Persistent XSS

Persistent (stored) XSS is attacker-supplied JavaScript that the server stores and later embeds in a page it serves, so it runs in the browser of every user who views that page, not just the attacker's. It occurs when the application neither validates user-supplied data before storing it nor HTML-encodes it when rendering it into a page. Classic locations are blog comments, forum posts and profile fields, but any stored value that ends up in HTML will do.

OWASP Juice Shop Example

First, log in to the admin account.

For this attack we are going to use the "Last Login IP" page. It should currently show an ordinary address such as 0.0.0.0 or 10.x.x.x.

Because the page shows the IP recorded at the previous login, we need the application to record a new value. That happens when we log out, so log out now and intercept that request.

Make sure that Burp Proxy intercept is on so it catches the logout request.

In the intercepted request, go to the Headers tab and add a new header with the following name and value (the value is the XSS payload; the backticks are just a string delimiter that avoids quoting problems inside the attribute):

True-Client-IP

<iframe src="javascript:alert(`xss`)">

Then forward the request to the server. Log back in to the admin account and open the Last Login IP page again: the stored header value is rendered into the page and the XSS alert fires.

Why do we have to send this Header?

True-Client-IP is similar to X-Forwarded-For: both are added by a reverse proxy or CDN to tell the origin server the IP address of the original client, since from the server's point of view the connection comes from the proxy. The application trusts this header as the user's IP and stores it without checking that it actually looks like an IP address, and the Last Login IP page renders the stored value into HTML without encoding it. Because the header is fully under our control, we can store arbitrary HTML and it executes whenever the page is viewed. Note that the page only ever displays the admin's own last login IP, so here the "victim" is the admin account we injected into; the same flaw in a value shown to other users would hit them too.
