Web Labs Basic

Cross Site Scripting

XSS Lab 1

We land on this page, and our User-Agent header is reflected back to us:

user agent

We turn on intercept in Burp (the Repeater tab works just as well) and replace the User-Agent header with a first payload: <script>alert(1)</script>

Burp

It works

Burp request
Pop up

XSS Lab 2

We end up here

cookie lab

This time it is our Cookie header that is reflected back to us:

Burp cookie reflected

Let's try the same payload, <script>alert(1)</script>, in the Cookie header this time

Burp request

It works again

Burp
alert
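Both labs are the same bug in a different header: the server concatenates a request header into the HTML response without encoding it. The script below is an added example (not part of the lab or the original write-up) that turns the manual Burp check into a repeatable two-step probe: send a harmless canary first to confirm the header is reflected at all, then send the payload and classify whether it came back verbatim (injectable) or entity-encoded (safe for an HTML text context). The lab back-ends `lab1_unsafe`, `lab2_unsafe` and `lab1_fixed` are constructed stand-ins so the example runs offline; against a real target `send` would wrap an HTTP request.

```python
import html
import secrets
from typing import Callable, Dict

# The payload used against both labs.
PAYLOAD = '<script>alert(1)</script>'


# Constructed stand-ins for the lab back-ends (hypothetical, not the lab's code):
# each takes the request headers and returns the HTML body the server would send.
def lab1_unsafe(headers: Dict[str, str]) -> str:
    # Vulnerable: User-Agent is concatenated straight into the page (lab 1).
    ua = headers.get("User-Agent", "")
    return f"<html><body><p>Your browser: {ua}</p></body></html>"


def lab2_unsafe(headers: Dict[str, str]) -> str:
    # Vulnerable: the Cookie header is reflected the same way (lab 2).
    cookie = headers.get("Cookie", "")
    return f"<html><body><p>Your cookie: {cookie}</p></body></html>"


def lab1_fixed(headers: Dict[str, str]) -> str:
    # Hardened: HTML-encode the value before it lands in an HTML text context.
    ua = html.escape(headers.get("User-Agent", ""), quote=True)
    return f"<html><body><p>Your browser: {ua}</p></body></html>"


def classify_reflection(body: str, value: str) -> str:
    """'verbatim' (injectable), 'encoded' (neutralised), or 'absent'."""
    if value in body:
        return "verbatim"
    if html.escape(value, quote=True) in body:
        return "encoded"
    return "absent"


def probe_header(send: Callable[[Dict[str, str]], str],
                 header: str, payload: str = PAYLOAD) -> Dict[str, str]:
    """Two-step reflected-XSS check for one request header.

    Step 1: a random alphanumeric canary proves the header is reflected.
    Step 2: only if it is, the real payload is sent and classified.
    """
    canary = "xss" + secrets.token_hex(4)
    result = {"canary": classify_reflection(send({header: canary}), canary)}
    if result["canary"] == "absent":
        result["payload"] = "not-tested"
        return result
    result["payload"] = classify_reflection(send({header: payload}), payload)
    return result


if __name__ == "__main__":
    print("lab1 User-Agent:", probe_header(lab1_unsafe, "User-Agent"))
    print("lab2 Cookie:    ", probe_header(lab2_unsafe, "Cookie"))
    print("fixed lab1:     ", probe_header(lab1_fixed, "User-Agent"))
```

The canary step matters in practice: a header that is not reflected at all needs no payload, and a payload that comes back as `&lt;script&gt;` is not a finding in a text context, even though a naive substring search for `alert(1)` would still match it.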

XSS Lab 3

We land here

land page

Here is what it looks like in burp

Burp

These two JavaScript snippets are interesting:

[STRIPPED]
<script>
if (localStorage.getItem("alert-labs") === null) {
	 localStorage.setItem("alert-labs", "alert-labs");
}
</script>
[STRIPPED]
<script>
if (localStorage.getItem("alert-labs") !== null) {
		 document.getElementById("content").innerHTML = "<span style=\"font-size:0.4em;\"> LocalStorage will help You: </span><br>" + localStorage.getItem("alert-labs") + "";
}
</script>
[STRIPPED]

The first snippet sets the localStorage key alert-labs to the string "alert-labs" if it is not set yet. The second one reads that key back and writes it into the page through innerHTML, which parses the value as HTML markup rather than text. So whatever we manage to put in that key gets rendered as HTML. This time we need to modify the value in our browser: in Firefox, open the Storage tab of the developer tools, edit the alert-labs entry and enter <img src=1 onerror="javascript:alert(1)"></img> (the closing </img> tag is not needed, but it does not hurt). Just like this:

Firefox LocalStorage modification

This way if we refresh the page we get our alert:

LocalStorage pop up

Note that in a real context we cannot edit the victim's localStorage ourselves: an attacker would need another way to write into that key on the same origin, or to get the victim to do it, so on its own this is closer to a self-XSS. The underlying bug is still the innerHTML sink; writing the value with textContent instead would not execute the payload.

The following articles are really interesting to see how a vulnerability like this could be exploited in a real context:

IDOR

We land on this page, so let's create a PDF file. We get an id back; let's take it and paste it into the download request to retrieve the generated PDF.

PDF creation

Our request to get our pdf looks like this:

Request

Let's send this to Repeater and try other pdf_id values. Nothing ties the id to our session, so it seems we can enumerate any PDF on the platform.

PDF enum

Let's do this with the intruder to find the one with our flag

We put our var on the id like this

Variable

Here is how to set the payload

Payloads

We can launch the attack. The response length is the quickest way to spot the file we want: almost every PDF comes back with the same size, and one response is considerably different from the others.

Length

Let's try that id. If we render the response in the browser, we find the flag in the PDF!

Flag
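The Intruder step above is a length-based outlier search over sequential ids. The script below is an added example (not the lab's or the author's code) that does the same thing programmatically: sweep a range of ids with a `fetch` callable, record status and body length per id, and flag the 200 responses whose length is far from the median. `fake_fetch` and `_FAKE_PDFS` are constructed stand-ins for the lab server so the example runs offline; against the real target, `fetch` would issue the download request with our own session cookie, which is exactly what makes this an IDOR rather than a broken login.

```python
import statistics
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed stand-in for the PDF endpoint (hypothetical): pdf_id -> (status, body).
# Most ids return a same-sized boilerplate PDF, one returns a much larger one,
# and one id does not exist.
_FAKE_PDFS: Dict[int, Tuple[int, str]] = {
    i: (200, "%PDF-1.4 boilerplate report " + "x" * 200) for i in range(1, 21)
}
_FAKE_PDFS[13] = (200, "%PDF-1.4 report with extra content " + "y" * 900)
_FAKE_PDFS[7] = (404, "not found")


def fake_fetch(pdf_id: int) -> Tuple[int, str]:
    """Stand-in for GET /download?pdf_id=<id> sent with our own session."""
    return _FAKE_PDFS.get(pdf_id, (404, "not found"))


def enumerate_ids(fetch: Callable[[int], Tuple[int, str]],
                  ids: Iterable[int]) -> Dict[int, Tuple[int, int]]:
    """Intruder-style sweep: id -> (status code, response length)."""
    results = {}
    for pdf_id in ids:
        status, body = fetch(pdf_id)
        results[pdf_id] = (status, len(body))
    return results


def length_outliers(results: Dict[int, Tuple[int, int]],
                    threshold: float = 3.0) -> List[int]:
    """Ids of 200 responses whose length deviates from the crowd.

    Uses the median and the median absolute deviation (MAD) so a single
    huge file does not drag the baseline with it. When every other response
    has exactly the same length (MAD == 0), anything that differs at all is
    an outlier, which is the situation in the lab.
    """
    ok = {i: ln for i, (status, ln) in results.items() if status == 200}
    if len(ok) < 3:
        return sorted(ok)
    med = statistics.median(ok.values())
    mad = statistics.median(abs(ln - med) for ln in ok.values())
    if mad == 0:
        return sorted(i for i, ln in ok.items() if ln != med)
    return sorted(i for i, ln in ok.items() if abs(ln - med) / mad > threshold)


if __name__ == "__main__":
    sweep = enumerate_ids(fake_fetch, range(1, 21))
    for pdf_id, (status, length) in sweep.items():
        print(f"pdf_id={pdf_id:<3} status={status} length={length}")
    print("candidates:", length_outliers(sweep))
```

Two practical notes: responses of 404 or 403 are excluded before the statistics so an access-control error does not look like an interesting file, and on a real engagement the confirming step is to request an id that belongs to a second account you control, which proves the object belongs to someone else rather than just being a different size.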

Local File Inclusion

We end up here:

landing

Let's try to click on search

Search

Here is what we see on burp

Request

Let's send this to Repeater and try to read a file from the server through the search parameter. It works: we can read /etc/passwd.

LFI

Apparently we do not even need to traverse directories with ../ sequences: a request with just the absolute path /etc/passwd works as well, which means the parameter is handed to the file-open call with no base directory enforced at all.
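The absolute-path behaviour seen here is a common root cause, so the snippet below is an added example (not the lab's or the author's code) showing the vulnerable read beside a hardened one. `os.path.join(base, "/etc/passwd")` silently discards the base directory, which is why no traversal was needed; the fix resolves the final path with realpath and refuses anything that does not stay under the base. Instead of /etc/passwd the demo builds its own temporary directory tree with a constructed secret file outside the document root, so it runs anywhere; the file names and `build_sandbox` helper are assumptions for the example.

```python
import os
import tempfile
from typing import Dict, Tuple


def read_unsafe(base_dir: str, name: str) -> str:
    """Vulnerable: the user-controlled name is joined and opened as-is.

    os.path.join returns name unchanged when it is absolute, and "../"
    walks out of base_dir, so both the traversal and the absolute-path
    request from the lab succeed here.
    """
    with open(os.path.join(base_dir, name)) as fh:
        return fh.read()


def read_safe(base_dir: str, name: str) -> str:
    """Hardened: resolve the final path and require it to stay under base."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath on the resolved paths defeats "../", absolute paths and symlinks.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to read outside {base}: {name!r}")
    with open(target) as fh:
        return fh.read()


def build_sandbox() -> Tuple[str, str]:
    """Constructed layout: <tmp>/docs/hello.txt (allowed), <tmp>/secret.txt (not)."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "docs")
    os.mkdir(base)
    with open(os.path.join(base, "hello.txt"), "w") as fh:
        fh.write("hello")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("SECRET")
    return base, secret


def demo() -> Dict[str, str]:
    """Run both readers against a legitimate name, a traversal and an absolute path."""
    base, secret = build_sandbox()
    out = {
        "safe_ok": read_safe(base, "hello.txt"),
        "unsafe_traversal": read_unsafe(base, "../secret.txt"),
        "unsafe_absolute": read_unsafe(base, secret),
    }
    for label, name in (("safe_traversal", "../secret.txt"), ("safe_absolute", secret)):
        try:
            read_safe(base, name)
            out[label] = "allowed"
        except PermissionError:
            out[label] = "blocked"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<18} {value}")
```

Checking the resolved path rather than filtering "../" substrings is the point: a deny-list misses absolute paths (as the lab shows), encoded dots and symlinks, whereas a realpath-plus-commonpath check covers all of them with one rule.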
