A simple place to learn XSS

ac1d

Last update: Jun 21, 2022

Related tags

Miscellaneous XSSPlayground

Overview

XSSPlayground

A simple place to learn XSS. Made for myself to learn and to help others (please do use!)

Disclaimer

This is a works in progress and will change over time. Learn what you can!

Updates

15/03/2021 - Added new layout, reworked xss 1,2,3.

Screenshots

Setup

Host php

Download the index.php file.
Add to your /var/www/html folder

Tip: Make a new folder called 'xss' eg: /var/www/html/xss

Run the php local server Have php installed so you can use php in terminal, then start a local server

php -S 127.0.0.1:8000

Visit the page at http://127.0.0.1:8000/xss/index.php and start testing!

Host xampp

Download the index.php file.
Add to your /var/www/html folder or /var/www/html/xss
Start xampp server, goto http://127.0.0.1/index.php or http://127.0.0.1/xss/index.php

What is XSS?

Cross-site scripting (XSS) is a web security vulnerability. It that allows an attacker to compromise the interactions that users have with a vulnerable application. Allowing for various attack types (steal cookies, make user accounts (auth permitting) etc)

Types of XSS

Reflected XSS

This is when the exploits come from the current http request being made (reflected in response)
More Info

Stored XSS

When the exploits are stored in the servers database, accessed on page load or content loading on the website.
More Info

Dom based XSS

When the expliot is done on the client side ranter then the server. (change the webpage, inject hidden elements etc)
More Info

Sources and Sinks (DOM XSS)

Source - where XSS payloads are injected to.

document.url
document.referrer
location
location.href
location.search
location.hash
location.pathname

Sink - where XSS payloads get executed.

element.innerHTML()
element.outerHTML()
eval()
setTimeout()
setInterval()
document.write()
document.writeLn()

DOM XSS - Example (Code review)

Webpage code

<!DOCTYPE html>
<html>
 <body>
  <script>
   var url_source = "Hi, " + decodeURIComponent(location.hash.split("#")[1]); // example source inject point
   var divElement = document.createElement("div");
   divElement.innerHTML = url_source; // Sink, execution point
   document.body.appendChild(divElement);
  </script>
 </body>
</html>

GET Request (exploit)

GET www.targeturl.com#<img src=x onerror"alert('DOM XSS')">

jQuery PoC's 3.x (CVE-2020-11022/CVE-2020-11023)

$('#div').html('<img alt="<x" title="/><img src=x onerror=alert(1)>">');

http://xss-game.appspot.com/level3/frame#$('#tabContent').html("\"><img src=x onerror="alert(1)"")

Great links (learn)

Google Gruyer xss

https://hackersonlineclub.com/cross-site-scripting-xss/

https://info.ninadmathpati.com/resources/web-app-pentest/cross-site-scripting-xss

https://portswigger.net/web-security/cross-site-scripting

https://www.veracode.com/security/xss

https://excess-xss.com/

https://hackertarget.com/xss-tutorial/

Great links (challanges)

https://xss.pwnfunction.com/

https://xss.challenge.training.hacq.me/

http://xss-game.appspot.com/

http://www.sudo.co.il/xss/

Great links (cheatsheets)

Portswigger Cheatsheet

https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting

https://html5sec.org/

https://xss.by/

You might also like...

🏆 Learn You PHP! - An introduction to PHP's core features: i/o, http, arrays, exceptions and so on.

Learn You PHP! The very first PHP School workshop. A revolutionary new way to learn PHP Bring your imagination to life in an open learning eco-system

311 Dec 30, 2022

My intention with this app is that new developers can have a concrete application with Laravel + VueJS where they can use it as example to learn the right way

My intention with this app is that new developers can have a concrete application with Laravel + VueJS where they can use it as example to learn the right way, implementing the best practices possible and at the same time learn how TDD is done. So this will be an example application but completely usable for any similar case.

2 Sep 30, 2022

Simple library that abstracts different metrics collectors. I find this necessary to have a consistent and simple metrics (functional) API that doesn't cause vendor lock-in.

Metrics Simple library that abstracts different metrics collectors. I find this necessary to have a consistent and simple metrics API that doesn't cau

311 Nov 20, 2022

Configure Magento 2 to send email using Google App, Gmail, Amazon Simple Email Service (SES), Microsoft Office365 and many other SMTP (Simple Mail Transfer Protocol) servers

Magento 2 SMTP Extension - Gmail, G Suite, Amazon SES, Office 365, Mailgun, SendGrid, Mandrill and other SMTP servers. For Magento 2.0.x, 2.1.x, 2.2.x

303 Oct 7, 2022

Simple PHP Pages - A simple puristic PHP Website Boilerplate

Simple PHP Pages - A simple puristic PHP Website Boilerplate 🚀 Hey! This project provides simple and basic concepts for PHP pages. It includes ideas

8 Sep 22, 2022

Sslurp is a simple library which aims to make properly dealing with SSL in PHP suck less.

Sslurp v1.0 by Evan Coury Introduction Dealing with SSL properly in PHP is a pain in the ass and completely insecure by default. Sslurp aims to make i

65 Oct 14, 2022

Currency is a simple PHP library for current and historical currency exchange rates & crypto exchange rates. based on the free API exchangerate.host

Currency Currency is a simple PHP library for current and historical currency exchange rates & crypto exchange rates. based on the free API exchangera

19 Dec 12, 2022

Simple IT Documentation Solution for MSPs

SimpleMSPDoc RC 1.0 I wasn't happy with what other IT documention software had. I felt they over complicated things and required so much clicky clicky

4 Jun 5, 2022

Simple customizable captcha script for bot prevention in php language.

phpCaptcha Simple customizable captcha script for bot prevention in php language. Usage ?php session_start(); $status = ""; if ($_SESSION['captcha']

11 Oct 10, 2022