TLDR
(with thanks to CapnWarhol for the summary)
- If you can execute XSS code on a site, you can set cookies
- If you can set cookies, there may be one which outputs in-page on every request
- If you save script in that cookie, you can send <script>window.location.href="http://my-website.com/"</script> with every infected request, and functionally "take over" the domain.
Who doesn’t love XSS? Simple to find, simple to execute, and sometimes simple to bypass XSS auditors.
For bypassing the Chrome auditor: if the XSS is printed directly inside a <script> tag, it gets past the auditor. Example: index.php?value=123
Prints into the HTML as: <script>var value='123';</script> - so if we request index.php?value=k'-alert(0)-'k, the single quote closes the string literal and our XSS executes, bypassing all auditors.
Firefox is simple: it has no XSS protection at all. Safari (for mobile users) typically behaves like Chrome and blocks most payloads, and IE? Well, who uses IE.
C'mon, show me the XSS domain takeover
Ok so onward to how XSS can take over domains! First, we must find a vulnerable cookie that is printed into the DOM of the HTML, and for this example we're going to use InstaShag.com. In the screenshot below, we can see that if the cookie "site" is set to an XSS payload, it is printed into the DOM of the HTML. This is our vulnerable cookie.
Notice how the response also sets the cookie value back to the XSS? So this is persistent. Brilliant. Now we need an XSS to set this cookie.
5 mins later…
That was easy! Now let's create a script to set the cookie. (With thanks to Google, because I'm too lazy to code JS.)
So this will remove the cookie and reset it to our XSS payload. Now let's visit InstaShag.com and see what happens…
So a simple XSS just injected the payload into the cookie, and now anyone who visits my site and then visits InstaShag.com will have the XSS executed.
Note: They only have to visit my site ONCE to have the XSS injected into the cookie. From then on, anytime they visit InstaShag, the XSS will execute (if you set the cookie to expire in a year or whatever).
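As an added example (not the post's own code, and not anything from InstaShag), the following Python models the two reflection contexts the post relies on: the cookie value echoed into the page body, and a value echoed into a single-quoted string inside a <script> tag (the k'-alert(0)-'k case). The unencoded renderer reproduces the defect for contrast; the hardened renderers apply context-specific output encoding, and one of them also allow-lists the cookie before use, since a cookie the server re-sets from its own reflected output is attacker-controlled input like any other. The cookie name, allowed values and sample payloads are constructed for this example.

```python
import html
import json

# Constructed sample inputs for this example (not values from the post).
ALLOWED_SITES = {"news", "sport", "travel"}          # values the "site" cookie is meant to carry
QUOTE_BREAKOUT = "k'-alert(0)-'k"                    # breaks out of a single-quoted JS string
TAG_BREAKOUT = "</script><script>alert(0)</script>"  # closes the enclosing script block


def render_unencoded(site_cookie: str) -> str:
    """The defect the post describes: the cookie is echoed verbatim into the
    HTML body and into a single-quoted JavaScript string. Shown for contrast only."""
    return (
        "<p>site: " + site_cookie + "</p>\n"
        "<script>var site='" + site_cookie + "';</script>"
    )


def encode_for_html(value: str) -> str:
    """HTML text context: escape &, <, > and both quote characters."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JavaScript string-literal context: emit a JSON string literal (quotes and
    backslashes escaped) and additionally hex-escape '<' so that a '</script>'
    inside the value can never terminate the surrounding <script> element."""
    return json.dumps(value).replace("<", "\\u003c")


def validate_site_cookie(value: str, default: str = "news") -> str:
    """Allow-list the cookie before it is used at all. The post sets this cookie
    through XSS, so it is attacker-controllable and must be treated as input."""
    return value if value in ALLOWED_SITES else default


def render_hardened(site_cookie: str) -> str:
    """Validate first, then encode separately for each output context."""
    site = validate_site_cookie(site_cookie)
    return (
        "<p>site: " + encode_for_html(site) + "</p>\n"
        "<script>var site=" + encode_for_js_string(site) + ";</script>"
    )


def render_hardened_no_allowlist(site_cookie: str) -> str:
    """Encoding alone, for a cookie whose value is legitimately free-form: still
    safe, because every character that could change the parsing context is escaped."""
    return (
        "<p>site: " + encode_for_html(site_cookie) + "</p>\n"
        "<script>var site=" + encode_for_js_string(site_cookie) + ";</script>"
    )


def script_tag_count(page: str) -> int:
    """Crude self-check: a correctly rendered page has exactly one <script tag."""
    return page.lower().count("<script")


if __name__ == "__main__":
    for payload in (QUOTE_BREAKOUT, TAG_BREAKOUT):
        print("unencoded:", render_unencoded(payload))
        print("hardened :", render_hardened_no_allowlist(payload))
```

The point of the two hardened variants is that the encoding must match the context the value lands in: html.escape is correct for the <p> text but would not stop the quote breakout inside the script string, while the JSON literal plus the \u003c substitution handles both the quote and the closing-tag case. The allow-list is the cheaper defence where the cookie only ever carries a small set of known values.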