cookies of target page are now taken automatically via extention and posted to server

Author: TasnimFabiha

xssi check/jsFinder/app/page_analyzer.js

@@ -1,6 +1,8 @@
 //document.body.innerHTML = document.body.innerHTML.replace(new RegExp("Gmail", "g"), "nobody");
 
 window.onload = function () {
+    var cookies = document.cookie;
+    var currenturl = window.location.href;
     var scripts = document.getElementsByTagName("script");
     for (var i = 0; i < scripts.length; i++) { 
         if (scripts[i].src) {
@@ -13,12 +15,21 @@ window.onload = function () {
             loadDoc(i, window.location.href, scripts[i].innerHTML);
         }
     }
-
-    //getScriptContent();
+    postCookies(cookies, currenturl);
+    getScriptContent();
     //alert(scripts.length);
 }
 
-
+function postCookies(cookies, currenturl) {
+    var xhttp = new XMLHttpRequest();
+    xhttp.onreadystatechange = function () {
+        if (this.readyState === 4 && this.status === 200) {
+        }
+    };
+    xhttp.open("POST", "http://localhost:55168/home/PostCookies", true);
+    xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+    xhttp.send("cookies="+cookies+"&url="+ currenturl);
+}
 
 
 function loadDoc(scriptNumber, src, content) {
@@ -33,7 +44,7 @@ function loadDoc(scriptNumber, src, content) {
 }
 
 
-/*function getScriptContent() {
+function getScriptContent() {
     var xhttp = new XMLHttpRequest();
     xhttp.onreadystatechange = function () {
         if (this.readyState === 4 && this.status === 200) {
@@ -42,4 +53,4 @@ function loadDoc(scriptNumber, src, content) {
     xhttp.open("GET", "http://localhost:55168/home/GetScriptContent", true);
     xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
     xhttp.send();
-}*/
+}

xssi check/xssiServer/Controllers/HomeController.cs

@@ -15,8 +15,8 @@ public class HomeController : Controller
     {
 
         ApplicationDbContext Db = new ApplicationDbContext();
-        CookieContainer Cookies = new CookieContainer();
-        public ActionResult ReqWithCookies()
+        //public CookieContainer Cookies = new CookieContainer();
+        /*public ActionResult ReqWithCookies()
         {
             //HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://www.foodiez.com.bd/Home/GetCityFromSession");
             //request.CookieContainer = new CookieContainer();
@@ -29,7 +29,7 @@ public ActionResult ReqWithCookies()
             Cookies.Add(new Cookie("PHPSESSID", "ktt4a4eue8cpq60evul997dia1") { Domain = target.Host });
 
 
-            //cookies.Add(response.Cookies);
+            //Cookies.Add(response.Cookies);
 
             HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://localhost/demo/userInformationView.php");
             request.CookieContainer = Cookies;
@@ -40,17 +40,9 @@ public ActionResult ReqWithCookies()
             string strResponse = reader.ReadToEnd();
 
             return Json(strResponse, JsonRequestBehavior.AllowGet);
-        }
+        }*/
 
-        public CookieContainer GetCookie()
-        {
-            CookieContainer cookies = new CookieContainer();
-            Uri target = new Uri("http://localhost/demo/userInformationView.php");
-            cookies.Add(new Cookie("__RequestVerificationToken", "05QKJgFJ8ZGk6KmgD1QR6RjeW1sHUwx5JGERq2NTUW0GXp7Hbu1Cs2cgQmkZ3-QFvynb876pKezKp-CvIoZmYF-8p28365lcvUK0be4eMf81") { Domain = target.Host });
-            cookies.Add(new Cookie("io", "rVBILLp7745vDsrDAAAA") { Domain = target.Host });
-            cookies.Add(new Cookie("PHPSESSID", "ktt4a4eue8cpq60evul997dia1") { Domain = target.Host });
-            return cookies;
-        }
+      
 
         public ActionResult Index()
         {
@@ -81,7 +73,7 @@ public ActionResult GetScriptContent()
                         });
                     }
                 }
-                if (s.Source != null && !s.Source.Contains("facebook") && s.Content == null)
+                if (s.Source != null && s.Content == null)
                 {
                     var withoutLoginContent = ExecuteHttpGet(s.Source);
                     var withLoginContent = ExecuteHttpGet(s.Source, cookies);
@@ -158,7 +150,40 @@ public ActionResult About()
             return View();
         }
 
+
+        public string Cookies, TargetUrl;
         [HttpPost]
+        public ActionResult PostCookies(string cookies, string url)
+        {
+            Cookies = cookies;
+            TargetUrl = url;
+            
+            
+            return null;
+        }
+
+        public CookieContainer GetCookie()
+        {
+
+            Uri target = new Uri(TargetUrl);
+            var createdCookies = new CookieContainer();
+            
+            var splitWithSemicolon = Cookies.Split(';');
+            foreach (var splitted in splitWithSemicolon)
+            {
+                var cookieValue = splitted.Split('=');
+                createdCookies.Add(new Cookie(cookieValue[0].Trim(), cookieValue[1].Trim())
+                {
+                    Domain = target.Host
+                });
+            }
+            return createdCookies;
+        }
+
+
+
+
+[HttpPost]
         public ActionResult PostScript(GenericScriptHolder genericScriptHolder)
         {
             ViewBag.Message = "Your contact page.";

xssi check/xssiServer/Views/Shared/_Layout.cshtml

@@ -23,7 +23,7 @@
                 <ul class="nav navbar-nav">
                     <li>@Html.ActionLink("Home", "Index", "Home")</li>
                     <li>@Html.ActionLink("About", "About", "Home")</li>
-                    <li>@Html.ActionLink("Contact", "Contact", "Home")</li>
+                    
                 </ul>
                 @Html.Partial("_LoginPartial")
             </div>
@@ -40,10 +40,7 @@
     @Scripts.Render("~/bundles/jquery")
     @Scripts.Render("~/bundles/bootstrap")
     @RenderSection("scripts", required: false)
-<script src="http://localhost/demo_project/js/myApp.php">
-
-    
-</script>
+<script src="http://localhost/xssi_vulnerable_website/js/myApp.php"></script>
 <script>
     var info = document.getElementById("effect");
     console.log(info);