There are situations where an injection traverses profile areas, services and even network boundaries, usually because user-controlled input is stored in a database (stored XSS). But when a tester or attacker cannot see the injection firing through regular means, or the inner workings of the affected software are not known, a different kind of probing is needed to spot the vulnerability. This is usually the case for vulnerable code in unreachable environments, like an intranet.
A simple piece of code that grabs remote info from a victim who triggers a blind XSS and emails it to the tester/attacker is here. It needs to be renamed to index.php and have the email addresses “myName@myDomain” and “report@myDomain” replaced with the tester/attacker’s own settings. It also needs an SMTP server installed and configured on the system. This and this will help if you’re doing it from scratch.
That code is a PHP file used both as the source of the injected script and as the mailer. Placed in the web root of a domain, it only needs to be included in a payload with:
Which looks like:
The following info is present in the report.
- IP address: address of the victim’s browser (requester) and of any proxy (X-Forwarded-For).
- User agent: browser of the victim.
- Target URL: where the victim executed the payload.
- Referrer URL: the previous page the victim came from.
- Readable cookies: all of the victim’s non-HttpOnly cookies.
- Session storage: data stored by the browser for the duration of the victim’s session, in JSON format.
- Local storage: data stored by the browser beyond the duration of the victim’s session, in JSON format.
- Full document: the DOM of the target URL.
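From the defender's side, two of the items above depend on response headers the application controls: cookies are only readable by an injected script when they lack HttpOnly, and a remotely sourced script only loads when the Content-Security-Policy allows that host. The following audit, an added example that is not part of the original post, checks both against a constructed set of headers (the host names are placeholders, not real infrastructure).

```python
"""Audit response headers for what a blind-XSS probe could reach."""
from http.cookies import SimpleCookie


def script_readable_cookies(set_cookie_headers):
    """Return names of cookies lacking HttpOnly (readable via document.cookie)."""
    readable = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                readable.append(name)
    return readable


def _effective_script_sources(csp):
    """Parse a CSP string; script-src wins, default-src is the fallback."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")  # None: no policy applies to scripts


def remote_script_allowed(csp, host):
    """True if a <script src> from `host` would load under this CSP."""
    sources = _effective_script_sources(csp)
    if sources is None:
        return True  # no CSP at all: any remote script loads
    host = host.lower()
    for src in sources:
        src = src.lower()
        if src.startswith("'"):
            continue  # keyword sources ('self', 'nonce-…') never match a host
        if src in ("*", "https:", "http:"):
            return True
        src_host = src.split("://", 1)[-1].split("/")[0].split(":")[0]
        if src_host.startswith("*."):
            if host.endswith(src_host[1:]):
                return True
        elif src_host == host:
            return True
    return False


# Constructed sample headers for a vulnerable and a hardened configuration.
WEAK_COOKIES = ["session=abc123; Path=/", "theme=dark; Path=/"]
HARD_COOKIES = ["session=abc123; Path=/; HttpOnly; Secure", "theme=dark; Path=/"]
HARD_CSP = "default-src 'self'; script-src 'self' https://cdn.example.test"
```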