
How to send a link where HTML has been modified?


pierre


Hello,

I know my question is a little bit unclear.

But with Firebug, I've found a potential XSS by adding a JavaScript instruction in an HTML field at URL 192.168.1.1/DVWA/vulnerabilities/xss_r/:

<a href='javascript:alert(document.cookie)'>Home</a>

The original field was:

<a href="../../.">Home</a>

My question would be:

How does an attacker send a malicious link to a victim with a webpage modification included in the link?

Edited by tot94

Look at what gets sent to the server when you submit data, then look at how you can modify it as part of the attack.

Rather than asking questions about every section on DVWA, have you considered doing an intro course? You'd learn a lot more. I'd recommend looking at stuff from SecurityTube.


An intro course: have you got any URL?

But in online videos, there is only attacker-server.

For SQLi, it is fine, whereas in XSS or CSRF, the situation is victim-attacker-server, which is not present in online videos.

Edited by tot94

Quote: "An intro course: have you got any URL?"

Search for SecurityTube.

Quote: "For SQLi, it is fine, whereas in XSS or CSRF, the situation is victim-attacker-server, which is not present in online videos."

XSS doesn't go through the attacker, it goes direct.


I have already performed JavaScript injection by sending a malicious link to a victim like this:

http://192.168.1.1/DVWA/vulnerabilities/xss_r/?name=<script>alert(document.cookie);</script>

But here I need to get around the protection on the page by injecting JavaScript in HTML events like this:

<a href="javascript:alert(document.cookie)">Click me</a>

But I have to modify the HTML page code with Firebug.

So I was wondering how I could send a link with JavaScript in an HTML event to a victim in order to steal cookies?

:cool:  :cool::cool::cool::cool:

Edited by tot94

You would send them this and ask them to click on it:

http://192.168.1.1/DVWA/vulnerabilities/xss_r/?name=<script>alert(document.cookie);</script>

You don't modify anything.


No, here I can't because of this pattern:

/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i

It intercepts the <script> tag and replaces it with a space.

So I have to bypass this hardening with an HTML event, which is what I described above.

But I don't know how to send the link with the HTML page modified.

Am I more understandable?


I think you've misunderstood how reflected works.

At the DVWA level you send out a link that the user clicks on, and that is it: it goes direct to the user, then direct to the site. If you are intercepting things, then it isn't XSS.

Which level are you trying to solve?


Look at what the page is filtering:

$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );

Now look at this XSS cheat sheet and spot a way to send XSS that doesn't get caught by this regex check:

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Enter that into the field and see what happens. Now look at where you are and work out how you would get that to a user in a way they could click on it.


Yes, I've found the section able to bypass the hardening:

Malformed A tags

Skip the HREF attribute and get to the meat of the XXS... Submitted by David Cross ~ Verified on Chrome

<a onmouseover="alert(document.cookie)">xxs link</a>

or Chrome loves to replace missing quotes for you... if you ever get stuck just leave them off and Chrome will put them in the right place and fix your missing quotes on a URL or script.

<a onmouseover=alert(document.cookie)>xxs link</a>


Thanks :)


Do you understand the concept now? You don't need to intercept things, all the interaction is between victim and site. Your job is to work out what to ask the victim to request.

For an attack string, my usual weapon of choice is

<img src="x" onerror="alert(1)" />

As it triggers without the user having to do anything.

