Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
236
While there are multiple types of encoding, the most common we'll encounter in web applications are HTML encoding and URL encoding.
URL encoding, sometimes referred to as percent encoding, is used to convert non-ASCII and reserved characters in URLs, such as converting a space to "%20". The web server or framework decodes it before the value reaches the application, so URL encoding on its own neither adds nor removes characters from the payload the application finally sees.
HTML encoding (or character references) can be used to display characters that normally have special meanings, like tag elements. For example, "&lt;" is the character reference for "<". When encountering this type of encoding, the browser will not interpret the character as the start of an element, but will display the actual character as-is.
If we can inject these special characters into the page unencoded, the browser will treat them as code elements. We can then begin to build code that will be executed in the victim's browser once it loads the maliciously-injected JavaScript code.
We may need to use different sets of characters, depending on where our input is being included. For example, if our input is being added between div tags, we'll need to include our own script tags and need to be able to inject "<" and ">" as part of the payload. If our input is being added within an existing script tag, we might only need quotes and semicolons to add our own code.
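The contrast described above, as an added example that is not part of the PWK text: the same XSS payload is run through URL encoding, full HTML encoding and a weaker "angle brackets only" filter, and then placed into two injection contexts, an HTML body between div tags and a string literal inside an existing script block. The page models, the filter names and all inputs are constructed for this example.

```javascript
// Added example (not from the PWK text). Shows how URL encoding and HTML
// character references treat one XSS payload, and why the characters an
// attacker needs depend on where the input lands. All inputs are constructed.

// HTML encoding: replace the characters that carry meaning in markup with
// character references, so the browser displays them instead of parsing them.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// A weaker (hypothetical) filter that only encodes tag delimiters. It stops
// injection into an HTML body but does nothing for input that lands inside a
// JavaScript string literal.
function encodeAngleBracketsOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// URL (percent) encoding is a transport encoding: the server decodes it before
// the value is used, so a round trip gives the original payload back.
function urlEncode(s) {
  return encodeURIComponent(s);
}
function urlDecode(s) {
  return decodeURIComponent(s);
}

// Context 1: input reflected between <div> tags. The attacker needs "<" and
// ">" to open their own <script> element.
function renderInDiv(input) {
  return "<div>" + input + "</div>";
}
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Context 2: input placed inside a string literal in an existing script
// block, i.e.  var name = '<input>';  A quote and a semicolon are enough.
// The hypothetical inline script is compiled with new Function(); marker.hit
// becomes true only if the payload escapes the literal and its code runs.
function injectedCodeRuns(input) {
  const inlineScript = "var name = '" + input + "'; return name;";
  const marker = { hit: false };
  let fn;
  try {
    fn = new Function("marker", inlineScript);
  } catch (e) {
    return false; // payload broke the syntax instead of executing
  }
  fn(marker);
  return marker.hit;
}

// Constructed payloads for the two contexts.
const divPayload = "<script>alert(1)</script>";
const jsPayload = "'; marker.hit = true; //";

// Collects every result so the behaviour can be inspected in one place.
function summary() {
  return {
    htmlEncoded: htmlEncode(divPayload),
    urlEncoded: urlEncode(divPayload),
    divRaw: containsScriptTag(renderInDiv(divPayload)),
    divHtmlEncoded: containsScriptTag(renderInDiv(htmlEncode(divPayload))),
    jsRaw: injectedCodeRuns(jsPayload),
    jsAngleOnly: injectedCodeRuns(encodeAngleBracketsOnly(jsPayload)),
    jsHtmlEncoded: injectedCodeRuns(htmlEncode(jsPayload)),
  };
}

console.log(JSON.stringify(summary(), null, 2));
```

The div-context payload is defeated by HTML encoding but untouched by URL encoding once the server decodes it; the script-context payload contains no angle brackets at all, so a filter that only looks for tags lets it straight through, while encoding the quote keeps it inside the string literal.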
8.4.4 Basic XSS
Let's demonstrate basic XSS with a simple attack against the OffSec WordPress instance. The WordPress installation is running a plugin named Visitors that is vulnerable to stored XSS. The plugin's main feature is to log the website's visitor data, including the IP, source, and User-Agent fields.

The source code for the plugin can be downloaded from its website. If we inspect the database.php file, we can verify how the data is stored inside the WordPress database:
    function VST_save_record() {
        global $wpdb;
        $table_name = $wpdb->prefix . 'VST_registros';
        VST_create_table_records();
        return $wpdb->insert(
            $table_name,
            array(
                // request URI stored as received, with no validation or encoding
                'patch' => $_SERVER["REQUEST_URI"],
                'datetime' => current_time( 'mysql' ),
                // remaining columns of the insert are not shown in this excerpt
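A model of the stored-XSS path the excerpt above illustrates, added here as an example and not the Visitors plugin's own code: request fields are written to a log exactly as received, the way VST_save_record() stores $_SERVER["REQUEST_URI"], and rendered later in an administrator's view. The column names beyond patch and datetime, the mapping of "source" to the Referer header, the admin page layout and the requests themselves are assumptions constructed for this example.

```javascript
// Added example (not the Visitors plugin's code): a minimal model of
// store-then-render. The "log" stands in for the VST_registros table; the
// column names other than patch/datetime, and the admin view, are assumed.

const visitorLog = [];

// Store the request as received: request URI ("patch"), client IP, Referer
// (assumed to be the plugin's "source") and User-Agent. Nothing is validated
// or encoded on the way in, mirroring the $wpdb->insert() shown above.
function saveRecord(req) {
  const row = {
    patch: req.requestUri,
    ip: req.remoteAddr,
    source: req.headers["referer"] || "",
    useragent: req.headers["user-agent"] || "",
    datetime: req.time,
  };
  visitorLog.push(row);
  return row;
}

// Vulnerable admin view: stored values are concatenated straight into HTML,
// so anything that survived storage is parsed by the administrator's browser.
function renderVisitorsPage(rows) {
  return rows
    .map(
      (r) =>
        "<tr><td>" + r.patch + "</td><td>" + r.ip + "</td><td>" +
        r.source + "</td><td>" + r.useragent + "</td></tr>"
    )
    .join("\n");
}

// HTML-encode the characters that carry meaning in markup.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened view: same layout, but every stored value is encoded at the point
// it enters the page (output encoding, not input filtering).
function renderVisitorsPageSafe(rows) {
  return rows
    .map(
      (r) =>
        "<tr>" +
        [r.patch, r.ip, r.source, r.useragent]
          .map((v) => "<td>" + htmlEncode(v) + "</td>")
          .join("") +
        "</tr>"
    )
    .join("\n");
}

// Counts opening <script> tags in rendered HTML (closing tags start "</").
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed requests: one ordinary visitor, then an attacker who places
// a payload in the User-Agent header and another in the request URI.
const requests = [
  {
    requestUri: "/",
    remoteAddr: "192.0.2.10",
    headers: { "user-agent": "Mozilla/5.0", referer: "https://example.com/" },
    time: "2023-01-01 10:00:00",
  },
  {
    requestUri: "/?q=<script>alert(2)</script>",
    remoteAddr: "192.0.2.66",
    headers: { "user-agent": "<script>alert(1)</script>" },
    time: "2023-01-01 10:05:00",
  },
];

// Replays the constructed requests through the log and both renderers.
function runDemo() {
  visitorLog.length = 0;
  requests.forEach(saveRecord);
  return {
    stored: visitorLog.length,
    vulnerableScriptTags: countScriptTags(renderVisitorsPage(visitorLog)),
    safeScriptTags: countScriptTags(renderVisitorsPageSafe(visitorLog)),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Both attacker-controlled fields reach the database unchanged; the payload only becomes XSS when the vulnerable view later writes them into the admin page, which is why the fix belongs at the output, not at the insert.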