Cross-site scripting (XSS) is a security vulnerability that can allow attackers to inject malicious code into web pages. There are two main types of XSS vulnerabilities: reflected XSS and stored XSS. Blind XSS is a type of reflected XSS vulnerability that can make it difficult for attackers to determine if a vulnerability is exploitable. Blind XSS vulnerabilities can be exploited by using a technique called time-based attacks. In this blog, we will discuss how to find and exploit blind XSS vulnerabilities using Burp Suite.
Step-by-step Simulation of Blind XSS Attack Vector:
Step 1: Set Up Burp Suite
To start, download and install Burp Suite from its official website. Launch Burp Suite and set up your proxy in the settings. In order to intercept all HTTP requests and responses, enable the Intercept feature by clicking on the ‘Intercept is On’ button in the top right corner of the screen.
Step 2: Identify the Vulnerable Page
Visit the website you want to test and identify the page that you suspect contains a blind XSS vulnerability.
Step 3: Send a Custom Request Header
In Burp Suite, click on the ‘Proxy’ tab and then the ‘Intercept’ sub-tab. Now, go to the vulnerable web page and interact with it in a way that will trigger a request to the server. The request should now appear in Burp Suite’s ‘Proxy’ tab. Right-click on the request and select ‘Send to Repeater’. In the Repeater tab, click on the ‘Headers’ tab and add a custom request header with your malicious code.
Step 4: Send the Request to the Server
Once you have added the custom request header, click on the ‘Send’ button to send the request to the server.
Step 5: Monitor the Response
In Burp Suite, go to the ‘Proxy’ tab and then the ‘Intercept’ sub-tab. You should see the response from the server. Monitor the response for a specific string of characters. If the string of characters is present in the response, then the vulnerability is exploitable.
Step 6: Exploit the Blind XSS Vulnerability
Once you have found a blind XSS vulnerability, the next step is to create a malicious script that can exploit the vulnerability. The script can be used to steal the victim’s cookies or session token, allowing the attacker to impersonate the victim and gain access to their account.
Here is an example script that can be used to steal the victim’s cookies:
This script creates a new XMLHttpRequest object and sends a GET request to a URL that contains the victim’s cookie. The cookie is then sent to the attacker’s server, where it can be stored and used to impersonate the victim.
However, this script is not very effective on its own, as it can be easily detected by the web server’s security measures. Therefore, the script needs to be encoded in a way that will not be detected by the server.
One way to encode the script is to use base64 encoding. Here is an example of how the script would look after base64 encoding:
In this version of the script, the victim’s cookie is encoded using the btoa() function before being sent to the attacker’s server. This makes it more difficult for the server to detect the malicious code.
Once the script has been encoded, it can be added to a custom request header using Burp Suite. Here is an example of how the custom header would look:
XSS-Payload:
This custom header can then be sent to the server using Burp Suite. When the victim visits the vulnerable page, they will be redirected to the attacker’s server, where the malicious script will be executed and the victim’s cookies will be stolen.
Blind XSS vulnerabilities can be a serious security threat. It is important to find and report them to the website owner so that they can be fixed. Burp Suite is a powerful tool that can be used to find and exploit blind XSS vulnerabilities. By following the steps outlined in this blog, you can simulate a blind XSS attack vector and test the security of your own websites.
