You found an XSS? Alright! But, what's next?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10618134/pasted-from-clipboard.png)
Kévin (Mizu)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/9939844/Mizu.jpg)
CVSS
The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity. CVSS is not a measure of risk. CVSS consists of three metric groups: Base, Temporal, and Environmental.
Source: nvd.nist.gov
Vector String
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10618263/pasted-from-clipboard.png)
How to score an XSS?
Average score
Web application only! Would be different for a static website!
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10647647/pasted-from-clipboard.png)
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
Attack Complexity (AC)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10643512/AC.png)
https://www.first.org/cvss/specification-document#2-1-2-Attack-Complexity-AC
Default: Low (L)
User Interaction (UI)
https://www.first.org/cvss/specification-document#2-1-4-User-Interaction-UI
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10643546/pasted-from-clipboard.png)
The victim needs to at least click on a link :(
Default: Required (R)
Scope (S)
https://www.first.org/cvss/specification-document#2-2-Scope-S
Default: Changed (C)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10643564/pasted-from-clipboard.png)
XSS → vulnerability on the website, but execution in the browser
= scope change :)
Privilege Required (PR)
| Value | Conditions |
|---|---|
| None (N) | :( |
| Low (L) | Victim user needs to be authenticated as a normal user |
| High (H) | Victim user needs to have admin privileges |
If it impacts both normal and admin users → Low
Web application only! Would be different for a static website!
Availability
Cookie Bomb → Low (L)
```javascript
// Fill the victim's cookie jar for the whole domain: 100 cookies of ~4 KB each.
// Every later request to *.example.com then carries an oversized Cookie header,
// which the server typically rejects (4xx), locking the user out → Availability: Low.
const value = "a".repeat(4080);
document.cookie = "";
for (let i = 0; i < 100; i++) {
  const name = "a" + i;
  document.cookie = `${name}=${value}; path=/; domain=.example.com`;
}
```
Cookies!!!!
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10643982/pasted-from-clipboard.png)
Cookie scope
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10643982/pasted-from-clipboard.png)
scope → mizu.re
https://mizu.re
https://sub.mizu.re
https://sub.mizu.fr
https://sub.sub.mizu.re
Default Cookie flags
| Flag | Value |
|---|---|
| HttpOnly | False |
| Secure | False |
| SameSite | None → 2 minutes Lax * |
* Firefox → None, but will change soon!
Cookie flags | SameSite
| Origin A | Origin B | SameSite? |
|---|---|---|
| https://mizu.re | http://mizu.re | No, the scheme matters |
| https://sub1.mizu.re | https://sub2.mizu.re | Yes, subdomains don't matter |
| https://mizu.re | https://rhackgondins.com | No, different eTLD+1 |
Determining if a URL is considered SameSite (OWASP)
Cookie flags | SameSite
| Value | Description |
|---|---|
| None | Always send the cookie |
| Lax | Sent cross-site only on GET navigations |
| Strict | Never sent cross-site |
Exploit time!
HO=?; SS=? | ?
Legend: HO = HttpOnly, SS = SameSite, right-hand side = Context
HO=F; SS=* | *
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10643650/pasted-from-clipboard.png)
HO=T; SS=* | Basic Gadgets
- Password update
- Mail update → forgot password
- Phone update
- Increase user's privilege
- API Tokens
- Credentials auto-fill abuse
- Log page → PHP info, TRACE...
- ...
HO=*; SS=Lax | PreAuth XSS
Attacker's website
Can also be done using a POST form.
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10618349/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10643755/pasted-from-clipboard.png)
➀ Iframe → Victim's website (Not Auth)
② Open → Victim's website (Auth)
③ Exploit
HO=T; SS=* | OAuth Gadgets
- Frans Rosén : https://labs.detectify.com/2022/07/06/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/#gadget-2-xss-on-sandbox-third-party-domain-that-gets-the-url
- @_lauritz_ : https://security.lauritz-holtmann.de/post/xss-ato-gadgets/
HO=T; SS=* | OAuth Gadgets
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10643671/Bob-PNG-File.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10643679/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10618349/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10643723/pasted-from-clipboard.png)
Actors: Bob, Victim's Server, Authority Server
This is a simplified version of the OAuth implicit flow, check the spec for a detailed explanation.
➀ Ask for bob data token
② Ask bob's creds
③ Send them back
④ Data access token
Steal it here!
⑤ Read bob's data
⑥ "
HO=*; SS=* | Self XSS + Subdomain XSS
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10618349/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10643755/pasted-from-clipboard.png)
Victim's subdomain
Victim's main application
➀ Set cookie for self XSS page
② Trigger self XSS
③ Connected as user on other path
HO=*; SS=Lax | XSS Worm
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10643755/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10643671/Bob-PNG-File.png)
Hacker
Bob 1
Poison
Data :p
HO=*; SS=* | XSS to RCE
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10643755/pasted-from-clipboard.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10643671/Bob-PNG-File.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10618349/pasted-from-clipboard.png)
Hacker
Admin user
Victim's website
➀ Upload plugin
② Access plugin
③ RCE
More techniques?
- Relative Path Overwrite (50 pts)
- Self XSS - DOM Secrets (55 pts)
- Self XSS - Race Condition (60 pts)
- Browser - bfcache / disk cache (65 pts)
- Same Origin Method Execution (90 pts)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1918211/images/10618349/pasted-from-clipboard.png)
The end
![](https://s3.amazonaws.com/media-p.slid.es/uploads/1917718/images/8738400/Plan_de_travail_1.png)
Rhackgondins team ❤
![](https://media4.giphy.com/media/l0HlT86IOp6nE9he0/giphy.gif)
Leverage XSS criticity - RootMe 2023
By Kévin (Mizu)