From 8771c5cd1c5f2eab627e370872a630cfc29f2361 Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Tue, 14 May 2024 22:35:54 +0200 Subject: [PATCH] clean up --- Exploits/Web/XSS.md | 147 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 114 insertions(+), 33 deletions(-) diff --git a/Exploits/Web/XSS.md b/Exploits/Web/XSS.md index 2e78749..ea5132f 100644 --- a/Exploits/Web/XSS.md +++ b/Exploits/Web/XSS.md @@ -1,8 +1,13 @@ # Cross-Site Scripting -A web application is vulnerable to XSS if it uses unsanitized user input. XSS is possible in Javascript, VBScript, Flash and CSS. + +A web application is vulnerable to XSS if it uses unsanitized user input. XSS +is possible in Javascript, VBScript, Flash and CSS. ## Stored XSS -This is where a malicious string originates from the websites database. Such as (stored in a db) + +This is where a malicious string originates from the websites database. Such as +(stored in a db) + * User profiles * Chats and comments * Part of link @@ -10,19 +15,23 @@ This is where a malicious string originates from the websites database. Such as * Blind xss is stored inside the app but effects are only visible by proxy, [xsshunter](https://xsshunter.com/). ### Examples -* Sanity test by changing DOM content -``` + +Sanity test by changing DOM content + +```html ``` -* Cookie stealing +Cookie stealing ```javascript ``` - * Navigte to `/logs` and take sid -* Open nc port and collect cookies +Navigte to `/logs` and take sid + +Open nc port and collect cookies + ```javascript @@ -30,65 +39,124 @@ This is where a malicious string originates from the websites database. Such as ``` ## Reflected XSS -In a reflected cross-site scripting attack, the malicious payload is part of the victims request to the website. The website includes this payload in response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload. + +In a reflected cross-site scripting attack, the malicious payload is part of +the victims request to the website. The website includes this payload in +response back to the user. To summarise, an attacker needs to trick a victim +into clicking a URL to execute their malicious payload. + * URL parameters inside GET queries * File paths ### Usage + As script inside parameter -```sh + +```html http://example.com/search?keyword= ``` -* Show server IP -``` + +Show server IP + +```html http://example.com/reflected?keyword= ``` -* Session stealing, base64 encoded + +Session stealing, base64 encoded + ```javascript ``` - * open netcat binder to catch the http queries + +Open netcat binder to catch the http queries ## DOM based XSS -With DOM-Based xss, an attackers payload will only be executed when the vulnerable Javascript code is either loaded or interacted with. It goes through a Javascript function like so: + +With [DOM-Based +XSS](https://portswigger.net/web-security/cross-site-scripting/dom-based), an +attackers payload will only be executed through the DOM when the +vulnerable Javascript code is either loaded or interacted with. It goes through +a Javascript function like so: + ```javascript var keyword = document.querySelector('#search') keyword.innerHTML = ``` +DOM based XSS also works out directly through the URL if parts of the URL (URL +fragments) are put into a javascript function. These fragments inside the URL +are marked by a `#` char and are executed inside the DOM not the server. An +example of a URL is as follows. + +```html +https://example.com# +``` + +Measurements against DOM based XSS are URL encoding and httponly cookies. + +### DOM based XSS via JQuery + +Put the payload inside an iframe to use it through JQuery through triggering +`hashchange`. This is described on +[the +portswigger](https://portswigger.net/web-security/cross-site-scripting/dom-based) +page. + +```html +