Wednesday, October 17, 2018

JSON Reflected XSS Attack


I'm currently on a mission to solve every challenge on every level of the Mutillidae vulnerable web application. This post is about JSON XSS attacks, but before we jump into the attack, a quick background on JSON. JSON (JavaScript Object Notation) is a lightweight data interchange format; many developers have replaced XML with JSON because of that lightweight nature. What matters for XSS is that a JSON response is text that the browser later either parses as data or, in a badly written page, evaluates as JavaScript, and reflected input lands inside a string value in that text. OK, we've got the intro out of the way, let's get into some JSON.


1. Fire up the Mutillidae II application. I currently have the LAB26 VM running, which includes some awesome vulnerable web applications that you can play around with to learn some good web app fu :) You can download Lab26 from the following URL: https://www.vulnhub.com/entry/lab26-11,190/

We are going to attack the Pen Test Tool Application.




2. Make sure Burp Suite is up and running with Intercept turned on, then select a Pen Test Tool from the drop-down menu (in our case the Show All option), so that Burp intercepts the request.




3. As you can see, this is a POST request. Within the POST body you can see the ToolID parameter, which carries the value we supplied when the Show All option was selected.



4. So I've changed the ToolID value from the ID number to bsdbandit as my input to the pen test tool lookup application, then sent the request on its way.





5. As we can see, my bsdbandit input has landed inside a string value in the JSON of the application response. This is where understanding how JSON works pays off: you need to know which characters break out of the JSON syntax so you can inject your own JavaScript. Remember, when dealing with XSS it's all about where your input lands, which characters are available, and whether or not they are encoded. In this case, since I'm working with JSON, I'm going to need the following characters in order to break out:  "}();  The double quote ends the string value, the braces close the objects that enclose it, and the parenthesis and semicolon terminate the expression the client-side script evaluates the response in, so that a new statement can follow. Note that this only turns into execution because the page evaluates the response as JavaScript; a strict JSON parser would reject the broken syntax rather than run it.






  6. I have replaced my bsdbandit input with the following payload:
      "}});alert(7);//
and sent the POST request over to the pen test tool application. The trailing // comments out the remainder of the original JSON so the leftover syntax does not throw an error before our statement runs.




7. It looks like the web app has run our payload. As you can see, the application does no input validation and no output encoding on the ToolID value before reflecting it into the JSON response.





8. And tada, our alert pops up :)
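The mechanics behind the steps above, as an added example that is not part of the original post and not Mutillidae's own code: a hypothetical Node.js script that builds the JSON response the same unsafe way (string concatenation) and consumes it the same unsafe way (evaluating the body wrapped in parentheses), beside the corrected versions of both halves. The response shape, the TOOLS record and every function name are assumptions; the post's payload is used exactly as written. alert() is stood in for by a recorder so the script runs outside a browser.

```javascript
// Added example, not code from Mutillidae or from the original post. It models
// both halves of the bug walked through above: a server that pastes ToolID into
// a JSON body by string concatenation, and a client that evaluates that body as
// JavaScript instead of parsing it. All names here (TOOLS, buildResponseUnsafe,
// etc.) are hypothetical; the record data is constructed sample input.

// Constructed sample data: one record the lookup would normally return.
const TOOLS = [{ id: 1, name: 'Burp Suite', category: 'Proxy' }];

// Vulnerable server side (hypothetical): the untrusted ToolID goes straight into
// the JSON text, so a double quote in it ends the string value early.
function buildResponseUnsafe(toolID) {
  return '{"query": {"toolIDRequested": "' + toolID + '"}, ' +
         '"penTestTools": ' + JSON.stringify(TOOLS) + '}';
}

// Fixed server side: the serializer escapes quotes, and braces or parentheses
// inside a properly quoted string are just characters.
function buildResponseSafe(toolID) {
  return JSON.stringify({ query: { toolIDRequested: toolID }, penTestTools: TOOLS });
}

// Vulnerable client side: the classic eval('(' + body + ')') pattern, rebuilt
// with the Function constructor so it runs under Node. alert() is replaced by a
// recorder so we can observe whether injected script executed.
function evalResponseUnsafe(body) {
  const alerts = [];
  const fn = new Function('alert', 'var result = (' + body + ');\nreturn result;');
  const data = fn((v) => alerts.push(v));
  return { data, alerts };
}

// Fixed client side: JSON.parse never executes anything. A broken-out payload is
// simply a parse error, which the caller should treat as a bad response.
function parseResponseSafe(body) {
  try {
    return { data: JSON.parse(body), error: null };
  } catch (e) {
    return { data: null, error: e.name };
  }
}

// Run one ToolID value through all four server/client combinations.
function demo(toolID) {
  const unsafeBody = buildResponseUnsafe(toolID);
  const safeBody = buildResponseSafe(toolID);
  let unsafeEvalAlerts;
  try {
    unsafeEvalAlerts = evalResponseUnsafe(unsafeBody).alerts;
  } catch (e) {
    unsafeEvalAlerts = e.name; // the payload broke the syntax without running
  }
  return {
    // concatenated JSON + eval: the situation in the post, alert fires
    unsafeBuildUnsafeEval: unsafeEvalAlerts,
    // concatenated JSON + JSON.parse: no execution, but the response is corrupt
    unsafeBuildSafeParse: parseResponseSafe(unsafeBody).error,
    // escaped JSON + eval: escaping alone keeps the payload inside the string
    safeBuildUnsafeEval: evalResponseUnsafe(safeBody).alerts,
    // escaped JSON + JSON.parse: the payload comes back as plain data
    safeBuildSafeParse: parseResponseSafe(safeBody).data.query.toolIDRequested,
  };
}

console.log(demo('bsdbandit'));
console.log(demo('"}});alert(7);//'));
```

Run it with node: the first object (input bsdbandit) records no alerts anywhere, the second (the post's payload) records [7] only for the concatenated-JSON-plus-eval combination, and JSON.parse of the concatenated body fails with a SyntaxError. The two fixes are independent: escaping on the server keeps the quote inside the string even if the client still evals, and JSON.parse on the client refuses the broken response even if the server still concatenates, so doing both, and serving the response with a Content-Type of application/json, is the sensible default.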









