[EN] TryHackMe 25 Days of Cyber Security: Day 6 Walkthrough
[Day 6] Web Exploitation: Be careful with what you wish on a Christmas night
What is XSS?
Cross-site scripting (XSS) is a web vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, and carry out any actions that the user is able to perform. If the victim user has privileged access within the application (i.e admin), then the attacker might be able to gain full control over all of the application’s functionality and data. Even if a user is a low privileged one, XSS can still allow an attacker to obtain a lot of sensitive information.
Why does it work like that?
Types of XSS
How to detect XSS?
Both reflected and stored XSS vulnerabilities can be detected in a similar way: by submitting input that contains HTML tags, such as <b></b> or others, and checking whether the page renders differently. Any change in text size or colour shows that the input was interpreted as HTML rather than displayed as plain text, which is the hallmark of an XSS vulnerability.
Bonus: Mitigating XSS
The rule is simple: all user input should be sanitized on both the client and the server side so that potentially malicious characters are removed or encoded before they are written back into the page (only the server-side check actually protects the application, since client-side checks can be bypassed). There are libraries to help with this on every platform.
Developers should always apply a filter to every text input field and follow a strict set of rules for processing the submitted data.
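The detection and mitigation points above, as an added example that is not part of the room or this walkthrough: a stdlib-only stand-in for the "Make a wish" page (the function names, the in-memory wish list and the sample URL are assumptions; the `q` parameter and the `<b>` probe come from the walkthrough). The vulnerable renderers concatenate raw input, the hardened ones HTML-encode it, and `classify_reflection` is the check a tester or a regression test would run to tell "rendered as markup" from "shown as text".

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed probe, the same idea as the <b></b> test in the walkthrough.
PROBE = "<b>probe</b>"

# In-memory stand-in for the app's saved wishes (hypothetical; the real app
# stores them server-side, which is what makes the issue a *stored* XSS).
_wishes: list[str] = []


def _query_param(url: str, name: str = "q") -> str:
    # parse_qs percent-decodes the value, exactly as a web framework would.
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_vulnerable(url: str) -> str:
    """Reflected XSS: the 'q' parameter is echoed straight into the HTML body."""
    return f"<h1>Results for: {_query_param(url)}</h1>"


def render_search_hardened(url: str) -> str:
    """Fixed: HTML-encode the parameter for the body context before echoing it."""
    return f"<h1>Results for: {html.escape(_query_param(url), quote=True)}</h1>"


def add_wish(text: str) -> None:
    """Persist a wish; nothing is validated here, the fix is at output time."""
    _wishes.append(text)


def render_wishes_vulnerable() -> str:
    """Stored XSS: every saved wish is written back raw to every visitor."""
    return "<ul>" + "".join(f"<li>{w}</li>" for w in _wishes) + "</ul>"


def render_wishes_hardened() -> str:
    """Fixed: encode each stored wish when it is rendered."""
    return "<ul>" + "".join(
        f"<li>{html.escape(w, quote=True)}</li>" for w in _wishes
    ) + "</ul>"


def classify_reflection(page: str, probe: str = PROBE) -> str:
    """The walkthrough's detection step as code.

    'rendered': the literal tag survived, so the browser will interpret it (XSS indicator).
    'encoded' : it came back as &lt;b&gt;..., i.e. displayed as text, not interpreted.
    'absent'  : the input was filtered out or never reflected.
    """
    if probe in page:
        return "rendered"
    if html.escape(probe, quote=True) in page:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    url = "http://MACHINE_IP:5000/?q=%3Cb%3Eprobe%3C%2Fb%3E"  # constructed
    print("reflected, vulnerable:", classify_reflection(render_search_vulnerable(url)))
    print("reflected, hardened:  ", classify_reflection(render_search_hardened(url)))
    add_wish(PROBE)
    print("stored, vulnerable:   ", classify_reflection(render_wishes_vulnerable()))
    print("stored, hardened:     ", classify_reflection(render_wishes_hardened()))
```

`html.escape` is the right tool for the HTML body context shown here; input that lands inside an attribute, a URL or a script block needs the encoding for that context, and a Content-Security-Policy that disallows inline scripts is a useful second layer if a spot is missed.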
1. Deploy your AttackBox (the blue “Start AttackBox” button) and the task's machine (green button on this task) if you haven’t already. Once both have deployed, open Firefox on the AttackBox and copy/paste the machine's IP (http://MACHINE_IP:5000) into the browser's address bar (the web server is running on port 5000, so make sure this is included in your web requests).
[No Answer Needed]
2. What vulnerability type was used to exploit the application?
The ‘Make a Wish’ website works by storing the value entered in the form and writing it back to the page for every visitor, just like comments on social media. Based on what we have found, the type of the vulnerability is ‘Stored Cross Site Scripting’.
3. What query string can be abused to craft a reflected XSS?
For example, if we search for ‘book’, the URL changes to:
In the URL, the question mark (?) introduces the query string sent with the GET request, ‘q’ is the parameter name, and whatever follows the equal sign (=) is the parameter’s value. A reflected XSS query string in the URL would look like this:
4. Launch the OWASP ZAP Application
[No Answer Needed]
5. Run a ZAP (zaproxy) automated scan on the target. How many XSS alerts are in the scan?
On the OWASP ZAP interface, click ‘Automated Scan’ on the right. Paste the URL of the target website and press ‘Attack’. The scan takes several minutes and can take much longer. When it is done, go to the ‘Alerts’ tab and analyse the results. As we can see in the picture, there are 2 alerts for reflected XSS.
6. Explore the XSS alerts that ZAP has identified, are you able to make an alert appear on the “Make a wish” website?
This code can be injected in the ‘New Wish’ field or in the URL query string, as in question 3.