0xor1day

SSRF and XSS

3 min read

SSRF - server side request forgery -allows user to cause the webserver to make an additional or edited HTTP request to the resource of the attacker’s choosing -two types

  1. data is returned
  2. blind -successful SSRF can result in access to unauthorized area, access data, scale to internal networks, reveal authentication tokens

&x= - payload ending stops the remaining path from being appended ?x= - turns to query string

https://website.thm/item/2?server=api https://website.thm/item/2?server=server.website.thm/flag?id=9&x= server requesting: https://server.website.thm/flag?id=9&x=.website.thm/api/item?id=2

requestbin.com - HTTP logging tool to monitor requests SSRF defenses -Deny List: all request accepted except a list to protect sensitive endpoints (169.254.169.254 - may contain sensitive data in a cloud env) -Allow List: all request denied except a list -open redirect: an endpoint on the server where the website visitor gets automatically redirected to another website address

Cross-site Scripting (XSS) -injection of malicious JavaScript into web app with intention of being executed by others A payload: javaScript code the attacker wishes to execute on target machine

document.cookie - contains the user’s session token session stealing: steal user session from cookies of a target machine can take over the target session key logger: get the key log that user typed that is in control of attacker business logic: call a javascript function or particular network resource

Reflected XSS -user-supplied data in an HTTP request is included in the webpage source without any validation

  1. attacker sends a link to victim that contians a malicious payload
  2. victim visits vulnerable website
  3. attacker’s script is executed on website
  4. data the attacker’s script gathered in send to attacker (cookie = can take over victim’s account) test for Reflected XSS -parameters: in the url query string a good place to test for relected XSS -url file path

Stored XSS -stored in a database -user input needs to be checked for JavaScript or malicious code

  1. Attacker inserts malicious payload into client database
  2. Victim visits website and malicious script is executed
  3. The data the malicious script gathered is sent to attacker (attacker can take over victim’s account) test for stored xss

**Polyglots:

An XSS polyglot is a string of text which can escape attributes, tags and bypass filters all in one. You could have used the below polyglot on all six levels you’ve just completed, and it would have executed the code successfully.

jaVasCript:/-//*\/’/”/**/(/* */onerror=alert(‘THM’) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/—!>\x3csVg/<sVg/oNloAd=alert(‘THM’)//>\x3e

Blind XSS practical - extract another user’s cookies, take over their session

  1. setup a listening server using netcat nc -nlvp 9001

  2. Payload The tag closes the textarea field. The closes the JavaScript code block.

Graph View