XSSPlayground
A simple place to learn XSS. Made for myself to learn and to help others (please do use!)
Disclaimer
This is a work in progress and will change over time. Learn what you can!
Updates
15/03/2021 - Added new layout, reworked xss 1,2,3.
Setup
Host php
- Download the index.php file.
- Add to your /var/www/html folder
Tip: Make a new folder called 'xss' eg: /var/www/html/xss
- Run the PHP local server. Have PHP installed so you can use php in the terminal, then start a local server:
php -S 127.0.0.1:8000
- Visit the page at http://127.0.0.1:8000/xss/index.php and start testing!
Host xampp
- Download the index.php file.
- Add to your /var/www/html folder or /var/www/html/xss
- Start the xampp server, then go to http://127.0.0.1/index.php or http://127.0.0.1/xss/index.php
What is XSS?
Cross-site scripting (XSS) is a web security vulnerability. It allows an attacker to compromise the interactions that users have with a vulnerable application, enabling various attack types (stealing cookies, making user accounts (auth permitting), etc.).
Types of XSS
Reflected XSS
- This is when the exploit comes from the current HTTP request being made (reflected in the response).
- More Info
Stored XSS
- When the exploits are stored in the server's database and accessed on page load or when content loads on the website.
- More Info
Dom based XSS
- When the exploit is done on the client side rather than the server (change the webpage, inject hidden elements, etc.).
- More Info
Sources and Sinks (DOM XSS)
Source - where XSS payloads are injected to.
- document.URL
- document.referrer
- location
- location.href
- location.search
- location.hash
- location.pathname
Sink - where XSS payloads get executed.
- element.innerHTML
- element.outerHTML
- eval()
- setTimeout()
- setInterval()
- document.write()
- document.writeln()
DOM XSS - Example (Code review)
Webpage code
<!DOCTYPE html>
<html>
<body>
<script>
var url_source = "Hi, " + decodeURIComponent(location.hash.split("#")[1]); // example source inject point
var divElement = document.createElement("div");
divElement.innerHTML = url_source; // Sink, execution point
document.body.appendChild(divElement);
</script>
</body>
</html>
GET Request (exploit)
GET www.targeturl.com#<img src=x onerror="alert('DOM XSS')">
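A hardened version of the page script above, added here as an example (it is not part of XSSPlayground's code). It treats location.hash as an untrusted source and writes it through textContent instead of the innerHTML sink; the function names and the "guest" fallback are assumptions made for illustration.

```javascript
// Added example: hardened rewrite of the vulnerable page script above.
// nameFromHash, escapeHtml and renderGreeting are hypothetical names.

// Source handling: read the fragment defensively.
function nameFromHash(hash) {
  const raw = (hash || "").replace(/^#/, "");
  if (raw === "") return "guest"; // assumed fallback when no fragment is given
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    // Malformed percent-encoding (e.g. "%E0%A4%A") throws URIError.
    return "guest";
  }
}

// For cases where an HTML string is unavoidable: encode the five characters
// that can break out of element text or a quoted attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Safe sink: textContent stores the value as a text node, so the browser
// never parses it as markup. `doc` is the page's `document` object.
function renderGreeting(doc, hash) {
  const div = doc.createElement("div");
  div.textContent = "Hi, " + nameFromHash(hash);
  doc.body.appendChild(div);
  return div;
}

// In the browser: renderGreeting(document, location.hash);
```

With this version the fragment from the request above is displayed as literal text and no img element is created.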
jQuery PoC's 3.x (CVE-2020-11022/CVE-2020-11023)
$('#div').html('<img alt="<x" title="/><img src=x onerror=alert(1)>">');
http://xss-game.appspot.com/level3/frame#$('#tabContent').html("\"><img src=x onerror="alert(1)"")
Great links (learn)
https://hackersonlineclub.com/cross-site-scripting-xss/
https://info.ninadmathpati.com/resources/web-app-pentest/cross-site-scripting-xss
https://portswigger.net/web-security/cross-site-scripting
https://www.veracode.com/security/xss
https://hackertarget.com/xss-tutorial/
Great links (challenges)
https://xss.challenge.training.hacq.me/
Great links (cheatsheets)
https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting