# Cross-site Scripting

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf_Ni3aiqZt6p1PF7LE%2F-Mf_O6OPTCTfeBJZNuSg%2Fimage.png?alt=media\&token=0d6868a5-6839-454d-bad7-31e976dc4fbd)

## Introduction

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf_Ni3aiqZt6p1PF7LE%2F-Mf_Ty1OjESJEy2f1oUe%2Fimage.png?alt=media\&token=66536f76-a748-4190-9206-2c9fae1aef68)

## Stored XSS

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf_Ni3aiqZt6p1PF7LE%2F-Mf_UDRzI0gfguTO350b%2Fimage.png?alt=media\&token=c8d1e9fb-e0df-4180-91da-1704734af836)

Let's go to the Stored XSS web page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf_Ni3aiqZt6p1PF7LE%2F-Mf_UdGnEVtIN9lVlxjK%2Fimage.png?alt=media\&token=4ce455aa-9679-47c3-8978-88290fa832f2)

Let's try to add a comment on the page. First we have to create a user and log in.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf_Ni3aiqZt6p1PF7LE%2F-Mf_V6Ro9_x4RWnNL4SH%2Fimage.png?alt=media\&token=431d0f0b-d94f-4fbc-9f5b-4a03058ddf42)

Now let's try to add a comment.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf_Ni3aiqZt6p1PF7LE%2F-Mf_VGHvtltFmSV4WgTz%2Fimage.png?alt=media\&token=61ca2c23-b67c-4c4e-8dfd-1d674237732a)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf_Ni3aiqZt6p1PF7LE%2F-Mf_VJC7tcwosxoPbquD%2Fimage.png?alt=media\&token=3db2bd36-da30-4f5e-bada-bbeb82a37c1f)

Now let's make an alert popup box appear on the web page showing the document cookie.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf_Ni3aiqZt6p1PF7LE%2F-Mf_VcWXwM0UdIan7SDr%2Fimage.png?alt=media\&token=22f42e18-c005-43a7-bb9c-732ea6411377)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf_Ni3aiqZt6p1PF7LE%2F-Mf_VfXRU8L8osoBsWFx%2Fimage.png?alt=media\&token=2ba261c6-93bd-49f6-84a7-3d80d46ac05e)

Let's click OK.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf_Ni3aiqZt6p1PF7LE%2F-Mf_ViLMSGVS3_J2QrFR%2Fimage.png?alt=media\&token=51e92708-ed06-4f83-8f93-7bc0d08a2341)

Now let's change the XSS Playground heading to "I am a hacker".

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf_Ni3aiqZt6p1PF7LE%2F-Mf_W0sl1R810ixeQ9r-%2Fimage.png?alt=media\&token=135fd7c2-74d6-406f-bb52-550cdd339851)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf_Ni3aiqZt6p1PF7LE%2F-Mf_W7Zj1AJODHH-Wdkr%2Fimage.png?alt=media\&token=fbbf7891-780e-480d-b75f-162753331292)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mf_Ni3aiqZt6p1PF7LE%2F-Mf_WDH0kzrS6Nyt0LJS%2Fimage.png?alt=media\&token=3381e490-cf9b-4223-8467-5662a898f041)

Now let's try to take over the user Jack's account by stealing his cookie.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdMHwPvIOIV48qGpEx%2F-MfdNL84yzRW-eT7Td0q%2Fimage.png?alt=media\&token=d28f57ce-8bff-49ca-ad40-23f3eb9ee2a8)

Now let's go to the log page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdMHwPvIOIV48qGpEx%2F-MfdNXWjoZS_buvdE1vY%2Fimage.png?alt=media\&token=ce5f71b0-233b-4e04-8da9-e2003cfad5ba)

We have the cookie.

Let's switch users to Jack and post a comment.

First, let's open the developer tools and change the cookie to Jack's.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdMHwPvIOIV48qGpEx%2F-MfdNzhYh2Ep2K-u8Z1Q%2Fimage.png?alt=media\&token=769b4937-282b-4020-af39-1140ccb7d137)

Now let's reload the page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdMHwPvIOIV48qGpEx%2F-MfdO4dln7BRpLVAQtuG%2Fimage.png?alt=media\&token=140da22b-25f9-4ea9-8cff-10f64cbec572)

We are now the user Jack. Let's post a comment.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdMHwPvIOIV48qGpEx%2F-MfdOA0IMcLQK0H_Ge6b%2Fimage.png?alt=media\&token=1843e73e-605b-441b-867a-60e62daef9f5)
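The takeover above only works because the session cookie is readable through `document.cookie`, which means the server set it without the `HttpOnly` flag. The following is an added example, not part of the TryHackMe room or its playground: it parses `Set-Cookie` headers, models what `document.cookie` would hand to page script, and audits session cookies for the attributes that would have blunted this attack. The header samples and cookie names are constructed.

```javascript
// Added example, not part of the TryHackMe room. Parses one Set-Cookie header
// into its name, value and the hardening attributes that matter for XSS.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   httpOnly: false, secure: false, sameSite: null };
  for (const a of attrs) {
    const [k, v] = a.split('=');
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').trim();
  }
  return cookie;
}

// Models what document.cookie returns to page script: every cookie that was
// not marked HttpOnly. This is what the alert(document.cookie) payload read.
function scriptVisibleCookies(cookies) {
  return cookies.filter((c) => !c.httpOnly).map((c) => c.name + '=' + c.value).join('; ');
}

// Audits headers whose cookie name looks like a session identifier and
// returns one finding per missing protection.
function auditSessionCookies(headers) {
  const findings = [];
  for (const c of headers.map(parseSetCookie)) {
    if (!/sess|auth|token/i.test(c.name)) continue;
    if (!c.httpOnly) findings.push(c.name + ': readable via document.cookie (missing HttpOnly)');
    if (!c.secure) findings.push(c.name + ': sent over plain HTTP (missing Secure)');
    if (!c.sameSite) findings.push(c.name + ': no SameSite attribute');
  }
  return findings;
}

// Constructed sample headers: the weak form is readable by script, like the
// cookie the alert payload above displayed; the hardened form is not.
const WEAK_SESSION = 'session=constructed-session-id; Path=/';
const HARDENED_SESSION = 'session=constructed-session-id; Path=/; HttpOnly; Secure; SameSite=Lax';
const THEME = 'theme=dark; Path=/';

console.log(scriptVisibleCookies([WEAK_SESSION, THEME].map(parseSetCookie)));     // session=constructed-session-id; theme=dark
console.log(scriptVisibleCookies([HARDENED_SESSION, THEME].map(parseSetCookie))); // theme=dark
console.log(auditSessionCookies([WEAK_SESSION]));                                  // three findings
console.log(auditSessionCookies([HARDENED_SESSION]));                              // []
```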

## Reflected XSS

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdMHwPvIOIV48qGpEx%2F-MfdOjpz-fIhFBHSKxw6%2Fimage.png?alt=media\&token=58bcf0f3-39d5-49d2-9fed-ddea831ebc31)

Let's craft a reflected XSS payload that will cause a popup saying "hello":

```
<script>alert("hello")</script>
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdMHwPvIOIV48qGpEx%2F-MfdPHPt1BTxSdtnjv8J%2Fimage.png?alt=media\&token=e99fadd3-1799-43be-ad6c-29f58831948b)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdMHwPvIOIV48qGpEx%2F-MfdPJEbzuN6-2GF7zom%2Fimage.png?alt=media\&token=bc0dfc01-06d2-4ca1-8cdd-2b4a05304471)

To get the IP address of the machine, we can use this payload:

```
<script>alert(window.location.hostname)</script>
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdMHwPvIOIV48qGpEx%2F-MfdPcJGqmd-WAob-do8%2Fimage.png?alt=media\&token=4729156f-b52a-430a-ba37-63ec80bcb7ac)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdMHwPvIOIV48qGpEx%2F-MfdPhBSbA67MM75SoPK%2Fimage.png?alt=media\&token=a67eee5d-f8f2-4a80-bcae-1943cc6ab7eb)

## DOM-Based XSS

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdPzUMzowluFbGcGPO%2Fimage.png?alt=media\&token=73e6ffd7-f75c-4a7e-88e8-56f6c504e58a)

Let's go to the DOM-Based XSS page and look at the source code.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdQFs2PHy2VsAk0E_G%2Fimage.png?alt=media\&token=39ccb91b-08e9-46c0-ac0d-4c709576f34f)

This is interesting: it looks like there are no checks on the input we give.

Now let's exploit it and get the cookie:

```
test" onmouseover="alert(document.cookie)"
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdRABpmOdNxI9Cq3as%2Fimage.png?alt=media\&token=691d6fe8-fc62-4db4-bd16-8c42bd0764c9)

Now hover over the "Image not found" text.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdRHB6gauNCi2Y46NZ%2Fimage.png?alt=media\&token=3ae15fa4-07a3-4605-ba27-829dbf536fe1)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdRJqRQsDoXS93S_NM%2Fimage.png?alt=media\&token=bcbb8bc9-cdf2-455a-a3a8-270f52ac4255)

Next, let's create an `onhover` event (using the `onmouseover` attribute) on the image tag that changes the background color of the website to red:

```
test" onmouseover="document.body.style.backgroundColor='red'"
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdRdhV5bFwa7hhPv6j%2Fimage.png?alt=media\&token=8d881fa4-e5f2-4924-b1a8-e3d59a475629)

Make sure to hover over the "Image not found" text.

## Using XSS for IP and Port Scanning

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdS1-LsR-AV7cb3Qm5%2Fimage.png?alt=media\&token=18fb2081-86a4-46ae-80a9-b9b09d0979aa)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdS3J5J6uoZdk2hvbX%2Fimage.png?alt=media\&token=72999de2-b7d9-49fc-8a8b-14348c5d7cba)

## XSS Keylogger

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdSA7jwBkhcdLDw4xZ%2Fimage.png?alt=media\&token=a81b2b67-dd94-4d77-8ec8-4ad33db01673)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdSCT5HcvpcIhg4njv%2Fimage.png?alt=media\&token=2a7b1dc3-723a-4a2d-bb5f-b9fb2ca7760a)

## Filter Evasion

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdSKV4NnbSBYumlKLx%2Fimage.png?alt=media\&token=9152c67a-156a-4c78-b831-e0617b9d3cb6)

Let's do the first challenge.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdSlZw6QNRe8VNTgHZ%2Fimage.png?alt=media\&token=0efc5d53-b0ef-4086-a3a8-04c76e253f77)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdSnLTD53JAb1Kp3_I%2Fimage.png?alt=media\&token=7d703ee7-3459-450e-9c65-35ea69cf87ab)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdSpY_p81hy36D61BQ%2Fimage.png?alt=media\&token=403ea1a5-8206-4c6a-a2ff-24650ca95456)

Let's do challenge 2:

```
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdTHgfd53VfKEGPkHN%2Fimage.png?alt=media\&token=ba6b5494-7284-4e90-b641-eb5fafd7c236)

Let's do challenge 3.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdTVSW1UVigVybmQCo%2Fimage.png?alt=media\&token=b4c4a6ae-63be-4617-99d9-30342356e2a1)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdTZaM_Ujne3D2tOwl%2Fimage.png?alt=media\&token=430265c0-54bb-4290-abe6-e1783006daed)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdTb0hYz9dF-KAJQcD%2Fimage.png?alt=media\&token=08703059-6d41-469c-93aa-34ad07fc1f0a)

Challenge 4

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdThA_CHNHUPEtmx_7%2Fimage.png?alt=media\&token=3bd854e8-64b8-445c-a401-2ee750e5daf7)

```
<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert('Hello')"></xss>
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdTy9nRw2eupmKjpmu%2Fimage.png?alt=media\&token=525c222b-074c-40d8-a254-912ae3baaad6)
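Both the DOM-based XSS hover payload and the challenge 4 `<xss>` payload above work for the same two reasons: the input reaches the page without context-aware encoding, and any filter that only knows a handful of tag and handler names will miss `onmouseover` on an image or `onanimationiteration` on a made-up tag. The following is an added example, not code from the TryHackMe room or the XSS Playground: it models the unencoded `<img src>` sink (assumed to match the playground's), a naive blocklist, and the encoding fix, then uses a small attribute tokenizer to show which event handlers a browser would actually end up with. Function names and the sink are assumptions.

```javascript
// Added example, not code from the TryHackMe room or its XSS Playground.
// Vulnerable pattern (assumed sink): input concatenated into a quoted attribute.
function renderImgUnsafe(src) {
  return '<img src="' + src + '">';
}
// Naive blocklist of the kind the filter-evasion challenges get past:
// it knows <script> and three handler names, nothing else.
function naiveBlocklist(input) {
  return input
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\bon(error|load|click)\s*=/gi, '');
}
// Context-aware fix: encode every character that can close a quoted
// attribute or open a tag. The same encoder serves HTML body text.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}
function renderImgSafe(src) {
  return '<img src="' + encodeForHtml(src) + '">';
}
// Rough model of the browser's tokenizer: for each start tag, walk its
// attributes (respecting quotes) and return the on* handler names found.
// Anything returned is a handler the template author never wrote.
function injectedEventHandlers(html) {
  const found = [];
  for (const tag of html.match(/<[a-z][^>]*>/gi) || []) {
    const body = tag.slice(/^<[a-z][a-z0-9-]*/i.exec(tag)[0].length, -1);
    const attr = /([a-z][a-z0-9-]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/gi;
    for (const m of body.matchAll(attr)) {
      const name = m[1].toLowerCase();
      if (name.startsWith('on')) found.push(name);
    }
  }
  return found;
}
// Constructed inputs: the page's hover payload and its challenge 4 payload.
const HOVER_PAYLOAD = 'test" onmouseover="alert(document.cookie)"';
const ANIMATION_PAYLOAD = '<style>@keyframes slidein {}</style>' +
  '<xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2"' +
  ' onanimationiteration="alert(\'Hello\')"></xss>';

console.log(injectedEventHandlers(renderImgUnsafe(HOVER_PAYLOAD)));    // [ 'onmouseover' ]
console.log(injectedEventHandlers(renderImgSafe(HOVER_PAYLOAD)));      // []
console.log(injectedEventHandlers(naiveBlocklist(ANIMATION_PAYLOAD))); // [ 'onanimationiteration' ]
console.log(injectedEventHandlers(encodeForHtml(ANIMATION_PAYLOAD)));  // []
```

The encoded output still contains the literal text `onmouseover=`, but as part of a single quoted `src` value, which is why a tokenizer (or a browser) sees no second attribute.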

## Protection Methods and Other Exploits

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MfdPn0iga_ZnizzjW8o%2F-MfdU8q42ZTWDiFczS8T%2Fimage.png?alt=media\&token=b2f721ef-44ed-41a5-886c-41544cd16192)
