OWASP Class Lab 2 ‐ Gruyere - devinziegler/Devin-Tech-Journal GitHub Wiki

Reflected XSS

One instance of reflected XSS I found on the website was under my profile. There is an option to add a "homepage" for your website. This link will then be accessible to other users on the website. In this example I uploaded a link to my website; however, I also added a script that runs an alert when clicked on.

This was the syntax used:

https://google-gruyere.appspot.com/450212964025114637993063060963728093676/<script>alert("beluga")</script>

This was published on the site as my homepage.

Screen Snip (image: deliverable1)

This is what the user would encounter when the link was clicked.


Stored XSS

The example I used in this lab was to upload a script onto a snippet that will run an alert when the mouse hovers over it.

Syntax used

<b onmouseover=alert('beluga')>not a script</b>

Screen Snip (image: deliverable2)

When the mouse hovers over the text (red), the script is run, and the alert is served (green).


Stored XSS via HTML Attribute

This exploit works by entering a script in the "Profile Color" section of Gruyere. Here is the syntax used in this attack:

green' onmouseover='alert("beluga")

Here, the color "green" is seen; however, the single quote following it terminates the style attribute. I then use the "onmouseover" attribute to display the alert shown in the following screen snip.

Screen Snip (image: deliverable3)

When a user mouses over my name (red), an alert is shown (green).
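A defender-side illustration, added here and not part of the lab or of Gruyere's own code, of why the profile-color payload above breaks out of the style attribute and how output encoding plus an allowlist neutralize both it and the snippet payload from the Stored XSS section; the template markup and the user name "alice" are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Payloads copied from this write-up, used as constructed test input.
SNIPPET_PAYLOAD = "<b onmouseover=alert('beluga')>not a script</b>"
COLOR_PAYLOAD = "green' onmouseover='alert(\"beluga\")"

# Allowlist for a profile color: a CSS color name or a #rgb / #rrggbb value.
SAFE_COLOR = re.compile(r"^(?:[A-Za-z]{1,20}|#[0-9A-Fa-f]{3}|#[0-9A-Fa-f]{6})$")

# Assumed template: Gruyere's real markup is not shown on this page.
TEMPLATE = "<span style='color:%s'>%s</span>\n<p>%s</p>"

def render_vulnerable(name: str, color: str, snippet: str) -> str:
    """Concatenates user input straight into the markup, the flaw the lab exploits."""
    return TEMPLATE % (color, name, snippet)

def render_encoded(name: str, color: str, snippet: str) -> str:
    """Output encoding: quote=True turns ' and " into entities, so the color
    can no longer close the style attribute, and < can no longer open a tag."""
    return TEMPLATE % tuple(html.escape(v, quote=True) for v in (color, name, snippet))

def render_validated(name: str, color: str, snippet: str) -> str:
    """Input validation on top of encoding: a color outside the allowlist is replaced."""
    if not SAFE_COLOR.match(color):
        color = "black"
    return render_encoded(name, color, snippet)

class HandlerFinder(HTMLParser):
    """Collects every on* attribute a browser would treat as an event handler."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr.startswith("on"):
                self.handlers.append((tag, attr, value))

def injected_handlers(rendered: str):
    """Detection check: parse the rendered page and report live event handlers."""
    finder = HandlerFinder()
    finder.feed(rendered)
    finder.close()
    return finder.handlers
```

Running the vulnerable renderer over the two payloads reports an onmouseover handler on both the span and the injected b element; the encoded renderer reports none.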


XSRF

This attack works by putting a URL into a form on the webpage. In my example, I put the URL into the profile icon. This means that any time someone opens my webpage, the URL will load. In this case I used the URL of the snip delete. Here is the URL.

https://google-gruyere.appspot.com/537264530157065856077614865432327391701/deletesnippet?index=0

Snip of execution

I didn't really know how to show this in a screenshot, so here is a snip from the profile icon screen (image: deliverable4).

Because this field accepts URLs, we are able to put the snip delete URL in it and post it for other users.


Information disclosure via path traversal

URL used in this exploit:

https://google-gruyere.appspot.com/537264530157065856077614865432327391701/..%2Fsecret.txt

Screen Snip (image: deliverable5)


Data Tampering by Path Traversal

Screen Snip of new secret.txt file (image: deliverable6)

I can confirm that the file was replaced because it is being accessed through the same path in the browser, but my message is being displayed.

Description of misuse

There are many things an attacker could do with this vulnerability. For example, an attacker could upload a script to the webserver that connects back to the attacker's machine, opening a backdoor on the webserver.
