
Training Update v0.62


Thursday is here and we move on to the Intro to Cross-site Scripting room on THM!

This module covers XSS Payloads, Reflected XSS, Stored XSS, DOM Based XSS, Blind XSS, Perfecting your payload & Practical Example (Blind XSS)!

In the “Perfecting your payload” section of the room we are shown a series of web pages, each with an input box, and have to exploit a Cross-Site Scripting vulnerability in each one using a different method to bypass whatever filter is present.

I rushed ahead on this section and initially exploited reflected XSS via the URL bar, as I could see that the ‘payload=’ URL parameter was exploitable; however, this was not what was required (even though it worked!).


Instead I was required to check out the source code of the page, and, as I assumed, this was the required parameter; however, the payload was expected to be submitted via the text box/input tag with the exact syntax ‘<script>alert('THM');</script>‘.


After this was done and exploited, we move on to task 2.


Task 2 – It wouldn’t work if we were to try and use the previous JavaScript payload, because our input lands inside the value attribute of an input tag, where it is rendered as text rather than executed. Instead, we need to escape the input tag first so the payload can run properly. We did this with the following payload: "><script>alert('THM');</script>

The important part of the payload is the "> which closes the value attribute and then closes the input tag, so the script tag that follows sits in the page body where the browser will execute it.


Task 3 – This time we have been presented with an input parameter which asks for my name and reflects the data back into a <textarea> section on the web application.


We’ll need to escape the textarea tag a little differently from the input one (in Level Two), because the browser treats everything inside <textarea> as plain text until it sees the closing tag. The following payload closes the textarea first and then injects the script: </textarea><script>alert('THM');</script>.


Task 4 – Entering my name into the form, we see it reflected on the page. This level looks similar to level one, but upon inspecting the page source, we see that our name gets reflected inside some JavaScript code.


We’ll have to break out of the existing JavaScript string so that our code runs; we do this with the following payload ';alert('THM');// which, as the screenshot below shows, executes. The ' closes the string literal holding the name, the ; ends the current statement so alert('THM') starts a new one, and the // at the end turns the remainder of the original line (the page’s own closing quote and semicolon) into a comment rather than a syntax error.


Task 5 – We try the same payload as task 1; however, we can see from the picture below that the web application has stripped the word script out of our payload.


We can see this confirmed within the source code.


What we need to do is use a payload that survives a single pass of the filter: <sscriptcript>alert('THM');</sscriptcript>. The filter removes the string ‘script’ from each tag once, and what is left over is <script> and </script>, so the code executes and we can progress.


Task 6 – Similar to level two, where we had to escape from the value attribute of an input tag, we can try "><script>alert('THM');</script>, but that doesn’t seem to work. Let’s inspect the page source to see why that doesn’t work.


You can see that the < and > characters get filtered out of our payload, preventing us from escaping the IMG tag. To get around the filter, we can take advantage of the additional attributes of the IMG tag, such as the onload event handler. The onload event executes the code of your choosing once the image specified in the src attribute has loaded onto the web page.

Let’s change our payload to /images/cat.jpg" onload="alert('THM'); and then view the page source. The leading /images/cat.jpg" closes the existing src attribute value, and the page’s own closing quote and > complete the injected onload attribute, so our input never needs a < or > character.


We get the flag from task 6 – THM{XSS_MASTER}

Side note –


While moving to the last section of this module, THM absolutely shit itself and was having some major issues, with Cloudflare boxes popping up and refusing to load.

Practical Example (Blind XSS) –


staff-session=4AB305E55955197693F01D6F8FD2D321


THM Update –


Overall, quite a fun room which covers a lot in a fun and expansive way, with good practicals and various techniques to overcome XSS restrictions!


Until next time & don’t sleepwalk through life!

Mirupafshim