XSS Attack

Description

Stored (Persistent) XSS

Occurs when a malicious script is saved on the server (e.g., in a database or file). The application later displays that script to any user who views the affected page, meaning a single Stored XSS can attack all visitors.

Reflected XSS

This happens when a malicious script is included as part of a specially crafted link or request. The application takes this value and immediately sends it back to the user’s browser (e.g., in search results or error messages). Only the person who visits that crafted link or submits that request is affected.

DOM-based XSS

Takes place entirely in the browser, modifying the page’s Document Object Model (DOM) after it has loaded. The user’s browser processes malicious data (e.g., from the URL or a script), causing client-side code to inject the payload into the page.

Impact

Regardless of the delivery method, the malicious script runs in the user’s browser, potentially allowing attackers to hijack sessions, redirect users to harmful sites, execute local applications in the user’s context, or inject malicious content into the web application.

Attack:

Step 1:

  • Identify the input field that accepts unsanitised input.

  • After identifying it, enter the special characters below and look for unfiltered results.

If the application does not remove or encode these characters, it may be vulnerable to XSS, because the characters are interpreted as code rather than data, which in turn allows additional code to be injected.
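The check in Step 1, written out as an added example that is not part of the original page: a constructed search-results page in its vulnerable and output-encoded forms, and a small test that reports which special characters a response reflects unencoded. The marker token, the page rendering functions and the `renderSearchPartial` blacklist filter are all assumptions made up for this illustration.

```javascript
// Added example (not from the original page): reflected-XSS render paths and
// the "unfiltered special characters" check from Step 1, expressed as an
// output-encoding test a defender can run against any response body.

// Minimal HTML entity encoder for text placed inside an element body.
// Attribute and JavaScript contexts need their own encoders; this one covers
// the element-content context used by the render functions below.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  })[ch]);
}

// Vulnerable version of a search page (constructed): the query is concatenated
// straight into the response, so any markup in it reaches the browser as markup.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Blacklist filter that only strips angle brackets (constructed): quotes and
// ampersands still come back raw, so attribute contexts remain at risk.
function renderSearchPartial(query) {
  return `<p>Results for: ${query.replace(/[<>]/g, '')}</p>`;
}

// Hardened version: the same page with the user value encoded on output, so the
// browser renders the special characters as text.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// The special characters the Step 1 check looks for.
const SPECIALS = `<>"'&`;

// A unique marker (constructed) wrapped around the probe, so the test inspects
// only the reflected input and not markup that belongs to the page itself.
const MARKER = 'qz9x7probe';

function buildProbe(chars = SPECIALS) {
  return MARKER + chars + MARKER;
}

// Returns the special characters that came back raw between the two markers,
// [] if every one was encoded or removed, and null if the input was not
// reflected at all.
function unencodedReflection(responseBody, chars = SPECIALS) {
  const start = responseBody.indexOf(MARKER);
  if (start === -1) return null;
  const afterStart = start + MARKER.length;
  const end = responseBody.indexOf(MARKER, afterStart);
  if (end === -1) return null;
  const reflected = responseBody.slice(afterStart, end);
  // Drop correctly encoded entities first, then report any raw characters left.
  const stripped = reflected.replace(/&(amp|lt|gt|quot|#x27|#39);/g, '');
  return [...chars].filter((ch) => stripped.includes(ch));
}

// Stand-alone usage: compare the three render paths on the same probe.
for (const render of [renderSearchVulnerable, renderSearchPartial, renderSearchSafe]) {
  console.log(render.name, unencodedReflection(render(buildProbe())));
}
```

The partial filter is the case worth studying: a response that strips `<` and `>` looks clean at first glance but still reflects quotes and ampersands, which is exactly what Step 1 is meant to surface. The fix is the `renderSearchSafe` path, encoding for the output context rather than filtering characters from the input.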

Step 2:

Look at the code to see whether anything under user control is being displayed without sanitizing.

If so, use a payload to exploit it.

Step 3:

Using XSS to get privilege escalation.

We can use XSS to steal Cookies and session information.

In the case of WordPress, we can create a new admin user and get all access.

The above code creates a new user named attacker. Compress it using JSCompress.

Encoding Function:

Before running the function below, go to about:blank in Firefox and press Ctrl + Shift + K to open the browser console. Then run the function:

Add the compressed JavaScript code to the function and run it.

We decode and execute the encoded string by first decoding it with String.fromCharCode and then running the result via eval(). Once we have copied the encoded string, we can insert it with the following curl command and launch the attack:

Start Burp Suite with Intercept on to get a good overview of the process.

Forward the request. Now, when the user visits that page, the code will be executed.
