Cross-Site Scripting (XSS)- Defacing, Phishing, and Session Hijacking

Photo cred- @markusspiske

In this module we learned what the three types of XSS are as well as how to identify and exploit them. Before digging into the mechanics though, I’d like to point out something important to note.

In the previous post I covered deobfuscating Javascript and I touched on how being able to code isn’t really a requirement to being a web app security tester.

However, I firmly stand on this – having a firm grip of Javascript will greatly enhance your success in hunting bugs and exploiting web applications. And Cross-Site Scripting is a domain where Javascript reigns supreme.

We are still grinding along HTB’s Bug Bounty Job Role Path, https://academy.hackthebox.com/course/preview/cross-site-scripting-xss

Here’s a summary of what was covered:

• We looked at some real live XSS attacks that have occurred in history
• How to perform defacing to change the look of a website
• How to perform phishing attacks to steal login details which could be used to carry out phishing simulation exercises
• How to perform session hijacking attacks- obtaining cookies to be used to access user accounts

Day 41

Stored XSS

To get the flag, use the same payload we used above, but change its JavaScript code to show the cookie instead of showing the url.

Reflected XSS

DOM XSS

To get the flag, use the same payload we used above, but change its JavaScript code to show the cookie instead of showing the url.

Day 43 – 44

Defacing and Phishing

Try to find a working XSS payload for the Image URL form found at ‘/phishing‘ in the above server, and then use what you learned in this section to prepare a malicious URL that injects a malicious login form.

Then visit ‘/phishing/send.php‘ to send the URL to the victim, and they will log into the malicious login form.

If you did everything correctly, you should receive the victim’s login credentials, which you can use to login to ‘/phishing/login.php‘ and obtain the flag.