# XSS

## Cross-Site Scripting | XSS <a href="#cross-site-scripting--xss" id="cross-site-scripting--xss"></a>

<figure><img src="https://3344169606-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjoHbOFRbwrmbD6PvIUkf%2Fuploads%2Fw5EK6PtjJ43hGLEIIiqA%2Fimage.png?alt=media&#x26;token=5ebf62af-c606-46d0-b684-a054f2a0fb86" alt=""><figcaption><p>XSS</p></figcaption></figure>

| Content             |
| ------------------- |
| 📚 What Is XSS ?    |
| 🤔 Why XSS Happen ? |
| 🧬 XSS Types        |
| ⚔ Impact            |
| 🔎 How To Find      |
| 🛺 Automate         |
| 🛠 Tools            |
| 📕 Reference        |
| 🔬 Labs             |

## 📚 What Is XSS? <a href="#what-is-xss" id="what-is-xss"></a>

Cross-site scripting (**XSS**, not to be confused with CSS) is a **client-side** web security vulnerability that allows an attacker to compromise users' interactions with a vulnerable application. It works by manipulating a vulnerable website so that it returns malicious JavaScript to its users; that script then runs in the victim's browser under the site's origin, so it can do anything the victim can do on that site.

![](https://i.imgur.com/HI5gt1d.png)

Learn **JavaScript** From [here](https://www.w3schools.com/js/)

***

## 🤔 Why XSS Happen? <a href="#why-xss-happen" id="why-xss-happen"></a>

XSS happens because the developer trusts user input too much and applies no validation, sanitization or output encoding to data that is reflected into the HTML response, stored in the database and rendered into HTML later, or read by client-side JavaScript from an attacker-controlled **source** and written to a dangerous **sink** in the DOM.

<figure><img src="https://3344169606-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjoHbOFRbwrmbD6PvIUkf%2Fuploads%2F0KtMSAOLymjR9UKOZ6Dg%2Fimage.png?alt=media&#x26;token=b632bee5-900b-4536-9eee-4e6f291fba67" alt=""><figcaption></figcaption></figure>

***

## 🧬 XSS Types <a href="#xss-types" id="xss-types"></a>

### 1. Reflected XSS | RXSS | Non-persistent. <a href="#id-1-reflected-xss--rxss--non-persistent" id="id-1-reflected-xss--rxss--non-persistent"></a>

The first type, reflected XSS, arises when the malicious script comes from the current **HTTP request** (for example a query parameter) and is embedded unencoded in the immediate response.

**Example-1:**

<figure><img src="https://3344169606-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjoHbOFRbwrmbD6PvIUkf%2Fuploads%2Fw3FBCnDyUygA1G6BM31D%2Fimage.png?alt=media&#x26;token=2b2dfc5f-8620-457e-a311-c5cf02ab7032" alt=""><figcaption></figcaption></figure>

The **search** parameter is reflected in this HTML page:

<figure><img src="https://3344169606-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjoHbOFRbwrmbD6PvIUkf%2Fuploads%2FfLBumU2U0B1QyDYVvxYI%2Fimage.png?alt=media&#x26;token=8a956754-5db8-4f57-8856-afae6c927082" alt=""><figcaption></figcaption></figure>

Looking at the page source, the application does not encode any of the special characters `<`, `>`, `'` and `"`.

First confirm that an HTML tag is rendered as markup rather than text, for example with a harmless bold (`<b>`) tag:

<figure><img src="https://3344169606-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjoHbOFRbwrmbD6PvIUkf%2Fuploads%2FzBI4wK17EKeSmSYfxgc4%2Fimage.png?alt=media&#x26;token=a62286af-c6dc-4db9-83ab-ceeb7d826e5f" alt=""><figcaption></figcaption></figure>

Then try to execute JavaScript with a `<script>` tag. It runs, so this is reflected XSS:

<figure><img src="https://3344169606-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjoHbOFRbwrmbD6PvIUkf%2Fuploads%2FImSX8rQp2LWPOW1pnczG%2Fimage.png?alt=media&#x26;token=7c4f1998-5fc4-4614-a602-9e2ef1c4a37b" alt=""><figcaption></figcaption></figure>

### 2. Stored XSS | SXSS | Persistent. <a href="#id-2-stored-xss---sxss--persistent" id="id-2-stored-xss---sxss--persistent"></a>

The second type, stored XSS, arises when the malicious script comes from the website's **database** (or another persistent store) rather than from the current request, so it executes for every user who views the affected page.

**Example-2:**\
As noted above, for stored XSS the payload must first be saved by the application; the comment form below is the entry point.

<figure><img src="https://3344169606-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjoHbOFRbwrmbD6PvIUkf%2Fuploads%2FHJ67HZUsKgMFSA0X7ggG%2Fimage.png?alt=media&#x26;token=eaeda4d8-d9d5-475b-b519-280ab58b35d1" alt=""><figcaption></figcaption></figure>

Enter values for the comment, name, email and website fields and press “Post Comment”.

<figure><img src="https://3344169606-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjoHbOFRbwrmbD6PvIUkf%2Fuploads%2FPlerVwQ54vv71I0rNQUd%2Fimage.png?alt=media&#x26;token=35eb5555-195f-4ea0-b994-21737c8c4029" alt=""><figcaption></figcaption></figure>

On this page two of the submitted fields are saved and rendered back to every visitor: name and comment.

<figure><img src="https://3344169606-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjoHbOFRbwrmbD6PvIUkf%2Fuploads%2FOr1no1kLfwemgm2vsMHb%2Fimage.png?alt=media&#x26;token=2acf0302-537a-4859-9096-a697152fc4cb" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3344169606-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjoHbOFRbwrmbD6PvIUkf%2Fuploads%2FlsRlL7ZbtBiTs9L6leOf%2Fimage.png?alt=media&#x26;token=a602b803-f804-4ff6-b400-e3e9ac5a8794" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3344169606-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FjoHbOFRbwrmbD6PvIUkf%2Fuploads%2FHev9AUdULNdqfEP1KnRA%2Fimage.png?alt=media&#x26;token=4a471014-b9cd-4acc-b9c2-80f1322fa47d" alt=""><figcaption></figcaption></figure>
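To make the two walkthroughs above concrete, here is an added example (not code from the original page or from the application in the screenshots): a miniature search page rendered the way Example-1 does it, a miniature comment board rendered the way Example-2 does it, and the same two pages with output encoding. The `escapeHtml` helper, the in-memory `commentStore` and the sample inputs are all constructed for this example.

```javascript
// Added example (not from the original page): reflected (search) and stored
// (comments) rendering, first without and then with output encoding.
// Runs under Node.js with no dependencies. All inputs below are constructed samples.

// Encode the five characters that change meaning in an HTML text or double-quoted
// attribute context. This is the minimum for those two contexts; values placed
// inside <script>, URLs or event handlers need context-specific encoding instead.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Reflected: the search term comes straight from the request and goes straight
// back into the response body (Example-1).
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Stored: comments are saved first and rendered later, for every visitor (Example-2).
const commentStore = [];
function postComment({ name, comment }) {
  commentStore.push({ name, comment }); // stored exactly as submitted, no server-side filtering
}
function renderCommentsVulnerable() {
  return commentStore.map(c => `<li><b>${c.name}</b>: ${c.comment}</li>`).join('\n');
}
function renderCommentsSafe() {
  return commentStore
    .map(c => `<li><b>${escapeHtml(c.name)}</b>: ${escapeHtml(c.comment)}</li>`)
    .join('\n');
}

// Does the rendered HTML still contain the payload as live markup?
function containsLiveMarkup(html, payload) {
  return html.includes(payload);
}

// Constructed sample inputs: the harmless "does <b> work?" probe and a script payload.
const boldProbe = '<b>probe</b>';
const scriptPayload = '<script>alert(document.domain)</script>';

function demo() {
  commentStore.length = 0; // start from an empty board each run
  postComment({ name: 'alice', comment: 'first!' });
  postComment({ name: `mallory${scriptPayload}`, comment: boldProbe });
  return {
    reflectedVulnerable: containsLiveMarkup(renderSearchVulnerable(scriptPayload), scriptPayload), // true
    reflectedSafe: containsLiveMarkup(renderSearchSafe(scriptPayload), scriptPayload),             // false
    storedVulnerable: containsLiveMarkup(renderCommentsVulnerable(), scriptPayload),               // true
    storedSafe: containsLiveMarkup(renderCommentsSafe(), scriptPayload),                           // false
    safeOutput: renderSearchSafe(scriptPayload),
  };
}

console.log(demo());
```

The only difference between the vulnerable and hardened versions is where the encoding happens: at output time, for the context the value lands in. Encoding on input (or only when saving to the database) is the classic mistake that leaves stored XSS reachable through any other code path that renders the same field.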

### 3. Blind XSS | BXSS. <a href="#id-3-blind-xss--bxss" id="id-3-blind-xss--bxss"></a>

The third type, **blind XSS**, is a form of **stored XSS** in which the attacker's input is saved by the server and rendered in a different application or view that the attacker cannot see, typically an internal tool used by team members or admins. The payload therefore executes in the browser of those privileged users, and the attacker only learns that it fired through an out-of-band callback to a server they control.

**XSS Hunter** is the usual tool for finding blind XSS, since it hosts the callback and records where the payload fired. Alternatives include Burp Collaborator, KnoXSS, bXSS Hunter and others.

You can know more about [XssHunter](https://xsshunter.com/#/).


### 4. DOM-based XSS. <a href="#id-4-dom-based-xss" id="id-4-dom-based-xss"></a>

The fourth type is where the vulnerability exists in client-side JavaScript rather than server-side code: the page's own script reads attacker-controllable data from a **source** (such as `location.hash`, `location.search` or `document.referrer`) and writes it to a dangerous **sink** (such as `innerHTML`, `document.write()` or `eval()`) without encoding it. The malicious value may never reach the server at all, for example when it sits in the URL fragment after `#`, so server-side filtering, a WAF and server logs do not see it.
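An added example, not from the original page, showing the source-to-sink flow in code: a vulnerable greeting script, the same script fixed by switching to a text sink, and a small statement-level taint check that flags candidate flows in client-side JavaScript. The two sample scripts, the `SOURCES`/`SINKS` lists and the `findDomXssCandidates` heuristic are constructed for this example.

```javascript
// Added example (not from the original page): a vulnerable DOM-XSS pattern, its
// fix, and a crude static check for source-to-sink flows. Node.js, no dependencies.

// Attacker-influenced inputs (sources) and APIs that interpret a string as HTML
// or code (sinks). Illustrative, not exhaustive.
const SOURCES = ['location.hash', 'location.search', 'location.href', 'document.URL',
  'document.referrer', 'window.name'];
const SINKS = ['innerHTML', 'outerHTML', 'insertAdjacentHTML', 'document.write',
  'document.writeln', 'eval', 'setTimeout', 'setInterval', 'Function'];

// Vulnerable (constructed sample): the fragment after '#' is parsed as HTML.
// The value never leaves the browser, so server-side encoding sees nothing.
const vulnerableScript = `
const name = decodeURIComponent(location.hash.slice(1));
document.getElementById('greeting').innerHTML = 'Hello ' + name;
`;

// Fixed: same value, text sink. A fragment like #<img src=x onerror=alert(1)>
// is displayed literally instead of being parsed.
const fixedScript = `
const name = decodeURIComponent(location.hash.slice(1));
document.getElementById('greeting').textContent = 'Hello ' + name;
`;

const escapeRe = s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
const mentions = (stmt, token) => new RegExp('\\b' + escapeRe(token) + '\\b').test(stmt);

// Statement-level taint check: a variable assigned from a source (or from another
// tainted variable) becomes tainted; a sink reached by a source or a tainted
// variable is reported. Deliberately crude (splits on ';', no scopes, no awareness
// of sanitisers): it yields candidates for manual confirmation in the browser, not proof.
function findDomXssCandidates(src) {
  const tainted = new Set();
  const findings = [];
  for (const stmt of src.split(';').map(s => s.trim()).filter(Boolean)) {
    const viaSource = SOURCES.some(s => mentions(stmt, s));
    const viaTainted = [...tainted].some(v => mentions(stmt, v));
    if (!viaSource && !viaTainted) continue;
    // `const x = ...`, `let x = ...` or a bare `x = ...` (but not `x == ...`)
    const decl = stmt.match(/^(?:(?:const|let|var)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)/);
    if (decl) tainted.add(decl[1]);
    const sink = SINKS.find(k => mentions(stmt, k));
    if (sink) findings.push({ sink, statement: stmt });
  }
  return findings;
}

function demo() {
  return {
    vulnerable: findDomXssCandidates(vulnerableScript), // one finding: innerHTML
    fixed: findDomXssCandidates(fixedScript),           // no findings
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check is intentionally simple so that the idea is visible: taint enters through a source, propagates through assignments, and matters only when it reaches a sink. Real DOM XSS hunting needs the browser, because the same value can be transformed by several functions before it lands in a sink; the tools and labs in the references cover that.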

### 5. Self XSS <a href="#id-5-self-xss" id="id-5-self-xss"></a>

Self cross-site scripting **(self-XSS)** is an XSS in which the injected JavaScript runs only for the user who submitted it, not for other users.

**Severity:**

1. Self-XSS only => <mark style="color:green;">Low</mark>
2. Self-XSS + escalation (chained with another bug, such as login CSRF, that makes a victim submit the payload) => <mark style="color:green;">Low</mark><mark style="color:blue;">-</mark><mark style="color:orange;">Medium</mark>

Self-XSS can occur in any of the **reflected**, **stored** and **DOM** variants.

Finally, two Q&As taken from PortSwigger's XSS page:

#### What is the difference between reflected XSS and stored XSS? <a href="#what-is-the-difference-between-reflected-xss-and-stored-xss" id="what-is-the-difference-between-reflected-xss-and-stored-xss"></a>

Reflected XSS arises when an application takes some input from an HTTP request and embeds that input into the immediate response in an unsafe way. With stored XSS, the application instead stores the input and embeds it into a later response in an unsafe way.

#### What is the difference between reflected XSS and self-XSS? <a href="#what-is-the-difference-between-reflected-xss-and-self-xss" id="what-is-the-difference-between-reflected-xss-and-self-xss"></a>

Self-XSS involves similar application behavior to regular reflected XSS; however, it cannot be triggered in the normal ways via a crafted URL or a cross-domain request. Instead, the vulnerability is only triggered if the victims themselves submit the XSS payload from their own browser. Delivering a self-XSS attack normally involves socially engineering the victim into pasting attacker-supplied input into their browser. As such, it is normally considered a low-impact issue.

***

### ⚔ Impact <a href="#impact" id="impact"></a>

There is a reason it appeared in the **OWASP Top 10 in 2013** and **2017**. XSS can have huge implications for a web application and its users: **user accounts can be hijacked**, **credentials** can be **stolen**, **sensitive data** can be **exfiltrated**, and, through browser exploitation or social engineering launched from the trusted site, access to client computers can be obtained.

***

### 🔎 How To Find <a href="#how-to-find" id="how-to-find"></a>

1. The easiest way to find XSS is through your recon:

* [ ] Collect subdomains with \[**subfinder**, **assetfinder**, **findomain**, etc.]
* [ ] Collect URLs for each subdomain with \[**hakrawler**, **gauplus**, **waybackurls** and **gospider**]
* [ ] De-duplicate the URLs with [**uro**](https://github.com/s0md3v/uro)
* [ ] Use [**gf**](https://github.com/tomnomnom/gf) to classify the parameters
* [ ] Use [**kxss**](https://github.com/Emoe/kxss) to find parameters whose values are reflected with special characters left unencoded
* [ ] Use [**dalfox**](https://github.com/hahwul/dalfox) to confirm the finding and build a PoC for each XSS

2. By using this **bash script** (same pipeline, one command):

```bash
#!/bin/bash
# Usage: ./find-xss.sh target.example.com   (hakrawler 1.x flags; hakrawler 2.x reads URLs from stdin instead)
# Crawl (incl. Wayback), keep parameterised URLs, drop static assets, probe reflections with kxss, confirm with dalfox.
hakrawler -url "${1}" -plain -usewayback -wayback | grep "${1}" | grep "=" | grep -Eiv "\.(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" | qsreplace -a | kxss | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | dalfox pipe -b https://your.xss.ht
```

3. Using **Burp Scanner** and **Acunetix**.

**All three of these approaches produce findings that are&#x20;**<mark style="color:red;">**90% duplicates**</mark>**, because plenty of people ran the same automation before you. I prefer to test&#x20;**<mark style="color:red;">**manually**</mark>**, parameter by parameter, and to enumerate&#x20;**<mark style="color:red;">**hidden parameters**</mark>**&#x20;with tools like** [**Arjun**](https://github.com/s0md3v/Arjun)**,** [**x8**](https://github.com/Sh1Yo/x8)**, and the** [**Burp Param Miner extension**](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943)**.**
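The manual, parameter-by-parameter check described above is exactly what kxss automates: send a tagged canary containing the characters that matter for XSS, and see which of them come back unencoded. Here it is as an added example (not code from the original page, nor from kxss or dalfox). `TAG`, `PROBE_CHARS`, the `assess` heuristic and the two constructed responses in `demo()` are all assumptions of this example; `probeUrl` needs Node.js 18+ for the global `fetch`.

```javascript
// Added example (not from the original page): kxss-style reflection probing.
// The analysis functions are pure and run offline; probeUrl() does the HTTP request.

const TAG = 'zx7q'; // canary unlikely to occur naturally in a page
// Characters whose unencoded reflection usually means an injection context is reachable.
const PROBE_CHARS = ['<', '>', '"', "'", '`', '(', ')', '{', '}', '$', '|', ';', '\\'];

// zx7q<zx7q>zx7q"zx7q ... : every character sits between two tags, so each can be judged alone.
function buildProbe() {
  return TAG + PROBE_CHARS.map(c => c + TAG).join('');
}

// Which probe characters came back byte-for-byte between their tags? Entity-encoded
// (&lt;), backslash-escaped (\") or stripped characters do not match and count as filtered.
function reflectedChars(body) {
  return PROBE_CHARS.filter(c => body.includes(TAG + c + TAG));
}

// Rough hint about which kind of payload is worth trying next by hand.
function assess(chars) {
  const has = c => chars.includes(c);
  if (has('<') && has('>')) return 'tag injection possible: try an HTML tag payload';
  if (has('"') || has("'")) return 'quote survives: try breaking out of an attribute or JS string';
  if (chars.length === 0) return 'nothing reflected unencoded (or not reflected at all)';
  return 'partial reflection: inspect the surrounding context by hand';
}

// Replace one query parameter's value with the probe, fetch the page, analyse it.
// Usage: probeUrl('https://target.example/search?q=test', 'q').then(console.log)
async function probeUrl(url, param) {
  const u = new URL(url);
  u.searchParams.set(param, buildProbe()); // percent-encoded on the wire, decoded by the server
  const res = await fetch(u, { redirect: 'manual' });
  const chars = reflectedChars(await res.text());
  return { url: u.toString(), chars, verdict: assess(chars) };
}

// Offline demonstration with two constructed responses: one reflecting the raw value
// (like the search page in Example-1) and one that HTML-encodes it.
function demo() {
  const probe = buildProbe();
  const entity = { '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '&': '&amp;' };
  const rawPage = `<h1>Results for: ${probe}</h1>`;
  const encodedPage = `<h1>Results for: ${probe.replace(/[<>"'&]/g, c => entity[c])}</h1>`;
  return {
    raw: reflectedChars(rawPage),         // all 13 characters
    encoded: reflectedChars(encodedPage), // 9 characters: the four HTML-significant ones are gone
    rawVerdict: assess(reflectedChars(rawPage)),
  };
}

console.log(demo());
```

Two caveats a hand test shares with this probe. A character that is reflected but backslash-escaped inside a JavaScript string is correctly reported as filtered here, yet may still be exploitable through other routes, so the verdict is a starting point, not a conclusion. And a parameter that is reflected nowhere in this response may still be stored and rendered elsewhere, which is the stored and blind cases above.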

## 🛠 Tools <a href="#tools" id="tools"></a>

Several of these tools also support blind XSS (out-of-band) payloads:

[**XSStrike**](https://github.com/s0md3v/XSStrike): Very popular but unfortunately not very well maintained

[**xsser**](https://github.com/epsylon/xsser): Utilizes a headless browser to detect XSS vulnerabilities

[**kxss**](https://github.com/Emoe/kxss): Finds URL parameters whose values are reflected with special characters left unencoded

[**Dalfox**](https://github.com/hahwul/dalfox): Extensive functionality and extremely fast thanks to the implementation in Go

[**XSpear**](https://github.com/hahwul/XSpear): Similar to Dalfox but based on Ruby

[**domdig**](https://github.com/fcavallarin/domdig): Headless Chrome XSS Tester

## 📕 Reference <a href="#referance" id="referance"></a>

[**portswigger**](https://portswigger.net/web-security/cross-site-scripting)

[**OWASP**](https://owasp.org/www-community/attacks/xss/)

[**PayloadsAllTheThings**](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection)

[**hacktricks**](https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting)

[**hackingarticles**](https://www.hackingarticles.in/comprehensive-guide-on-cross-site-scripting-xss/)

[**Ebrahem Hegazy**](https://www.youtube.com/watch?v=xiw_O5shcK4\&list=PLv7cogHXoVhXvHPzIl1dWtBiYUAL8baHj\&index=29), episodes **29** to **35**

## 🔬 Labs <a href="#labs" id="labs"></a>

[**portswigger**](https://portswigger.net/web-security/cross-site-scripting)

[**OWASP Broken Web Applications Project**](https://sourceforge.net/projects/owaspbwa/)**:**\
Install this virtual machine and you get many labs in one place, such as **DVWA**, **bWAPP** and **WebGoat**.
