/r/xss

Photograph via snooOG

Everything about Cross-Site Scripting (XSS)

Cross-Site Scripting vulnerabilities and discussion

Keep your postings legal!

Please properly report your vulnerabilities to the appropriate owner.

Related Subs:

/r/xss

11,132 Subscribers

4

XSSy - learn & collaborate on XSS

I've built a site to help people learn & collaborate on xss: XSSy

There are a number of labs there already ranging from easy to very hard.

It has a headless browser to verify payloads and successful submitters go on the hall of fame.

It also has a feature I've not seen elsewhere: you can create and share your own labs. I though this would be particularly useful if you encounter an unusual XSS scenario and wanted to crowd source solutions.

Please, give it a go, and tell your friends. And feel free to feed back to me any issues, feature requests, etc. Happy XSSing!

0 Comments
2024/05/14
12:47 UTC

1

Xss need help please ?

Hey There everyone!
I am new here! I would like to ask did you guys manage to solve the xss assessment? because I’ve been trying for a full day now with no real progress!

Thanks in advance 

https://preview.redd.it/iwf3l17tc8zc1.png?width=1585&format=png&auto=webp&s=97750938048fe2a1a79a01910f0203401fb69cc9

i found xss vulnerability from scannner but the thing is that i am not able to exploit it can guys anyone help me to do that i really appreciate that.

https://www.spaceship.com/domains"sTYLe='zzz:Expre%2F**%2FSSion(RFVu(9253))'bad="/cctld/io/ 4

https://preview.redd.it/pz65pdfvc8zc1.png?width=802&format=png&auto=webp&s=ba5812858098795873efdc92b8aac5cb094101a1

18 Comments
2024/05/08
16:35 UTC

3

escalating <svg onload/>

Folks I wanna escalate that svg payload to include location.href and redirect the victim ultimately..

2 Comments
2024/05/07
09:20 UTC

5

xss vectors

Hey, imagine that we have these tags filtered. script|iframe|svg and also the word 'on' is filter (which means we cannot use <img/src/onerror=alert> or other vectors like this). Could you guys please tell me which HTML tag I can use to run the JS code? (All the filters are case-insensitive.)

6 Comments
2024/02/24
10:23 UTC

6

XSS Challenge

https://xss.challenge.training.hacq.me/challenges/easy04.php
I am trying to solve the above challenge
Not able to exploit the vulnerability with symbols blocked.
If you guys have solved it what is the solution??

10 Comments
2024/02/23
16:57 UTC

2

XSS contexts and problems

I've recently started looking at web hacking on burpsuite and have just began the XSS module. In the labs im currently doing : Lab: DOM XSS in document.write sink using source location.search. I've completed the lab but I don't understand how the XSS works in some places not others. On the test i search for 'abc' and notice it's reflected in two places. <h1>0 search results for 'abc'</h1> and <img src="/resources/images/tracker.gif?searchTerms=abc" e17walpp1="">. I figured out how to cause an XSS in the <img tag> with " onerror="alert(1)". I then wanted to try cause an xss in the <h1> tag and ended up with this <h1>0 search results for ''</h1><script>alert(1)</script>'<h1></h1> even though it's perfectly reflected in the source code, why does this not cause an alert? Sorry if this is a stupid question but I've just started and can't figure it out, thanks.

4 Comments
2024/02/20
19:44 UTC

5

How can someone get cookies with XSS

Hey, I’m testing my friends website. How would someone extract everyone’s cookies or session ID’s from an insecure website? Any templates or prompts?

Thanks

1 Comment
2024/02/17
00:10 UTC

3

Can I filter for parameter's on owasp zap?

Hi,

There's a feature on burp which allows us to filter by parameter's, is such a feature available on zap? I was able to spider a website with zap, now I want to view the request which have parameter's in them, any idea how I can achieve this?

Thank you!

0 Comments
2024/02/10
12:18 UTC

0

Am I allowed to test for XSS?

Am I allowed to test for reflected XSS on any website? Like, if the website dont have bug bounty program, can i still test on it?

6 Comments
2024/01/31
16:03 UTC

2

Doubt about black hats

I have a question, or rather two, first, in what environment do hackers work? Maybe Kali Linux?, and second, where do these hackers get their training, because really to what extent I have studied and my thoughts tell me that Black hats are always one step ahead of white hats or Ethical Hackers.

16 Comments
2024/01/10
03:53 UTC

2

Chatbot as XSS vector

A lot of websites now have chatbots that are just wrappers around an API call to GPT3 or a comparable LLM.

Sometimes these chatbot interfaces aren't properly sanitised. The user inputs won't work, but if you can talk the GPT into writing the XSS payload for you, it actually executes because the devs didn't anticipate their own chatbot attacking the site.

2 Comments
2024/01/04
01:36 UTC

2

Stealing cookies (help)

I was trying on my own website to steal my cookies of another website but I don't really know how to...

Any help? I mean, once you get into my website a script appears and steal my cookies from a specific domain, is that possible?

Thank you in advance

3 Comments
2023/11/18
10:29 UTC

8

Got some code flagged during a security test and I don't understand why.

A part of the page we add a bunch of hidden inputs into which we write string values, primarily for changing language strings. The values are loaded from a database table

<input id="lang\_welcome" type="hidden" value="<$ requestScope.lang\_welcome $>" /> <h1 id="head\_title"></h1>

In the javascript we might do something like

var welcome = $('#lang_welcome').val();
$('#head_title').innerHtml(welcome);

This is a bit of a contrived example but is a simplified version of what we are doing. As none of the values are user entered data or taken from queries or param I would have thought this is safe but the argument is that someone could change the value of the input to be something malicious which would then been written to the dom. I'd have thought that if someone has access to change the input value then they've got enough access to write to the dom anyway.

