Hacking Challenge Cross Site Scripting (xss) Prelab 5 || - Phynxlabs - Webmasters - Nairaland

Hacking Challenge Cross Site Scripting (xss) Prelab 5 || - Phynxlabs by Slyr0x: 11:50pm On Aug 26, 2011
I bring to you another Hacking Challenge Prelab from Phynxlabs.

Mission Statement:

After bringing together some of the finest Web developers to ever live on the surface of earth, Oaf Bank can boast of having one of the most secure e-banking systems.

But due to increased exploitation of web applications, the IT Manager of Oaf Bank, Mr Tunde Muwonleru has decided to employ the services of Lead Penetration Tester of PhynxLabs, Slyr0x (you) to successfully exploit the system.

Spoiler(s)

1.) Oaf Bank's e-banking web application is vulnerable to Cross Site Scripting (XSS). Your objective is to make an alert box appear bearing the message "PhynxLabs" without the quotes.

2.) There's a cheatsheet here ---> http://ha.ckers.org/xss.html

3.) I'll drop more spoilers as soon as I see you're getting close to the answer.


Rules


1.) You can discuss here on this thread. Please no spoilers/how you did it.

2.) Just Snapshot of the "Congratulations" page.

3.) Please DO NOT use Automated tools. Your IP will be blocked and blacklisted too.

A little about XSS - XSS permits a malevolent user to inject his own code in vulnerable web pages. Check google for more info.

Challenge Link Here
---> http://www.phynxlabs.com/Prelab/Prelab5/

Good luck and happy spl0it1ng


BTW, If you missed previous PreLabs, you can have a go at them here (check below)

1st Pre-Lab here : https://www.nairaland.com/nigeria/topic-686713.0.html
2nd Pre-Lab here: https://www.nairaland.com/nigeria/topic-686904.0.html
3rd Pre-Lab here: https://www.nairaland.com/nigeria/topic-687033.0.html
4th Pre-Lab here: https://www.nairaland.com/nigeria/topic-689322.0.html


NB: This is just a Pre-Lab from PhynxLabs. We're launching the full Labs soon.
Re: Hacking Challenge Cross Site Scripting (xss) Prelab 5 || - Phynxlabs by Slyr0x: 11:16am On Aug 27, 2011
What is Cross Site Scripting?

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user.
The data is usually gathered in the form of a hyperlink which contains malicious content within it.

Exploiting the App - Oaf Bank

In HTML, to distinguish displayable text from the interpreted markup language, some characters are treated specially. One of the most common special characters used to define elements within the markup language is the "<" character, and is typically used to indicate the beginning of an HTML tag.

These tags can either affect the formatting of the page or induce a program that the client browser executes (e.g. the <SCRIPT> tag introduces a JavaScript program).

As most web browsers have the ability to interpret scripts embedded within HTML content enabled by default, should an attacker successfully inject script content, it will likely be executed within context of the delivery (e.g. website, HTML help, etc.) by the end user.

Such scripts may be written in any number of scripting languages, provided that the client host can interpret the code. Scripting tags that are most often used to embed malicious content include <SCRIPT>, <OBJECT>, <APPLET> and <EMBED>.

To successfully exploit Oaf Bank, you need to use one of the scripting tags mentioned above.
Re: Hacking Challenge Cross Site Scripting (xss) Prelab 5 || - Phynxlabs by Slyr0x: 11:25am On Aug 27, 2011
Another Spoiler

<SCRIPT> - Adds a script that is to be used in the document.
<OBJECT> - Places an object (such as an applet, media file, etc.) on a document.
<APPLET> - Used to place a Java applet on a document.
<EMBED> - Embeds an object into the document.

Remember, Your objective is to make an alert box appear bearing the message "PhynxLab" without the quotes.

Good luck and remember to post how far you've gone on this thread.
Re: Hacking Challenge Cross Site Scripting (xss) Prelab 5 || - Phynxlabs by Slyr0x: 12:17pm On Aug 29, 2011
25 views and no reply yet?

What's happening?
Re: Hacking Challenge Cross Site Scripting (xss) Prelab 5 || - Phynxlabs by denzel2009: 12:24pm On Aug 29, 2011
You be the only hacker now
Re: Hacking Challenge Cross Site Scripting (xss) Prelab 5 || - Phynxlabs by Slyr0x: 11:34am On Sep 02, 2011
denzel2009:

You be the only hacker now

Me ke? I get plenty egbons for here o0. .

I'll just do the challenge myself. . .
Re: Hacking Challenge Cross Site Scripting (xss) Prelab 5 || - Phynxlabs by Slyr0x: 11:36am On Sep 02, 2011
What is Cross Site Scripting?

Cross Site Scripting is a technique used to add script to a trusted site that will be executed on other users' browsers.

Now to the mission, let's see if we can insert our code onto the site and have it executed by our web browser.

We'll start by creating a script tag, which will get executed while the page is loaded by the browser.

Attack 1
Using the attack string "<script>alert('Hacked');</script>"

Result 1
Failure! No popup takes place.

The Oaf Bank web app is quite secure 'cos it escapes characters to make sure it's not vuln to XSS attacks. Now the question is "Is that secure enough?"

From the attack string used above, we can conclude that a malicious user cannot insert those single quotes.

Now going into a little more advanced method, let's use the JavaScript function String.fromCharCode.

The function String.fromCharCode allows us to get around quotes by turning each decimal value into its character.

Let's just convert our desired result "PhynxLabs" into decimal first. We will be using this site http://easycalculation.com/ascii-hex.php to do that.

The string PhynxLabs when converted to decimal is 80 104 121 110 120 76 97 98 115.

Our new attack string becomes <SCRIPT>alert(String.fromCharCode(80, 104, 121, 110, 120, 76, 97, 98, 115))</SCRIPT>.

Use the new attack string "<SCRIPT>alert(String.fromCharCode(80, 104, 121, 110, 120, 76, 97, 98, 115))</SCRIPT>" without the quotes on the Oaf Bank web app and voilà! We have our much desired result.

Try this on all parameters that take user inputs on your site to test if it's vulnerable to XSS or not.

This is just a very simple scenario of what XSS is as it gets worse than this.

A successful XSS attack can be used to

1.) Inject a Phishing script
2.) Iframe Phishing
3.) Redirect Phishing
4.) Cookie stealing
5.) Defacing

I already dropped links where you can read up on Cross Site Scripting (XSS).

Happy Secure Coding.


Slyr0x,
http://phynxlabs.com
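
The point of the post above, as an added example that is not part of the original thread: a filter that only escapes quote characters leaves the quote-free string untouched, while HTML-encoding the output neutralizes both strings. The quote-only filter is an assumed model of Oaf Bank's escaping (the thread does not show the real one), and all function names are hypothetical.

```javascript
// Added example, not code from the thread. All names are hypothetical.

// Assumed model of the weak filter: only quote characters are escaped.
// The tag itself survives; the first string fails only because \' is
// invalid JavaScript outside a string literal.
function escapeQuotesOnly(input) {
  return input.replace(/['"]/g, (c) => "\\" + c);
}

// Fix for output placed in HTML body or attribute context: encode every
// character that can change how the browser parses the markup.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};
function encodeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Regression check: does the rendered output still contain a tag opener?
function containsMarkup(output) {
  return /<\s*\/?\s*[a-zA-Z]/.test(output);
}

// The two strings quoted in the post above.
const quoted = "<script>alert('Hacked');</script>";
const quoteFree =
  "<SCRIPT>alert(String.fromCharCode(80, 104, 121, 110, 120, 76, 97, 98, 115))</SCRIPT>";

// Run both strings through both filters and record what survives.
function report() {
  return [quoted, quoteFree].map((s) => ({
    input: s,
    weakFilterChangedInput: escapeQuotesOnly(s) !== s,
    weakFilterLeavesMarkup: containsMarkup(escapeQuotesOnly(s)),
    encodedLeavesMarkup: containsMarkup(encodeHtml(s)),
  }));
}

console.log(report());
```

A check like `containsMarkup` over rendered output fits in a unit test for each parameter that reflects user input.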
Re: Hacking Challenge Cross Site Scripting (xss) Prelab 5 || - Phynxlabs by Slyr0x: 11:39am On Sep 02, 2011
ADVERT

Every minute of every day there are organized crimes and cyber attackers turning the doorknobs on your house looking for an unlocked entry. They are rattling the windows, circling your domicile, looking for a weakness, a vulnerability, or a way into your house. Are you going to let them in? Are you going to sit idly by and watch as they ransack your belongings, make use of your facilities, and desecrate your sanctuary? Or are you going to prevent them from winning?

Do not despair, all hope is not lost. We at Phynxlabs provide top notch security services ranging from Penetration Testing, Code Review, Vulnerability Assessment and IT Security Consultancy. With a team of formidable Veterans whose expertise in IT Security remains unquestioned, we help to address security loopholes which, if left unattended, would result in attacks that will affect your business directly.

http://phynxlabs.com

Re: Hacking Challenge Cross Site Scripting (xss) Prelab 5 || - Phynxlabs by denzel2009: 6:32pm On Sep 02, 2011
Nice one! our own Ankit Fadia
Re: Hacking Challenge Cross Site Scripting (xss) Prelab 5 || - Phynxlabs by dhtml7(m): 7:31pm On Sep 02, 2011
Very crazy. . .
Re: Hacking Challenge Cross Site Scripting (xss) Prelab 5 || - Phynxlabs by Slyr0x: 10:31pm On Sep 03, 2011
denzel2009:

Nice one! our own Ankit Fadia

I feel honored bro. Tnx for the whining tho

★dhtml:

Very crazy. . .

Egbon, I dey behind you jor.
