HTTP Parameter Pollution “How I found HTTP Parameter Pollution and converted it to stored XSS”-Part II

Amey Muley
Sep 23, 2020

As discussed in the previous blog, I successfully performed an HPP attack on the user; now let’s see how I turned it into XSS via HPP.

What is XSS?

Cross Site Scripting (XSS) allows clients to inject scripts into a request and have the server return the script to the client in the response. This occurs because the application takes untrusted data (in this example, from the client) and reuses it without performing any validation or sanitization.

If the injected script is returned immediately, this is known as reflected XSS. If the injected script is stored by the server and returned to any client visiting the affected page, it is known as persistent XSS (also stored XSS).

XSS via HPP Attack

Now we know that there is no server-side validation of parameters on the website, so I started to dig more. Each user account has a notification section: whatever message the admin sends to a specific user is displayed in that user’s notification panel, and it stays there until the user deletes the notification.

1. Log in to the admin account, go to the send message tab and select the user to whom the admin wants to send the message, fill in the required details, click send message and capture the request in Burp.

2. In the captured request we can see the message body in clear text, so copy the message block and paste it as a new (duplicate) message block that includes the XSS script.

3. On successful execution of the request, the message is shown as sent on the screen. Now log in with the user account and open the notifications: the script is executed and the message is displayed in an alert box.

Due to the absence of server-side validation, the attacker was able to add a new parameter and pollute the request, and the server executed the request instead of throwing an error message.
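As an added example (not code from the original post or the application it describes), the Python below contrasts the two server behaviours involved: a last-wins handler that silently stores the duplicated parameter verbatim, and a hardened handler that rejects repeated or unexpected parameters and HTML-escapes the message before it can reach the notification panel. The request body, field names and placeholder payload are constructed for illustration.

```python
from html import escape
from urllib.parse import parse_qs

# Constructed sample POST bodies. In the polluted one the legitimate "message"
# field is followed by a second copy of the same parameter, as in the post.
# The payload text is an inert placeholder marker, not a working script.
CLEAN_BODY = "to=user42&message=Hello+from+admin"
POLLUTED_BODY = (
    "to=user42&message=Hello+from+admin"
    "&message=%3Cscript%3EPLACEHOLDER%3C%2Fscript%3E"
)

# Hypothetical whitelist of fields the send-message endpoint accepts.
ALLOWED_FIELDS = {"to", "message"}


def vulnerable_store(body: str) -> str:
    """Mirror of the behaviour the post found: parse the body, keep the
    last occurrence of each parameter and store the message unchanged."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields["message"][-1]  # last-wins, no validation, no escaping


def is_polluted(body: str) -> bool:
    """Detection helper: True when any parameter name repeats in the body."""
    fields = parse_qs(body, keep_blank_values=True)
    return any(len(values) > 1 for values in fields.values())


def hardened_store(body: str) -> str:
    """Reject polluted or unexpected parameters, then neutralise markup."""
    fields = parse_qs(body, keep_blank_values=True)
    unexpected = set(fields) - ALLOWED_FIELDS
    if unexpected:
        raise ValueError(f"unexpected parameter(s): {sorted(unexpected)}")
    duplicated = sorted(k for k, v in fields.items() if len(v) > 1)
    if duplicated:
        raise ValueError(f"duplicated parameter(s): {duplicated}")
    message = fields["message"][0]
    # Escaping at storage time keeps the example short; escaping at render
    # time is equally valid as long as the template never emits the raw value.
    return escape(message, quote=True)
```

Logging the `ValueError` cases gives a simple detection signal for parameter-pollution attempts against the endpoint.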
