5.3.3 Stored XSS

Stored XSS

Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

Suppose a website allows users to submit comments on blog posts, which are displayed to other users. Users submit comments using an HTTP request like the following:

POST /post/comment HTTP/1.1 Host: vulnerable-website.com Content-Length: 100 postId=3&comment=This+post+was+extremely+helpful.&name=Carlos+Montoya&email=carlos%40normal-user.net

After this comment has been submitted, any user who visits the blog post will receive the following within the application's response:

<p>This post was extremely helpful.</p>

Assuming the application doesn't perform any other processing of the data, an attacker can submit a malicious comment like this:

<script>/* Bad stuff here... */</script>

Within the attacker's request, this comment would be URL-encoded as:

comment=%3Cscript%3E%2F*%2BBad%2Bstuff%2Bhere...%2B*%2F%3C%2Fscript%3E

Any user who visits the blog post will now receive the following within the application's response:

<p><script>/* Bad stuff here... */</script></p>

The script supplied by the attacker will then execute in the victim user's browser, in the context of their session with the application.

Lab

Inject a Stored XSS's payload into a Blog's comment field.

Exploit Stored XSS Vulnerability in MyBB Forum

What is MyBB Forum?

MyBB, formerly known as MyBulletinBoard, is an open-source forum software written in PHP. It allows users to set up and manage their own online communities where people can post discussions, share information, ask questions, and interact with each other. MyBB provides various features such as user registration and profiles, customizable themes and templates, private messaging, moderation tools, and plugins/extensions for additional functionality. It's popular among website owners who want to create vibrant online communities without extensive programming knowledge, thanks to its user-friendly interface and extensive customization options.

  • Login into MyBB

  • Download and execute (./script.py) python script to enumerate potential MyBB plugin vulnerable

We can exploit it following these steps:

  • Go to downloads.php page

  • Create a New Download

  • Add the following to the title <BODY ONLOAD=alert('XSS')>

  • Now when the admin goes to validate your download he will be alerted

Previous5.3.2 Reflected XSSNext5.3.4 DOM-Based XSS

Last updated