XSS in CMS / Blog sites bypassing HTML encoding and escaping.
During one of the pentests in the past, I have come across this CMS website built on Drupal. It came with the feature of embedding hyperlinks and text.
I have tried few generic XSS payloads, followed by some of the payloads that are encoded, so that it may bypass the filters. Unluckily HTML characters in those payloads are escaped / encoded.
Since the website had a feature to add hyperlink, I had a thought, why shouldn’t I add a hyperlink that is hosted from my own webserver?
I wanted to host a HTML file that can probably steal information from the browser.
Set up an XAMPP server and run it on localhost
Create a HTML file, that has a payload <script>alert(document.cookie)</script>
This file needs to be created in the root folder of XAMPP server where all your website content should be found.
“/Applications/XAMPP/xamppfiles/htdocs”
Embed the hyperlink hosted from your webserver in the CMS application.
Example: http://localhost:8000/testfiles/xss_payload.html
If any user clicks the website, you can possibly see the XSS getting executed that can steal the cookies.
There are few things to be observed while performing this attack.
- The embedded hyperlink opens in a new tab but not in the same browser tab (this may not be necessarily a bypass)
- Cookies are not set with HTTPOnly flag which cause external JS to access the cookies.
- Even though the hyperlink opened in the new tab, but still XSS script can fetch the cookie that belongs to original Drupal website.
- Hosting malicious HTML file through a webserver seems to be successful than simply using the XSS payload !!
What might have caused this attack to be successful even though the HTML escaping is implemented? why the previous XSS attempts got failed (payloads not hosted from a sever)?
comment your thoughts!
