378M](https://www.youtube.com/watch?v=DtnuaHl378M)

Next, we will follow in Samy's footsteps and execute the same attack.

## WYSIWYG Editors

*Below is a picture of the TinyMCE WYSIWYG editor.*

![](sanity:image-cdabddc75941003fc249b61360cd779b371e35ea-928x222-png)

WYSIWYG (What You See Is What You Get) editors enable the creation of enriched text in the browser. Enriched text refers to text that can have colors, italics, sometimes images, lists, and other similar functionalities.

Typically, these editors are behind the scenes HTML editors that send the HTML code created by the user in the browser's WYSIWYG editor to the server.

Naturally, in such a solution, there is a risk that the user will add harmful JavaScript code to the HTML code, in addition to colors and fonts.

---

## Finding Vulnerabilities

Let's start by creating a new post on the wall. We will intercept the resulting HTTP request using the BrupSuite program (turn on intercept) and add JavaScript code to the post:

**post=hello<script>alert("Hello")</script>**

When the vulnerability is confirmed, we can remove the post.

---

## Attack stages

The goal of the task is to obtain ten followers on DeFacebook. We will carry out the attack in the following phases:

- We will investigate our own username.
- We investigate what kind of HTTP request arises from tracking another user.
- We are building JavaScript code that runs a query and automatically monitors our account.
- We exploit the recently discovered XSS vulnerability and inject malicious code onto the page.
- We expect that ten bot users will be exposed to malware, and thus begin to follow us.

---

## Discovering your own username

Open your user page and notice the identifier in the URL address.

![](sanity:image-2f35d0cfc10e6ad68257092388b2607b9cf76ce4-373x47-png)

---

## Understand the structure of required HTTP request

Next, we monitor another user and search for the HTTP request from the BurpSuite program's HTTP history. We write down the path, method, and parameters.

![](sanity:image-bd3f3432c30bfcf396585d03a9a6a2a036882cd4-525x254-png)

---

## Create JavaScript code that tracks our account

Now we write JavaScript code that monitors our account and ensures this operation in the JavaScript console.

```javascript
fetch('/users/100/follow',{method:'POST'})
```

---

## Performing Attack

Now that the malicious code is ready for operation, we will add it to the post within the **script** element.

```javascript
post=hello <script>fetch('/users/100/follow',{method:'POST'})</script>
```

Finally, we expect 10 people to visit the wall and be exposed to malware.

*Note! - Remember to only use the path, not the entire URL, in the malicious code. Otherwise, the malicious code will fail due to CORS errors.*


WYSIWYG XSS and SoMe worms

Learn how to find and exploit a vulnerability that is one of the most common vulnerabilities, easy to find, and yet very dangerous. Hackerone ranked XSS the #1 bug bounty vulnerability of 2021.

XSS (Cross-Site Scripting) vulnerabilities are both common and serious. For example, HackerOne has listed XSS as the number one vulnerability on their top 10 vulnerabilities list.

Vulnerability management is therefore extremely important, whether you are a penetration tester, a security consultant, a developer, or a bounty hunter!

WYSIWYG XSS and SoMe worms

WYSIWYG Editors

Learn to hack — start here