tcpiplab / Web-App-Hacking-Notes

Notes I've taken while working through various web app pentesting labs.

Test Reflected XSS Cookie Stealing Across Accounts #1

Open tcpiplab opened 7 years ago

tcpiplab commented 7 years ago

This is for xss-reflected-steal-cookie.md. The scenario would be that user A tricks user B into clicking a link containing the XSS code.

  1. Test from one account to another of similar privilege.
  2. Test to see if it could be used for privilege escalation too.
  3. If that all works, move on to doing it as a Stored XSS.

tcpiplab commented 7 years ago

Tested the XSS link in the HTML file. It successfully stole the admin user's PHPSESSID cookie and sent it to the Python listener:

2017-02-11 06:49 AM - 192.168.0.254 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
------------------------------------------------------------------------------------------------------------------
Cookie Name         Value
------------------------------------------------------------------------------------------------------------------
security            ['low']
PHPSESSID           ['958o040rdnl9b5flseb5po85p3']

But I made some mistakes in my testing of the next steps. I need to plan it out more carefully:

  1. Add the stolen cookie to a browser not yet having a PHPSESSID cookie from 192.168.0.18.
  2. From a different browser, try to load a page that otherwise would require a password: http://192.168.0.18/dvwa/. But note that the original admin user must still be logged in with the same PHPSESSID cookie.
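The replay in step 2 above is exactly what a server-side check can catch: the same PHPSESSID showing up from a second IP address and User-Agent while the original session is still active. The following detection script is an added example, not part of tcpiplab's notes or of DVWA; it assumes a constructed access-log format (`timestamp ip session_id "user_agent" path`) and uses constructed sample lines built around the PHPSESSID from the listener output.

```python
"""Flag a session cookie that is being used from more than one client.

Added example (not from the notes). Assumed log format per line:
    timestamp ip session_id "user_agent" path
"""
import re
from collections import defaultdict

# Constructed sample log: the admin browses from 192.168.0.254 with Firefox/51,
# then the same PHPSESSID is replayed from 192.168.0.77 with a different browser.
MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0"
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
SAMPLE_LOG = "\n".join([
    f'2017-02-11T06:49:01 192.168.0.254 958o040rdnl9b5flseb5po85p3 "{MAC_UA}" /dvwa/index.php',
    f'2017-02-11T06:49:02 192.168.0.254 958o040rdnl9b5flseb5po85p3 "{MAC_UA}" /dvwa/vulnerabilities/xss_r/',
    f'2017-02-11T06:51:10 192.168.0.77 958o040rdnl9b5flseb5po85p3 "{LINUX_UA}" /dvwa/',
    '2017-02-11T06:52:00 192.168.0.33 f3k9constructedsessionid01 "curl/7.51.0" /dvwa/login.php',
])

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\S+)$')


def parse_log(text):
    """Yield (timestamp, ip, session_id, user_agent, path) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groups()


def find_hijacked_sessions(text):
    """Return {session_id: [(ip, user_agent), ...]} for every session seen from
    more than one client fingerprint. A legitimate user normally keeps one IP
    and User-Agent for the life of a PHPSESSID; a second fingerprint on the
    same id is the signature of a replayed (stolen) cookie."""
    seen = defaultdict(list)  # session_id -> distinct fingerprints, in order seen
    for _ts, ip, sid, ua, _path in parse_log(text):
        fp = (ip, ua)
        if fp not in seen[sid]:
            seen[sid].append(fp)
    return {sid: fps for sid, fps in seen.items() if len(fps) > 1}


if __name__ == "__main__":
    for sid, fps in find_hijacked_sessions(SAMPLE_LOG).items():
        print(f"session {sid} used by {len(fps)} distinct clients:")
        for ip, ua in fps:
            print(f"  {ip}  {ua}")
```

Pairing this with the HttpOnly flag on PHPSESSID (so document.cookie cannot read it in the first place) and regenerating the session id after login closes the gap the lab exploits; IP-only checks will false-positive on users whose address changes mid-session, which is why the fingerprint here also includes the User-Agent.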