In prior blog posts I’ve shown the types of weaponized XSS attacks one can perform against authenticated users, using their session to access and exfiltrate data, or perform actions in the application as that user. But what if you only have unauthenticated XSS? Perhaps your client hasn’t provided you with credentials to the application and you’re looking to demonstrate XSS impact, or you’re on a Red Team engagement.
In this blog post, I’ll expand upon my previous blog post covering IFrame Traps. We’ll use a reflected XSS vulnerability to frame the application login page in the IFrame trap, scrape the credentials from the login form as the victim types their credentials, and then exfiltrate those credentials to a third-party server.
Once again, I’ll be beating up on my favorite target, InfoSec Fashionistas.
First we’ll need an XSS vulnerability to test against. Here is a simple PHP page with a reflected XSS vulnerability:
For demonstration, we’ll start our IFrame trap in debug mode, with the IFrame not drawn at full window size. This lets us see the actual page the user is on, the one with the XSS vulnerability. We’ll give this page a pink background to make it easier to pick out in the screenshots.
The IFrame trap update code retrieves the current URL of the page inside the IFrame that the user is interacting with and copies that path into the browser’s URL bar, making the ruse more compelling.
Now we’ll configure our IFrame to take the full window and hide the actual XSS page that the user is really on.
Now we can see the result of our scraping code. As we begin to enter our username and password, we see the values we’re typing received on our server as image names.
If you have issues or ideas how this can be improved, my DMs are always open @hoodoer.
This example relies on two weaknesses: a reflected XSS vulnerability and the ability to frame the site (no anti-framing controls on the login page). To prevent such vulnerabilities, see the OWASP links in the references.
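To make the two weaknesses concrete for the PHP page referenced at the top of the post and the mitigations pointed to just above, here is an added example (not the author’s POC from the gist, and not InfoSec Fashionistas code) of the reflected-output pattern that makes a page exploitable, followed by a hardened login page that applies output encoding, anti-framing headers, and a nonce-based CSP. The `name` query parameter, the `/login` form action, and the form layout are all assumptions constructed for illustration.

```php
<?php
// Added example for this post; assumptions: a "name" query parameter and a
// login form posting to /login. Not the author's POC code.
//
// The exploitable pattern (do not ship): untrusted input reflected straight
// into the HTML, so a crafted "name" value is parsed as markup and runs as
// script in the victim's browser:
//
//   echo "<h1>Welcome, " . $_GET['name'] . "</h1>";
//
// The page below fixes that and also refuses to be framed.

// 1. Anti-framing. X-Frame-Options covers older browsers; the CSP
//    frame-ancestors directive is what modern browsers enforce. Use 'none'
//    rather than 'self' here: in the IFrame-trap scenario the framing page is
//    on the SAME origin (it is the XSS'd page), so 'self' would still allow it.
header('X-Frame-Options: DENY');

// 2. Nonce-based CSP. Only <script> tags carrying this per-response nonce
//    execute, so a reflected payload that somehow reaches the HTML is inert.
//    form-action limits where the login form may be submitted.
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: default-src 'self'; "
     . "script-src 'nonce-$nonce'; "
     . "frame-ancestors 'none'; "
     . "form-action 'self'; "
     . "base-uri 'none'");
header('Content-Type: text/html; charset=UTF-8');

// 3. Encode every untrusted value for the HTML context it lands in.
//    ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids
//    returning an empty string on malformed UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$name = $_GET['name'] ?? 'guest';
?>
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Login</title>
</head>
<body>
  <h1>Welcome, <?= h($name) ?></h1>
  <form method="post" action="/login" autocomplete="off">
    <label>Username <input name="username" required></label>
    <label>Password <input type="password" name="password" required></label>
    <button type="submit">Sign in</button>
  </form>
  <script nonce="<?= h($nonce) ?>">
    // Defense in depth for browsers that ignore both headers: if this
    // document is not the top-level window, do not render the form at all.
    if (window.top !== window.self) {
      document.documentElement.style.display = 'none';
    }
  </script>
</body>
</html>
```

Two points matter for the scenario in this post. First, the reflected payload lives on a page of the same site as the login form, so `frame-ancestors 'self'` would not stop the trap; login and other sensitive pages should use `'none'` (and `X-Frame-Options: DENY`) unless framing is a deliberate feature. Second, the CSP only helps if it is sent on the page with the injection point as well, not just on the login page, so apply it site-wide and check it with the browser devtools console or a CSP evaluator before relying on it.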
- https://gist.github.com/hoodoer/f58ac94755ba2faf5d971d4350a580ed (POC Source Code)
- https://www.trustedsec.com/blog/persisting-xss-with-iframe-traps (IFrame Trap Blog)
- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html (XSS Prevention Cheat Sheet)
- https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html (Clickjacking Prevention Cheat Sheet)