2

As per my understanding, while exploiting an XSS (in a GET request) the attacker will craft a malicious link with a JS payload and will send it to the victim. When the victim clicks on the link, the script will send the cookie to the attacker's server.

How can I exploit an XSS vulnerability if the parameter is going in the body? How exactly should I create a payload (link or file) and send it to the victim?

Anders
Raghav
  • 2
    Aren't you essentially asking on how to make the user submit a POST request with attacker controlled data and then show the resulting page to the user? Have you tried using a `
    – Steffen Ullrich Dec 18 '17 at 06:22

1 Answer

7

You cannot craft a link that contains a POST body. So you will have to go a somewhat different route.

You will need to create your own page that contains the payload:

<!-- onload does not fire on a <form> element, so submit it from a script placed after the form -->
<form id="f" action="http://target.com" method="post">
  <input type="hidden" value="payload" name="fieldname">
</form>
<script>document.getElementById("f").submit();</script>

Or you can achieve the same effect just using the JavaScript fetch API. Then you need to trick the victim into visiting this page.

This will be a little bit harder since the URL will be different and perhaps look a bit fishy. If you want to avoid that, you can go looking for open redirect vulnerabilities and leverage them to take the victim to your page.

Of course, if the payload is stored on the server, and displayed on a page that can be visited later, this is much simpler - just make the victim visit that page. This is what is called stored XSS.

Anders
  • 1
    As per my understanding this would also require the page to be vulnerable to CSRF, since posting a cross-domain form with CSRF protection is not possible. – Rahul Nov 22 '19 at 16:44
  • @Rahul The vulnerable page may even be stateless and without authentication, so CSRF is sort of a separate issue. – Anders Nov 22 '19 at 18:06
  • 1
    Can you point towards such an example? – Rahul Nov 22 '19 at 18:17