THM - Advent of Cyber [Day 5]

Today’s task deals with XSS (Cross Site Scripting). XSS is when malicious JavaScript is injected into a web app and can sometimes be executed by other users depending on the type of XSS. The task describes the four types of XSS vulnerabilities: DOM, reflected, stored, and blind.

DOM

Document Object Model (DOM) based XSS is when malicious JavaScript is executed directly in the browser, with no new page load or backend code involved. This is different from the other XSS types because they typically involve the malicious code being in the web page response from the server, not in the DOM environment of the victim’s browser.

Reflected

Reflected cross-site scripting is when a user can supply malicious JavaScript in an HTTP request and have the code execute when the user visits the page. The easiest way to remember this is that the web page ‘reflects’ the input a user sends to it.

Stored

This is a very dangerous type of XSS because the malicious code is ‘stored’ (go figure) on the victim server and is loaded on every subsequent visit to the page by other users.

Blind

This kind of attack is like stored XSS, only you can’t see the payload working.

The Task

The task is to fix the website that the Grinch has ruined by changing Christmas to Buttmas using a plugin. We’ll need access to the Grinch’s account to set everything right.

After logging in as McSkidy, the task wants us to change the Grinch’s password so we can gain access. First we should check whether it’s possible to use HTML in comments, so we can make a link that resets the password of the Grinch’s account. We can show this by typing hello world in the comment section with an HTML underline tag around world and seeing that world is rendered underlined, meaning the comment section is accepting HTML. Now we can pass JavaScript into the comment and link to our malicious code. Here’s the payload that the task wants us to use:

<script>fetch('/settings?new_password=pass123');</script>

Once our comment has been left, any user that visits the forum will have their password changed. This is a blind XSS and, according to the task, the Grinch will visit our web page every minute or so. After waiting, we can simply log out of our account and into the Grinch’s, and there’s a nice flag waiting for us!
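The root cause here is that the comment section writes user text straight into the page. Below is an added example (my own code, not part of the TryHackMe room) showing the unsafe rendering next to the escaping version that would have defeated the underline test and the payload, plus a small audit helper for flagging comments that were stored while the unsafe renderer was live. The sample comments are constructed for the example.

```javascript
// Constructed sample comments: the underline probe, the payload from the
// task, and a harmless comment for comparison.
const SAMPLE_COMMENTS = [
  "hello <u>world</u>",
  "<script>fetch('/settings?new_password=pass123');</script>",
  "Merry Christmas, not Buttmas!",
];

// Vulnerable rendering: user text is concatenated straight into markup,
// so the browser parses any tags it contains. This is why the underline
// test worked and why the script in the comment ran for the Grinch.
function renderCommentUnsafe(text) {
  return `<div class="comment">${text}</div>`;
}

// Hardened rendering: every character that has meaning in HTML is
// replaced by its entity, so the comment is displayed as literal text.
function escapeHtml(text) {
  const entities = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return String(text).replace(/[&<>"']/g, (ch) => entities[ch]);
}

function renderCommentSafe(text) {
  return `<div class="comment">${escapeHtml(text)}</div>`;
}

// Server-side check for comments that already sit in the database from
// before the fix: flags script-like tags, inline event handlers and
// javascript: URLs so a moderator can review and remove them.
const ACTIVE_MARKUP = /<\s*(script|iframe|img|svg)\b|\bon[a-z]+\s*=|javascript:/i;

function looksLikeActiveMarkup(text) {
  return ACTIVE_MARKUP.test(text);
}

function auditStoredComments(comments) {
  return comments.filter(looksLikeActiveMarkup);
}
```

Escaping only stops the comment from delivering the request; the settings endpoint that changes a password on a plain GET with no current-password check is the second defect and needs its own fix.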
