Cross Site Scripting XSS Explained | TryHackMe Junior Penetration Tester

Captions
All right, welcome back. Today we will be doing the Cross-site Scripting room from the Junior Penetration Tester pathway. Cross-site scripting is the room before the last one, which is Command Injection; we will be doing command injection in the next video. Right, so let's jump in.

So basically, in the cross-site scripting room, task one all the way to task six are all readings. You can go through the readings to understand more about XSS; if you don't want to, you can just watch the video as usual. So we have two challenges: Perfecting Your Payload and Practical Example. I'm going to be explaining the basics of XSS while doing the practical challenges, to save your time and to save mine as well.

So I deployed the first one here. I'm going to take this link and navigate to it in my virtual machine. Okay, so we have around six levels. For each level we are presented with a box saying "Enter your name". By the way, these boxes are very common on all websites. You see these kinds of boxes for entering your name: sign-up boxes, contact forms, comment boxes. These areas of any website are all common places to test for cross-site scripting. First we have to understand what a common area for testing for cross-site scripting is, so one example is an input box like this one. This is an input box, all right.

So let's see here: what do they need from us? Basically we need to get the flag from level six, so we have to bypass all of these levels in order to get to level six and then be able to extract the flag.

So basically, for level one here, if you right-click on the box and inspect the element, you see we have here, um, I guess let's take a look at the source code. So in the source code, this is the element, this is the form, the method is GET, and here we have the "Enter your name" title, and then here we enter our name: input name equals payload. So here goes the input that we will enter in the input box. Okay, so let me open now a text editor so we can write our own payloads.

So the basic XSS payload that all of you know is... let me make this bigger. So, level one. Now if you type "hi" here (I just typed "hi"), it says "XSS payload failed", of course, because I typed only "hi". Right, now if you go to my editor here, the simplest form of any XSS payload is to get the browser to pop up a statement. Now let's take an example here; let me copy this payload and put it here. So if you try this one, you see now the browser popped up "hello", indicating that the site is actually vulnerable to cross-site scripting, or reflected cross-site scripting.

Let's see that in action here. But here we get "XSS payload failed". Maybe because we need to type here some sort of semicolon; let's try that. All right, next one. We don't have XSS yet; I don't know why it's failing, or saying it failed. So shall we replace this with a single quote? Right, it's just popping up; it means this is vulnerable. Okay, let me replace this with the text written in the room, which is THM; maybe this is what they want. All right, so make sure you type THM here, because this is the expected text in the alert that they would want you to get the browser to pop up in the room. So basically, make sure it's THM, nothing else.

Now go to level two. So now we have bypassed level one, so let's type the successful script. Now level two: if you try the same one with level two here, it's not going to work. You see now whatever you typed has been returned back to you as is. Now if you take a look at the source code, okay, so here is your payload: input value equals script alert THM slash script. And the reason is we have the double quotes; for some reason the double quotes are, you know, making a mess of our payload. So we have to get rid of these double quotes. So how do we do that? We need to make a small change to our payload. So we go back here, the same payload, right; we just need to close the double quotes, so we type a double quote and we close the statement with an arrow. Take that.

So while you do that, you see we have a double quote right now; if we close the double quote with this one here, okay, and we put this arrow to close the input tag, now our script will work; it will start from here, okay. Then let's try that, and it works. Now, why do you see this, by the way, a double quote and one right arrow? The reason for that is, if you take a look now at the source code, okay, let's take a look at the source code now: you see this double quote here, and we have the arrow that we entered, and then there goes our script that got executed, and lastly we got the extra double quote and arrow that came with the original source code. That's why you see this one here. All right, go to level three now.

So level three. Okay, now, normally we don't just throw XSS payloads in a blind way; we want to understand the code, so we make sure we end up with the minimum number of failed attempts, not to, you know, alert any kind of firewall that might be deployed behind your application. So first we want to understand the source code: view page source. Okay, let's type something like "hi", and now you see we have some sort of text area here. Let's take a look now at the page source. So this is the text area: a textarea tag, and then you have your input, and then the ending of the textarea tag. So now we have to bypass the textarea tag. In order to do that we have to close the beginning of the textarea tag and then start our script. So this corresponds to: if we want to close this textarea tag, we take this one, start our payload with this one, and then we follow that with the original payload. Let's try that, see if this is going to work. And it worked. Now let's check out the page source. Okay, here you go: textarea, and then we ended the textarea tag, and then we started our script, which got executed, and then we have an extra closing tag for the textarea, which won't do much to our script. The most important thing is to get the payload executed. This way, all right, level four.

So level four. Type now "hi", hello, "hi". All right, let's take a look at the source. Okay, see now there is a script; our input goes into a script. This is the opening and this is the closing: document.getElementsByClassName, and this is the name, [0].innerHTML equals "hi". So here you go, your input. So how do you bypass this, by the way? So what do you need to do now? The first thing is we bypass the single quotes here, so the first character of our payload will be a single quote. Next, we have to end this line here, so in order to end that we need a semicolon. With a semicolon we will be able to end this statement and start our statement. So basically, since this is JavaScript, we won't need to input the opening and the closing of the script; basically we have them here. What do we have to do now? We just have to end the statement with a semicolon and then directly jump to alert THM this way, and a double forward slash just to make sure that everything after our payload won't be executed, or will be treated as a comment. And this worked, actually. Let's take a look at the source now, see how the code looks. So this is it: now we ended the input with a single quote, and then we ended the whole statement here, right. Now after that, the script tag, after this statement, will jump to the next statement, which is here, and it will just do what all other scripts have done so far. Okay, go to level five.

All right, let's now view the page source. So let's see what we have here. So we have... what do we have? "Hello" and then we have "hi". Okay, so let's try with a normal script, right; seems like there's nothing wrong here. If we try with the simple one, let's see if it will get executed. As you can see, it didn't work. Why? Because there is a filter that strips out the word "script" from the tags. This is the opening; as you can see, it has been stripped from the script tag. If you take a look at the page source, you see here this is the opening and this is the closing of the script tag, so the word "script" is being filtered. So we have now some sort of filter behind the application. Okay, so to bypass the filter, what you can do here, so level five: you can take the simple form as is; we need to repeat the word "script" two times, but not in the way that you may imagine. So "script script" like that is not going to work. What we're going to do here, we're going to type "s" here and then, after the "t", we type "cript". What's going to happen now? The application will take the "script", filter it out, and leave us with another one. So "s" here and "cript" here. Let's see if this plays out. And actually it worked. Let's take a look at the source now. So this is your input; as you can see, the script has been just included in the source code as is. Okay, now to the last level.

So level six. Now, see, we have a path, and there is a path to an image, right. If we enter now, you see an image has been displayed. Now our options are just to replace the name of the image so we get a different image returned back to us. All right, if you take a look now at the source code, you see we have the image tag: source equals the path to the image. Now if you just go ahead and replace /images/cat with any one of these payloads, it will not work, because it will be included inside the source. So this won't work; you have to bypass the image tag here. So one way to do that is to get back: we will leave /images/cat as is, and we will be closing this with the double quotes and start our payload. So this time, because there is an image tag here, we're going to use the onload function, so onload equals alert. Let's take this as is, and that's it. Oh, okay, enter. So it didn't work: onload equals alert. How about we view the page source and see why this didn't work? Aha, so onload equals alert THM. Ah, all right, so this is the... we have one double quote here that doesn't have another; there is no, uh, you know, onload here, technically. See, the closing double quote doesn't have the corresponding opening one, so we need to type double quotes here, one here and one here; this way it will work, I guess. We have to remove them completely, right. Let me get back. So we have one here by the application, so let's remove this one and type one here to make the statement complete. So basically, if you don't know what onload is: the onload event executes the code of your choosing once the image loads, right; the application will execute the code you put here, even if the image doesn't exist, by the way. Ah, this way worked, and that's how you get the flag for the first level, or for this task.

So, next one. So let's terminate this machine and start this one. So in the last challenge we have to, yeah, we have to steal the cookies, all right, which is the perfect scenario, or the common scenario you would see in real-world cases, where you have, you know, a website vulnerable to cross-site scripting, and what the attacker would do: they would create a payload and include the payload in the URL like this one, send the URL to a user who is registered on the site, and once the user clicks on the link, the cookie of the user will be returned back to the attacker. That's what we'll do right now. We will wait for the machine to start. By the way, all of the payloads that I have written here you can find in the notes; I just published the notes. I will be publishing the updates in the application penetration testing notes; you can find them if you are subscribed to the channel membership. All right, let's see what happened to the machine. So we have the IP address now. All right, so we navigate now; we have this site, "Acme IT Support". Okay, all right, so before we dive in, let me just give a small introduction or premise. So basically, on this site, our objective will be to see if the site is vulnerable to stored cross-site scripting, which is very different from the reflected cross-site scripting that we examined in the last scenario. In the last scenario we got the browser to, you know, return or pop up some alerts back to the user, which is us. Now in stored cross-site scripting there is no alert returned back by the browser; any XSS payload that you input in any box will be stored in the website database. So for example, if you integrate a cookie stealer or keylogger into your XSS payload on some sort of page, every user who visits this page will have their cookies stolen, or whatever they type into this page will be logged and sent back to the attacker. That's the danger of stored cross-site scripting: the code will be executed without any need for another interaction between you and the victim. In reflected cross-site scripting you need to send a link to the victims in order to execute your code; now the case here is much different.

So let's see now how this plays out. If you go to Customers and sign up for an account... so now we will pretend that I am the admin of the site, okay. So I'm just now registering my information. Okay, log in. All right, so now suppose you are an admin, or let's say not admin, right; let's say you are a user on the site and you want to send a support ticket to the administrator of the website, you know, complaining about some technical issue, or complaining that you have some trouble regarding your request, regarding your application, whatever, doesn't matter. Now let's go ahead and create a ticket. Let's type "test", "test". So now our ticket has been created, right. Now the administrator will see your tickets here, and they will open the ticket and see the contents of the ticket. Until now everything is fine. Now let's create a new one. In this example here we will type "test2", and here we will input some sort of XSS payload, see if this will work. Now our objective is to build an XSS payload that will steal the cookies of the user that we have just registered, which is me, okay. Now suppose you are the attacker, right: you are creating a ticket, and you want that when the administrator or the website owner views the ticket, like we did a while ago, their cookie would be sent to you. So what do we do here? The first thing, we will craft the payload. So, challenge, okay. The first thing is we take a look at the source code, see what kind of input box this is; mostly this is a text area. Let's take a look at this, scroll down, scroll down. Okay, so here it is: we have a textarea here. As we saw previously, we have to close the textarea, okay. So in our payload here, instead of "test", I'm going to type the closing tag of the textarea in order to close this statement here. So the first thing, we take the textarea, or slash textarea, and then we type our payload. So basically the payload here will be much different from these; these are for reflected cross-site scripting. Now the same would apply actually for reflected cross-site scripting if you want to see the cookies of the user. So basically, type now script fetch; here I type the IP address of my machine, okay, and now I will start our web server on my machine. Why am I doing this, by the way? I want to get the user or the administrator who will view my tickets: when they visit my ticket, okay, the code here will be executed, which means they will be making a request to my web server, and when they make a request to my web server, their cookies will be included. That's how we steal the cookies. So 8000, which is the port, cookie equals... I just forgot what was here, let me see. It was... did I want to type the function for encoding the cookie into base64 to ensure successful transmission? We need base64 for that, okay, yeah, btoa, okay. So let's copy this part. So btoa will base64 the cookie to ensure successful transmission, and then we close the script. That's your payload. So now I'm going to go ahead and create a new ticket, send the payload, and wait for the cookies to come back. Dashboard, create a ticket, name it "test v2", and here you put your payload. Create. That's fine. Now you have done your part. Now there will come the administrator of the site; they will see two tickets. The first one is fine; the next one, when they click on it, you see there is nothing here, right. They will see nothing, only the subject. What happened? The code you have just entered as an attacker got executed, and now, unknowingly, they have sent you a GET request to your web server with their cookies included in the request. Let's take a look. All right, so this is the cookie, and as you can see, the cookie is encoded in base64. Let's take that and decode this one; no need anymore for the web server to be on. echo, base64 -d: admin equals false, session equals, and this is your last cookie. You get that, you answer with it, and the challenge will be done. So that was for today. I hope you enjoyed that, and see you in the next video.
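The defensive counterpart to the levels walked through above, as an added example that is not from the video or the TryHackMe room: each reflection context in the room (body text, quoted attribute, textarea, JavaScript string, img src) gets the output encoding that would have rendered the typed payload inert, the level-five word filter is reproduced to show why a single-pass strip fails, and the Set-Cookie line shows the HttpOnly attribute that keeps document.cookie out of reach of the stored-XSS payload. The payload strings are constructed to match what is typed in the video; the rendering functions, the class name `name` and the cookie name `session` are assumptions.

```python
"""Context-aware output encoding for each reflection context in the video, plus
the cookie attribute that blunts the cookie theft. Added example, not the room's code."""
import html
import json
import re

# Constructed inputs mirroring the payloads typed in the video; they are used
# here only to confirm that correctly encoded output shows them as plain text.
PAYLOADS = {
    "level1_body": '<script>alert("THM");</script>',
    "level2_attr": '"><script>alert("THM");</script>',
    "level3_textarea": '</textarea><script>alert("THM");</script>',
    "level4_js": "';alert('THM');//",
    "level5_filter": '<sscriptcript>alert("THM");</sscriptcript>',
    "level6_img": '/images/cat" onload="alert(\'THM\');',
}

def render_body(name: str) -> str:
    # Level 1 / 5: data between tags. Escaping & < > " ' makes <script>
    # arrive as &lt;script&gt;, which the browser displays rather than runs.
    return f"<p>Hello, {html.escape(name)}</p>"

def render_textarea(name: str) -> str:
    # Level 3: inside <textarea> the same escaping stops the </textarea> breakout.
    return f"<textarea>{html.escape(name)}</textarea>"

def render_attr(name: str) -> str:
    # Level 2: quoted attribute. quote=True turns " into &quot;, so the payload's
    # leading "> can no longer terminate value="..." and open a new tag.
    return f'<input name="payload" value="{html.escape(name, quote=True)}">'

def render_img(path: str) -> str:
    # Level 6: same rule for src, so a " inside the path cannot add onload=.
    return f'<img src="{html.escape(path, quote=True)}">'

def render_js(name: str) -> str:
    # Level 4: data inside a <script> block. json.dumps neutralises ' " and \,
    # but NOT </script>, so < and > are additionally written as \u003c / \u003e.
    # textContent replaces the room's innerHTML sink so markup stays inert.
    literal = json.dumps(name).replace("<", "\\u003c").replace(">", "\\u003e")
    return ("<script>document.getElementsByClassName('name')[0]"
            f".textContent = {literal};</script>")

def naive_strip(value: str) -> str:
    # Level 5's denylist: a single pass removing "script" is exactly what the
    # nested sscriptcript payload defeats, so its output is a live <script>.
    return re.sub(r"script", "", value, flags=re.IGNORECASE)

def session_cookie_header(session_id: str) -> str:
    # Stored-XSS part: HttpOnly keeps document.cookie, and so the fetch+btoa
    # payload, from reading the session; Secure and SameSite narrow exposure.
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

Escaping belongs at the point of output, chosen per context; the `naive_strip` function is kept only to make the filter's failure visible next to the encoding that replaces it.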
Info
Channel: Motasem Hamdan
Views: 22,200
Keywords: XSS, Training, OWASP
Id: 2eD6TtDpLtk
Length: 26min 57sec (1617 seconds)
Published: Thu Nov 11 2021