This is the demonstration of Stored Cross-Site-Scripting attack in Change Secret and Cookies and for this demo, I’ll be using bWAPP and bWAPP is a buggy web application and we can use to test various vulnerabilities in the web.
bWAPP Official Link:- http://www.itsecgames.com/
How to perform a Stored Cross-Site-Scripting attack in Change Secret?
Now please choose Cross-site-Scripting — Stored (Change Secret) from the drop-down menu and click Hack.
As you can see from the above screenshot there is an input box to change the current user secret and if you go to the phpMyAdminthen you will find a secret column under "users" table.
To test let’s enter one secret message "Nice".
As you can see from the above screenshot the "secret" has been changed to "Nice".
So what’s happening is actually when you enter a new secret message, it’s taking the input of the secret message and also in the hidden input field it’s passing the user’s login name.
As you can see from the screenshot in the hidden input field the user’s name is passed to the server and this is always a bad practice to send the data in an input hidden field because most of the time developers forgot to validate this input fields and it will be very easy for the attacker to inject malicious code to the application.
Now let’s change the input type of this "hidden" field to "text". Right-click "Inspect Element" and go to the hidden input field and change the input type to text and hit enter.
As per the above screenshot, you can see the attacker changing the input type to text, so that he can inject malicious code to the application.
"><img src=x onerror=alert(1)>
So in order to prevent this attack always try to avoid using hidden input fields and if you are using then do proper sanitization of special characters otherwise it’s very easy for the attacker to inject malicious code.
For more information?
How to perform a Stored Cross-Site-Scripting attack in Cookies?
Now please choose Cross-site-Scripting — Stored (Cookies) from the drop-down menu and click Hack.
As per the above screenshot, you can see an interface where which type of movie you like and if you hit the Like button then the message will appear that "Thank you for making your choice!".
Now let’s intercept the request in burp suite so that we can know what’s going on in the background.
As per the above screenshot, we got the HTTP request and as you can see in cookie header the movie_genre is reflecting.
As per the above screenshot, I'll pass new movie type "thriller" and let’s check it’s reflecting or not.
As you can see which movie type I passed it’s reflected on the cookie header, so I could able to insert one more new movie type to the parameter.
So as per this vulnerability, an attacker can able to inject malicious code to the cookie header.
And in order to prevent this attack proper validation is required in the query parameter.
For more information?
I hope you guys like this post-bye bye for now.
Happy Hacking :)