
Session Hijacking - Stored XSS

Author: Mario Ritter

What is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) is a web application vulnerability that allows attackers to inject malicious code, usually in the form of JavaScript, into a webpage. This code is then executed in the victim's browser, leading to the theft of sensitive information such as session cookies, user data, or authentication tokens.

Difference between Reflected and Stored XSS

Reflected XSS occurs when the malicious code is injected via a URL parameter and immediately reflected back by the server in the HTTP response. The attacker sends the victim a crafted link, and if the victim clicks on it, the dangerous script gets executed in their browser.

Stored XSS is more dangerous because the malicious code is permanently stored on the server, such as in forum posts, comments, or user profiles. The script is executed every time someone visits the page with the injected content, without the victim needing to click on a special link.

What is a Session Cookie?

A session cookie is a small piece of data that the server sends to the user's browser when they log in. It allows the server to keep track of the user's session, such as login status, without requiring the user to re-authenticate on each request. If an attacker can steal this cookie, they can use it to hijack the user's session (session hijacking) and impersonate that user, for example an administrator.

The Attack

In a stored XSS attack, an attacker can inject malicious JavaScript directly into a vulnerable part of a web application (e.g., a comment section or forum). This script can be designed to steal session cookies from any user who visits the page.

When an administrator visits the page containing the malicious JavaScript, the script runs in their browser and sends their session cookie to the attacker's server. The attacker can then use this session cookie in their own browser, gaining administrative access to the web application.

Video Description

In this video, I demonstrate an attack using stored XSS to steal an admin's session cookie. The attacker (a regular user) logs into a vulnerable web application and posts a comment containing malicious JavaScript. Simultaneously, they set up a listener on their server to capture the sent cookies.

When the administrator visits the page with the malicious comment, their session cookie is automatically sent to the attacker's server. The attacker then copies this cookie and injects it into their browser, effectively gaining administrator access to the application.

Mitigation

There are several ways to defend against XSS attacks:

  1. Security Headers: Use headers like Content Security Policy (CSP) to restrict which scripts the browser is allowed to execute on the page.

  2. Input Sanitization: Always carefully validate and sanitize user input to ensure it does not contain dangerous code.

  3. Updating Libraries and Patching: Regularly update your web applications and libraries to eliminate known vulnerabilities.

  4. Secure Cookies: Set the HttpOnly and Secure attributes for session cookies, ensuring they are not accessible via JavaScript and are transmitted over a secure channel (HTTPS).
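Putting points 2 and 4 of the list into code, as an added example that is not from the post: the server-side pieces in Python's standard library (contextual output encoding of a stored comment and a hardened session cookie), plus a small audit function a defender can run over an application's existing Set-Cookie headers. The function names, the sample comment text and the session id are constructed for this example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample of a stored comment containing script markup (illustrative only).
UNTRUSTED_COMMENT = '<script>alert(document.cookie)</script> nice post'


def render_comment(text: str) -> str:
    """Encode a stored comment for insertion into an HTML body.

    Escaping on output turns '<', '>', '&' and quotes into entities, so the
    browser shows the text instead of executing it (mitigation 2).
    """
    return html.escape(text, quote=True)


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie value with the attributes from mitigation 4.

    HttpOnly keeps document.cookie from exposing the value to page scripts,
    Secure restricts it to HTTPS, and SameSite=Lax limits cross-site sending.
    """
    jar = SimpleCookie()
    jar["sessionid"] = session_id
    morsel = jar["sessionid"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return morsel.OutputString()


def content_security_policy() -> str:
    """A CSP that only allows scripts served from the site's own origin (mitigation 1).

    No 'unsafe-inline', so an injected inline <script> is refused by the browser.
    """
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def audit_set_cookie(header_value: str) -> list[str]:
    """Return the hardening attributes that are missing from a Set-Cookie value.

    Useful for checking an application's real responses: an empty list means
    Secure, HttpOnly and SameSite are all present.
    """
    parts = header_value.split(";")[1:]  # skip the name=value pair itself
    present = {p.strip().split("=", 1)[0].lower() for p in parts if p.strip()}
    required = ["Secure", "HttpOnly", "SameSite"]
    return [name for name in required if name.lower() not in present]
```

Run `audit_set_cookie` against the Set-Cookie headers your own application emits; the stored comment from the video would still be executed in any response whose cookie lacks HttpOnly, so the audit and the output encoding belong together.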

kawaii
       /\_/\
      ( o.o )
       > ^ <

Due to lack of time, translated via DeepL AI. Sooooory :((