12/12/2022 - THM Severside Request Forgery and XSS

Question 1

What does SSRF stand for?

Answer 1

Server-side Request Forgery

Question 2

What is a SSRF?

Answer 2

A vulnerability that allows a user to cause the webserver to make an additional/edited HTTP request.

Question 3

What are the impacts to SSRF?

Answer 3

Unauthorized access
Access to customer/organizational data
Ability to scale to internal networks
Reveal authentication tokens/credentials

Question 4

What is a common attack technique used within SSRF?

What pattern is used to stop a webservers mitigation filter after malicious code is injected?

Answer 4

“&x” - stops remaining path from being appended to attackers URL

Directory Traversal: Accessing another directory not intended to be searched

Question 5

What are common SSRF vulnerability locations?

Answer 5

Form input values

Partial URL showing just a hostname

URL showing the whole path

*If working with blind SSRF you will need to use external HTTP logging tool

Question 6

What are two high-attack strategies for SSRF
*Hint think higher than cookies and attacks

Answer 6

Blind; vulnerability occurs but with no information returned to the attacker’s screen

Regular; vulnerability is returned to the attacker screen

Question 7

Ways to defeat SSRF mitigations

Answer 7

If the defense uses…

• Deny Lists: leverage other names to get the same result (ie deny localhost.. 0.0.0.0,127....,0,0000,etc.. (check notes for more)
• Allow List: Locate pattern allowed and comment it out
• Use Open Redirect: redirect the url to attackers server

Question 8

What are four high level attack schemes for XSS attacks?

Answer 8

Session Steal

Proof of Concept

Key Logger

Business Logic

Question 9

Which JS document property contains the users session token?

Answer 9

document.cookie

Question 10

Which JS document property captures keystrokes?

Answer 10

document.onkeypress

Question 11

What JS functions convert and decode base64 encoding

Answer 11

BTOA()

ATOB()

Question 12

Types of XSS attacks?

Answer 12

Stored
Reflected
DOM
Blind

Question 13

What is a stored XSS attack and common attack areas?

Answer 13

Malicious information stored on the web app

• Look for comments in a blog
• User profile information
• Website listing
• changing form data (the form is drop-down selecting only integers but you send string)

Question 14

What is a DOM based attack?

Answer 14

Programming interface flaw for HTML or XML

Question 15

Impact of Stored XSS attack

Answer 15

Redirect user

Steal session cookie

Perform other website action while acting as the visting user

Question 16

DOM based attack impact?

Answer 16

Links sent to victims redirecting them to another website from the page or the users session

Question 17

What is a blind XSS

Answer 17

Same as a stored XSS attack but you cannot verify payload worked

Question 18

How do you test for blind xss?

Answer 18

Ensure payload has a call back (http request) to verify payload works

Question 19

What is a tool to test for blind xss?

Answer 19

xsshunter