In this scenario we will begin with a simple, easily exploitable reflected XSS bug, then move on to a cookie-stealing scenario and finally to the total pwnage of the remote target.
We begin with this simple web app
After checking the DB and logging in, the web admin is directed to a page like this:
And if we try to search for something we see:
We see here a simple search web form; it seems that the admin can use it to search for content in the server DB. The beginning of the PHP code behind it might look like this:
<?php $name = $_GET['q']; ?>
You are searching: <?php echo $name; ?>
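For contrast, here is the hardened form of that search page. This is an added example, not code from the original app: only the parameter name `q` comes from the snippet above; the helper name `h()` and the headers are my own choices. The fix is to HTML-encode the untrusted value at the point where it is written into the page, and to add a Content-Security-Policy as a second layer in case encoding is forgotten somewhere else.

```php
<?php
// Hardened search page (added example, not the original app's code).
// Only the `q` parameter comes from the original snippet; everything else is assumed.
declare(strict_types=1);

/**
 * HTML-encode untrusted text for insertion into an HTML element body or a
 * double-quoted attribute value. ENT_QUOTES encodes both ' and " so the value
 * cannot break out of an attribute; ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of silently returning an empty string.
 */
function h(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Reject non-string input such as ?q[]=x, which would make $_GET['q'] an array
// and turn the echo into a warning plus the literal text "Array".
$name = (isset($_GET['q']) && is_string($_GET['q'])) ? $_GET['q'] : '';

// Defence in depth: a CSP without 'unsafe-inline' blocks an injected <script>
// or on* handler even if some other template forgets to encode.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
header('X-Content-Type-Options: nosniff');
?>
<!doctype html>
<meta charset="utf-8">
<p>You are searching: <?= h($name) ?></p>
```

With this in place a request such as `?q=<b>test</b>` renders the literal text `<b>test</b>` instead of bold markup, because `<` and `>` arrive in the HTML as `&lt;` and `&gt;`. Note that `htmlspecialchars()` is the right encoder only for HTML body and attribute contexts; a value placed inside a `<script>` block or a URL needs the encoder for that context instead.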
As we see, the content of the text box is printed directly on the page; this looks like the typical reflected XSS bug. We can check that by entering the following
inside the text box:
First of all we start our netcat listener on port 80:
nc -lvp 80
Now we can generate an evil email which includes a link to the following URL:
This will try to send the cookie to the netcat listener on our box. The next step is to use social engineering to send a mail to our victim and steal its cookie:
We can also use a command line tool in Kali to send the evil mail:
And when our victim opens our mail:
We got our victim’s cookie!!
Now we can use an HTTP proxy like Paros to set that cookie and browse the site as admin:
Now we can browse the site as admin:
But what to do now? We only got the admin account; it looks like we can't do anything funny here.
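The cookie theft above works because the session cookie is readable from JavaScript and is accepted from any client that presents it. The following is an added example of how the admin login should configure its session cookie and validate the session on each request; it is not the original app's code, and the function names, the `/login.php` path and the 900-second idle limit are my own assumptions.

```php
<?php
// Session-cookie hardening for the admin area (added example, not the
// original app's code; function names, paths and timeouts are assumed).
// Requires PHP 7.3+ for the array form of session_set_cookie_params().
declare(strict_types=1);

/**
 * Configure the session cookie before session_start().
 * HttpOnly keeps document.cookie from reading the session id, so the reflected
 * payload cannot exfiltrate it; Secure limits it to HTTPS; SameSite=Strict
 * keeps it off cross-site navigations such as a link in an email.
 */
function start_hardened_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, gone when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

/**
 * Call once the credentials have been checked. Rotating the id on login
 * invalidates any id handed out before authentication, and recording a
 * User-Agent fingerprint lets later requests detect a replayed session.
 */
function on_successful_login(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user']      = $username;
    $_SESSION['ua_hash']   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['last_seen'] = time();
}

/**
 * Call on every admin request: expire idle sessions and drop sessions whose
 * User-Agent no longer matches the one recorded at login.
 * Returns true when the request may proceed as the logged-in admin.
 */
function require_admin_session(int $idle_limit_seconds = 900): bool
{
    if (empty($_SESSION['user'])) {
        return false;
    }
    $ua_hash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $idle    = time() - (int) ($_SESSION['last_seen'] ?? 0);
    if (!hash_equals((string) ($_SESSION['ua_hash'] ?? ''), $ua_hash)
        || $idle > $idle_limit_seconds) {
        session_unset();
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();   // sliding idle timeout
    return true;
}

// Typical use at the top of every admin page:
start_hardened_session();
if (!require_admin_session()) {
    header('Location: /login.php', true, 302);
    exit;
}
// ... admin page content follows; on_successful_login() is called from login.php
```

The User-Agent check is a weak signal on its own, since a replaying client can copy the header, but combined with HttpOnly, SameSite and a short idle timeout it narrows the window in which a stolen id is usable and gives the server a concrete event to log when a session is rejected.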
We can escalate this attack by starting a client-side exploit; we can use browser autopwn, for example.
We start the server and craft our evil URL:
We can use the same trick as before to redirect our victims to our evil URL.
And when the victim gets caught:
By setting up this scenario, I dare you to think about all the possibilities of this attack.