Persistent Cross-Site Scripting Demo for Sharepoint
I had been meaning to write a demo for this for well over a year and just got around to it. There is nothing too special here, but it is a nice little template for an XSS or CSRF exploit for future testing. The target was a Microsoft Sharepoint site, which is used for collaboration amongst other things. The Sharepoint site allows a user to upload files which can then be viewed by other users.
There are a few potential avenues for attack here, but the simplest method for persistent XSS was to just upload an HTML file! From there you can do all the usual XSS types of attack, but I wanted to be able to demonstrate silently doing something on the Sharepoint site itself under the account of the user viewing the uploaded file. This is complicated slightly because Microsoft have implemented Cross Site Request Forgery protection in the form of a unique token generated when you view a page, and submitting a form without the token will fail. They also check the referrer, but because the page we upload will be on the Sharepoint site itself, that check will pass.
When the demo page is viewed it will silently add a link to the user’s favourite links in their profile. It does this by first downloading the link submission page, extracting the CSRF token (and ViewState token) and then submitting the new link along with these tokens.
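The root cause above is that an uploaded file is served inline from the site's own origin, so its script runs with the viewer's session and can read the CSRF token like any first-party page. The following is an added example of the server-side control that closes that gap; it is my own illustration, not code from the post or from SharePoint. It assumes a hypothetical upload handler that calls these functions before serving a file, and the marker list, extension list and sniff length are my assumptions.

```python
import mimetypes
import re

# Tags whose presence near the start of a body make browsers (old IE's content
# sniffing in particular) treat it as HTML regardless of the declared type.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|iframe|object|embed|svg|meta)\b",
    re.IGNORECASE,
)

# Extensions that a browser will render as markup or script when served inline.
ACTIVE_EXTENSIONS = {
    "html", "htm", "xhtml", "shtml", "mht", "mhtml", "svg", "xml", "xsl", "xslt",
}

SNIFF_BYTES = 1024  # assumption: how far into the body we look for markup


def extension_of(filename: str) -> str:
    """Lower-cased final extension of the file name, or '' when there is none."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def looks_like_html(data: bytes) -> bool:
    """True when the leading bytes contain markup a browser would execute."""
    return HTML_MARKERS.search(data[:SNIFF_BYTES]) is not None


def is_active_content(filename: str, data: bytes) -> bool:
    """Active if either the extension or the sniffed content says 'markup'."""
    return extension_of(filename) in ACTIVE_EXTENSIONS or looks_like_html(data)


def download_headers(filename: str, data: bytes) -> dict:
    """Response headers that stop a user upload from running as a same-origin page.

    Content-Disposition: attachment forces a download instead of inline rendering,
    so an uploaded .html file never becomes a page on the site's origin.
    X-Content-Type-Options: nosniff stops the browser from 'upgrading' a .txt
    that happens to contain tags into HTML. CSP 'sandbox' is a second layer for
    browsers that honour it. Anything that looks active is also relabelled as
    application/octet-stream so no viewer is tempted to render it.
    """
    base = filename.rsplit("/", 1)[-1]
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"
    if is_active_content(filename, data):
        content_type = "application/octet-stream"
    else:
        content_type = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed sample uploads: an HTML page, a text file hiding a tag, an image.
    samples = {
        "report.html": b"<html><body><script>/* runs as the viewer */</script></body></html>",
        "notes.txt": b"Meeting notes\n<script></script>",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    }
    for name, body in samples.items():
        verdict = "active" if is_active_content(name, body) else "inert"
        print(name, verdict, download_headers(name, body))
```

Applied to a document library, this turns the uploaded demo page into a plain download, and the referrer check the post mentions regains its meaning because no attacker-controlled markup is ever rendered on the site's origin. SharePoint 2010 and later expose an equivalent control as the web application's Browser File Handling setting, whose Strict mode adds the attachment header for file types not on its inline allow list.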
This was written specifically for IE6; it won't work in Firefox (though it can be changed to work), and I haven't tested it on newer versions of IE, but it may work. It will need to be customised to the target site, as this is just a basic template.