The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity. CVSS is not a measure of risk. CVSS consists of three metric groups: Base, Temporal, and Environmental.
Source: nvd.nist.gov
Vector String
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Web application only! Would be different for a static website!
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
https://www.first.org/cvss/specification-document#2-1-2-Attack-Complexity-AC
Default: Low (L)
https://www.first.org/cvss/specification-document#2-1-4-User-Interaction-UI
Victim need at least to click on a link :(
Default: Required (R)
https://www.first.org/cvss/specification-document#2-2-Scope-S
Default: Change (C)
XSS → vulnerability on the website, but execution in the browser
= scope change :)
Value | Conditions |
---|---|
None (N) | :( |
Low (L) | Victim user need to be authenticated as a normal user |
High (H) | Victim user need to have admin privileges |
If it impact normal and admin users → Low
Web application only! Would be different for a static website!
Cookie Bomb → Low (L)
const value = "a".repeat(4080);
document.cookie = "";
for (let i = 0; i < 100; i++) {
let name = "a" + i;
document.cookie = `${name}=${value}; path=/; domain=.example.com`;
}
scope → mizu.re
https://mizu.re
https://sub.mizu.re
https://sub.mizu.fr
https://sub.sub.mizu.re
Flag | Value |
---|---|
HttpOnly | False |
Secure | False |
SameSite | None → 2 minutes Lax * |
* Firefox → None, but will change soon!
Origin A | Origin B | SameSite? |
---|---|---|
https://mizu.re | http://mizu.re | Noo, scheme matter |
https://sub1.mizu.re | https://sub2.mizu.re | Yes, subdomains don't matter |
https://mizu.re | https://rhackgondins.com | Noo, different eTLD+1 |
Determining if an URL is considered as SameSite (OWASP)
Value | Description |
---|---|
None | Always send the cookie |
Lax | GET requests |
Strict | Never |
HttpOnly
SameSite
Contexte
Attacker's website
Can also be done using a POST form.
Victim's website
Not Auth
➀ Iframe
Attacker's website
Can also be done using a POST form.
Victim's website
Victim's website
Not Auth
Auth
➀ Iframe
② Open
Attacker's website
Can also be done using a POST form.
Victim's website
Victim's website
Not Auth
Auth
➀ Iframe
③ Exploit
② Open
Authority Server
➀ Ask for bob data token
This is a simplified version of the OAuth implicit flow, check spec for details explanation.
Victim's Server
Authority Server
➀ Ask for bob data token
This is a simplified version of the OAuth implicit flow, check spec for details explanation.
② Ask bob's creds
Bob
Victim's Server
Authority Server
➀ Ask for bob data token
This is a simplified version of the OAuth implicit flow, check spec for details explanation.
② Ask bob's creds
③ Send them back
Bob
Victim's Server
Authority Server
Victim's Server
➀ Ask for bob data token
This is a simplified version of the OAuth implicit flow, check spec for details explanation.
② Ask bob's creds
③ Send them back
④ Data access token
Bob
Authority Server
➀ Ask for bob data token
This is a simplified version of the OAuth implicit flow, check spec for details explanation.
② Ask bob's creds
③ Send them back
④ Data access token
⑤ Read bob's data
Bob
Victim's Server
Authority Server
➀ Ask for bob data token
This is a simplified version of the OAuth implicit flow, check spec for details explanation.
② Ask bob's creds
③ Send them back
④ Data access token
⑤ Read bob's data
⑥ "
Bob
Victim's Server
Authority Server
➀ Ask for bob data token
This is a simplified version of the OAuth implicit flow, check spec for details explanation.
② Ask bob's creds
③ Send them back
④ Data access token
Steal it here!
⑤ Read bob's data
⑥ "
Bob
Victim's Server
.
Victim's subdomain
Victim's main application
➀ Set cookie for self XSS page
.
Victim's subdomain
➀ Set cookie for self XSS page
② Trigger self XSS
Victim's main application
.
Victim's subdomain
Victim's main application
➀ Set cookie for self XSS page
② Trigger self XSS
③ Connected as user on other path
Bob 1
Hacker
Poison
Data :p
Data :p
Admin user
Victim's website
➀ Upload plugin
Admin user
Victim's website
➀ Upload plugin
Hacker
② Access plugin
Admin user
Victim's website
➀ Upload plugin
Hacker
② Access plugin
③ RCE
Rhackgondins team ❤