Let’s start off by scanning our machine with Nmap.
nmap -p- -sV -T4 10.10.134.149
All ports (-p-), service/version detection on whatever is open (-sV), and the second-fastest timing template (-T4). Note that -T needs a number; a bare -T is not valid.
Looks like we have port 22 (SSH) and port 5000 open, the latter serving a web server. Let’s visit the website at
http://10.10.134.149:5000
Looks like the page lets us submit search queries, so let’s try one. We’ll use HackThePlanet as a test string.
When we submit the query, we can see that the search term is carried in the URL as the query string parameter q, which is the answer to the 3rd question.
We can run ZAP (Zed Attack Proxy), give it the site on port 5000 as the target, and click Attack. ZAP is an automated scanner used to assess websites for vulnerabilities.
The results report 2 cross-site scripting vulnerabilities, which answers one of the questions. When you go back to the web app after the scan you can see many of the payloads ZAP submitted; several were directory traversal attempts aimed at sensitive files on both Linux and Windows.
Now we can try to exploit the XSS that ZAP found. Visit the website and in the search field enter the payload
<script>alert(1)</script>
This is stored cross-site scripting: the payload was saved server-side along with the earlier queries, so every time we reload the page the alert box pops again, even without the payload in the query string. Reflected XSS, by contrast, only fires while the payload is present in the request itself.
Cross-site scripting can be very dangerous. Here we only popped an alert box, but the same injection point can be used to steal users’ cookies. With a session cookie, an attacker could log in as that user and make requests on their behalf; imagine someone stealing your banking session cookie and transferring your money to another account. (Cookies flagged HttpOnly cannot be read from JavaScript, which is exactly why that flag matters.) The alert box is a quick way to confirm that script execution works before moving to a more advanced payload.
Hopefully you had fun with today’s task. XSS comes up a lot, so it’s useful to spend some time learning all the places you can exploit it. Query strings aren’t the only place you can fire XSS payloads: any field where you, the attacker, can input data is a candidate. On the defensive side, user-supplied data must be encoded for the context it is rendered in (HTML-escaping <, >, &, " and ' at a minimum) rather than merely having certain characters removed, since strip-based filters are routinely bypassed.
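To make the stored-XSS behaviour and the encode-versus-strip point concrete, here is a small added example (not code from the writeup or from the room’s application). It models the search page as an in-memory list of past queries rendered into an HTML list, renders it once unsafely and once with HTML encoding, and shows why a filter that removes <script> tags in a single pass is not a fix. The query strings, the list rendering and the naiveStrip filter are all constructed here for illustration; runs under Node.js.

```javascript
// Added example: stored XSS through a persisted search list, and why
// output encoding beats character stripping. Not part of the original page.

// Vulnerable rendering: user data concatenated straight into HTML.
// `queries` plays the role of the server-side store of past searches,
// which is what makes the payload fire again on every reload.
function renderVulnerable(queries) {
  return queries.map(q => `<li>${q}</li>`).join("\n");
}

// Context-aware encoding for data placed between HTML tags (HTML body context).
// Other contexts (attributes, URLs, inline JS) need their own encoders.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Safe rendering: same template, but every query is encoded first.
function renderSafe(queries) {
  return queries.map(q => `<li>${escapeHtml(q)}</li>`).join("\n");
}

// The "remove certain characters" approach: delete <script> and </script> once.
// This is a constructed example of a weak filter, not a recommendation.
function naiveStrip(s) {
  return s.replace(/<script>/gi, "").replace(/<\/script>/gi, "");
}

// Crude detector used only to make the results checkable: is there a live
// <script ...> opening tag left in the rendered HTML?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

function demo() {
  // Constructed inputs: the benign test query from the walkthrough and the alert payload.
  const queries = ["HackThePlanet", "<script>alert(1)</script>"];

  // Nested tags survive a single-pass strip: removing the inner <script> and
  // </script> reassembles the outer pair into a working script element.
  const bypass = "<scr<script>ipt>alert(1)</scr</script>ipt>";

  return {
    vulnerable: containsScriptTag(renderVulnerable(queries)), // true: payload executes on every render
    safe: containsScriptTag(renderSafe(queries)),             // false: rendered as literal text
    stripBypass: containsScriptTag(naiveStrip(bypass)),       // true: the filter is defeated
    stripped: naiveStrip(bypass),                             // "<script>alert(1)</script>"
  };
}

console.log(demo());
```

Run it with `node` and compare the three booleans: the vulnerable render keeps the script tag, the encoded render neutralises it, and the strip filter turns the nested payload back into a clean `<script>` element. That last case is the reason the fix is encoding on output, applied at the point the data enters HTML, rather than a blocklist on input.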