Can someone explain what the security issue is here as my understanding was you always escape untrusted data but it appears that I have to sanitise every change to the dom regardless of the source.

7 Comments
2023/11/18
02:09 UTC

1

xss payload for a ctf that only allows these characters: ~._-

first char: ~ second char: . third char: _ fourth char: - and of course all alphabets are allowed

2 Comments
2023/11/15
15:04 UTC

2

Can this simple web page be exploited?

<body> <a href="">LINK</a> <script> document.querySelector("a").href = location.search; </script> </body>

Although it seems very vulnerable, I can't seem to find an XSS that works on chrome ( haven't tried other browsers )

Here is a link to play around with:
https://xsstests.tiiny.site/

3 Comments
2023/11/11
17:17 UTC

0

Hello senior hunters a totally noob here!

Tried googling but didn't find any way! I found a directory of domain where images are broken and page is messed up any ways i can inject xss ? I tried it on inspection it goes self attack

0 Comments
2023/08/30
12:45 UTC

2

Is this a valid XSS or auto XSS?

Hello hackers, I would like to know if my find is a valid XSS or just an auto XSS. Well, I was browsing through the platform of an online course that I'm taking, so I decided to intercept some requests in a questionnaire that I was answering. When sending one of the requests to Burp's repeater, the site returned me with an error page, saying that something was wrong, and with a "try again" button, when I clicked on the button I intercepted a somewhat interesting response. Soon I decided to add a payload as shown in the following figure:

https://preview.redd.it/qxkeok3m4zjb1.png?width=796&format=png&auto=webp&s=1b11e7ae38c61f6a72e42a7059c9d4827f8bee47

When sending the edited response to the server, nothing happened, but when I clicked the "submit all and finish" button, I received an alert in my browser, as shown in the following figures:

https://preview.redd.it/czamq3jq4zjb1.png?width=1086&format=png&auto=webp&s=2a79feda6766217354637d09db3929f18af48b05

https://preview.redd.it/kjya6e9r4zjb1.png?width=567&format=png&auto=webp&s=916d7c6079a7ab4c9a594bbe8a85dae79e9cfe17

https://preview.redd.it/lgo998wr4zjb1.png?width=782&format=png&auto=webp&s=cd8974e6629a33d14165f7ebdceadbee479d65e8

In short: I already logged out of the account, I closed and reopened the browser and the payload continues on the button. That is, it is a stored XSS. In addition, the payload is found in buttons on other forms that have the name "submit all and finish".

So I would like to know if this is just a self XSS, and if so is there any way to escalate this to something reportable?

1 Comment
2023/08/24
03:03 UTC

2

Xss with input length limit

I'm trying to solve an XSS CTF challenge on a website and have found the XSS entry point via <img src=x onerror=alert(1)>. However, the url parameter I'm injecting this payload in is limited to 40 characters, which is checked by a global JavaScript function via m.length. But I need the actual executed code (instead of alert(1)) to be a fetch command with an url etc... Which obviously exceeds 40 characters. Now I'm stuck at this point. Any clues on this?

2 Comments
2023/08/19
18:37 UTC

0

TESTING FOR XSS

I'm testing for xss on a certain website inside search field.

As far as I have understood the website has some special characters blacklisted such as " and <> except for =

When I enter any of the blacklisted characters as plain text or url encoded it reflects in the source as HTML encoded. For example I entered " or %22, it reflects as " but on the webpage it reflects in plain text that is " .

If I enter html encoded character it seems like the website has completely ignored it and the value parameter of the search field appears empty in source code.

The code seems something like this when I put " or %22: <input placeholder="search" value=""" ....>

It seems like this when I put = or %3D:

<input placeholder="search" value="=" ....>

Any idea about how can I escape the quotes of the value parameter.

Thanks in advance.

1 Comment
2023/08/09
18:40 UTC

3

Help with postMessage DOM XSS Portswigger Lab

I'm doing this lab on portswigger - https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages

I have looked at the solution, but I can't figure out why my solution won't work. Here is my solution:

<script> 
window.pwned=window.open('https://[LAB_ID].web-security-academy.net/');           window.pwned.postMessage('<img src=x onerror=print()>', '*'); 
</script> 

Why is this not working? It is sending postMessage to vulnerable website and executing print().

1 Comment
2023/07/31
09:54 UTC

3

has anyone purchased XSS-rat udemy course?

It is called XSS Survival Guide, by Wesley Thijs, is it worth it?

4 Comments
2023/07/17
01:00 UTC

9

I can't execute XSS

My XSS doesn't execute for some reason, i bypassed sanitization, CSP and SRI, but browser just ignores the script like it doesn't even exist, also there aren't any errors mentioning this in the console, when i tried this payload on other sites it works without a problem.

https://preview.redd.it/im9a7blkobbb1.png?width=340&format=png&auto=webp&s=deb63b5bbd825c789a17a537c0dd532475c37ab4

5 Comments
2023/07/11
11:38 UTC

5

Anyone using ESAPI?

Been working on a WASM interopt layer for accessing DOM, and considering scenarios where data is being interpolated with user content and how to sanitize. Some of the edge cases like attribute execution I did not reallize until now were possible with things like jQuery.parseHtml. Reading through https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html I'm seeing that it's very context sensitive as to where the potentially unsafe content appears in the structure and what sanitization is necesary.

They use ESAPI for the different types of sanitization.

I'm wondering if anyone has familiarity with this library? Is it still a good tool for the job?

0 Comments
2023/07/06
00:28 UTC

Back To Top