Overview
In this tutorial, I will cover a simple technique to identify reflected values in a target web application and easily locate Cross-Site Scripting vulnerabilities. By injecting unique heuristic strings, we can quickly check if the value we are testing is reflected and not being sanitized by the application. I have used this technique in the past and it has helped me find various injection bugs that have paid up to $500 in some cases.
Requirements
In order to use this technique, you’ll need Burpsuite along with the custom grep strings and fuzz lists provided in this tutorial to get started. For more advanced tricks covered at the end of this tutorial, you’ll also need Apache and Beef (Browser Exploitation Framework).
Why is this helpful to me?
Using this technique allows you to do the following:
- Find reflected values quickly (only 3 requests per injection point)
- Find the location of all reflected values in the response
- Confirm XSS vectors via heuristic testing
- Exploit XSS vectors with certainty
Great! How do I do it?
1 - Download the Burp attack configuration or manual payload and grep
strings here
2 - Load the attack configuration or manual payload lists from the Burp
Intruder menu
3 - Copy/paste the request to the Intruder screen and add injection
points:
- Form fields
- GET/POST parameters
- Header fields
- Cookie values
- URI structure
NOTE: You’ll need to copy/paste the hostname into the “Host” tab of the Intruder configuration for this to work.
4 - Run the attack and analyze the results. Is “INJECTX” reflected? If
so, are HTML special characters such as <>/()”’ sanitized? If not,
XSS is possible.
5 - If HTML special characters are reflected in the response, proceed to
XSS exploitation
Workflow:
1 - Is the injection point reflected in the response? If yes, goto step 2. As seen below, the “INJECTX” string is found which confirms the payload was reflected.
2 - If the payload was reflected in the response, where in the response is it reflected? Search for “INJECTX” to find all injection points. Go to step 3.
3 - Once reflected injection points are found, which characters are being sanitized? Again, search for “INJECTX” in the response and look for the heuristic test characters to see which are still untampered. At a minimum, we’ll need “‘></(). To make this easier, you can create searchable columns in Burpsuite and specify “INJECTX”, “” and “(INJECTX)” as your grep strings. If these characters or search strings are found, then XSS is possible. Proceed to step 4.
4 - If XSS is possible, inject our “real” XSS payloads either through manual browser attempts, Burp Intruder or Repeater to exploit the XSS vector. In this case, I’m using <iframe> that’s linked back to my web server.
Remote XSS Confirmation
Using a remote payload such as an <iframe> or <img>, you can get remote confirmation via Apache logs which also help keep track of blind and stored XSS vectors. This will also list the referring page the XSS loaded from along with the source IP which helps to keep track of which page and hosts are vulnerable.
Advanced XSS and Client-side Attacks via Beef
Since we control the <iframe> page, we can inject whatever HTML/JS code we want. In this case, it loads a Beef (Browser Exploitation Framework) hook.js which can be used to launch more advanced XSS/client side attacks.
Drawbacks and limitations:
- XSS vectors must be reflected in the static HTML response
- Does not work with DOM XSS injections unless additional plugins such
as BurpKit are used or JS is rendered manually using other techniques - Does not work great for blind XSS vectors
- Does not take into account XSS bypass methods if input is sanitized
Demo Video
Download
Questions? Comments/feedback?
@CrowdShield on twitter
Bugcrowd: https://bugcrowd.com/1N3/
GitHub: https://github.com/1N3
Website: https://crowdshield.com