Skip main navigation

Exploitation Cont.

In this video, Paulo Silva will demonstrate a continued attempt to insert a payload into the system and expand on vulnerabilities to XSS threats.
6.5
This is the original payload. Let’s try something different. This time, we will use an image attack with an empty source attribute, meaning that loading image will fail. In case of error, a model box with the text “XSS” should be shown.
27.5
Let’s copy and paste it in the search box.
35.3
Here it is, our model box.
41.1
As you can see, the payload is also in the URL.
46.6
It doesn’t appear in the page’s body, but it was added to the DOM. Since the payload is in the URL, if we send it to another user, then it will be executed in the user’s browser.
72.4
Let’s go a step further. First, we need to know what information is stored in the browser when we are authenticated.
117.6
We have several cookies and one item in the local storage. The token is also stored as a cookie, and both are used for authentication purposes. The value is a JSON web token, which we can decode and see what’s inside as long as the payload section is not encrypted.
159.7
In this case, we can see the email, password, and role, among several other details.
168.8
Let’s now change our XSS payload to show token’s value in the model box instead of the word “XSS”.
191.1
Instead of typing the payload into the search input field, we can craft a malicious URL to send to our victims.
215.4
Assuming Juice Shop admin receives and visits this URL, then the model box should show the value of admin’s token.
225.6
Instead of opening a model box, attackers can use other techniques to receive the value on the servers controlled by them. Assuming this is what happened, let’s see what an attacker can do with the token on its one browser.
255.5
As you can see, there is no active session in attacker’s browser.
271.8
The browser doesn’t have a cookie called token, so we will create one with the value stolen from victim’s browser.
287.1
We have to do the same in the local storage.
304.1
Now, if we reload the page, we are authenticated as Juice Shop admin.
338.5
This is called session hijacking, one of XSS possible consequences, and from now on, we can act on admin’s behalf. Next, we will discuss what makes the application vulnerable and how to prevent it.

In this video, the demonstration on identifying if the system is vulnerable to XSS threats is continued

In the last video, you saw an attempt to insert a payload into the system, which was not successful. In this video, you will see a continued attempt to do so. You will also learn what these attempts and failures can tell you about the system to help you plan an alternate attack.

Investigate and share: You have just watched a demonstration on session hijacking. Go to the OWASP Session Hijacking page and read the information there. Do you think that your system is vulnerable to these kinds of attacks? What are you currently doing to mitigate these attacks? In the next video, you will learn more about how to protect your system, but first share your comments in the section below.

This article is from the free online

Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education