In this module, we exploit the XSS vulnerability in the exercise target, so you can start the task below and repeat the steps at your own pace.
Continuing from the previous module's topic. This time, the developers have improved input handling and our previous malicious code no longer works.
Finding Vulnerability
We start by investigating what changes the developers have made, by trying the following combination.
'; //
Exactly, the developers have added escaping of quotation marks to the application, so that the JavaScript code treats quotation marks as part of the string. Escaping means using backslashes in situations where you want to use string-breaking characters as part of the string.
The string below contains a single quotation mark and a backslash is used to include it inside the string without breaking the string's definition.
const a = '\'';
// a is equal to 'We continue the analysis by examining how the application treats the backslash, i.e. whether we can escape the backslash. We input the following.
\'; //
Great, the application doesn't escape the backslash itself. This means that we can use a backslash before the quotation mark, so in the final JavaScript code, the application will escape our backslash and we can break the string and write our own JavaScript code. However, since the application escapes all the quotation marks we enter, we can't create our own strings in the application and we can't build our malicious code in the usual way. Fortunately, JavaScript has a built-in function called fromCharCode, which allows you to build strings without using quotation marks at all. It works like this.
var x = String.fromCharCode(120,115,115);
/*
120 == x,
115 == s,
115 == p
meaning that the fromCharCode function returns us the string xss
*/With the fromCharCode function, you can construct any string you want. Here you can find a list of characters and their char code values.
To double secure the vulnerability, we will still try to use the mentioned function in creating the alert box.
We create an 'xss' string and save it in the variable x. Then we input variable x into the alert function.
\'; var x = String.fromCharCode(120,115,115); alert(x); //
Exploit Vulnerability
Finally, we execute an attack using the same idea as in the previous module, meaning we utilize the built-in link storage function of the application to leak the administrator session cookie. This happens in the following steps.
- We will modify our previous malware in such a way that it uses the fromCharCode function for each character string.
- We add a link to the page that contains the final URL address where our malware is located. In this case, we use the search parameter.
- We expect the system administrator to test our link, which forces the system administrator's browser to create a new link itself, including their session cookies
- We log in as the system administrator
Try to reproduce the listed steps yourself! - You can take a cue from previous modules.
SPOILERI:
Ready to become an ethical hacker?
Start today.
As a member of Hakatemia you get unlimited access to Hakatemia modules, exercises and tools, and you get access to the Hakatemia Discord channel where you can ask for help from both instructors and other Hakatemia members.