https://ag2s.ca/spellbook/2.-web-pentesting/2.2-common-attacks/xss---cross-site-scripting/ Recent content on SpellBook Hugo en-us https://ag2s.ca/spellbook/2.-web-pentesting/2.2-common-attacks/xss---cross-site-scripting/content-security-policies/ Mon, 01 Jan 0001 00:00:00 +0000 https://ag2s.ca/spellbook/2.-web-pentesting/2.2-common-attacks/xss---cross-site-scripting/content-security-policies/ <h2 id="content-security-policies">Content Security Policies<a class="anchor" href="#content-security-policies">#</a></h2> <p>A CSP:</p> <ul> <li>Is configured in the <code>Content-Security-Policy</code> response header</li> <li>Consists of multiple directives. Each directive allows one or more values.</li> </ul> <p>For instance, the <code>script-src</code> directive defines where JavaScript can be loaded and executed from:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-http" data-lang="http"><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">Content-Security-Policy: script-src &#39;self&#39; https://benignsite.htb</span></span></span></code></pre></div><p>This CSP instructs the browser to load JavaScript only from the same origin as the page itself and the external origin <code>https://benignsite.htb</code>. Therefore, if an attacker injects the following JavaScript code in an XSS payload, the victim&rsquo;s browser will not load the script and thus not execute it:</p> https://ag2s.ca/spellbook/2.-web-pentesting/2.2-common-attacks/xss---cross-site-scripting/dompurify/ Mon, 01 Jan 0001 00:00:00 +0000 https://ag2s.ca/spellbook/2.-web-pentesting/2.2-common-attacks/xss---cross-site-scripting/dompurify/ <!-- raw HTML omitted --> https://ag2s.ca/spellbook/2.-web-pentesting/2.2-common-attacks/xss---cross-site-scripting/httponly-cookie-attribute/ Mon, 01 Jan 0001 00:00:00 +0000 https://ag2s.ca/spellbook/2.-web-pentesting/2.2-common-attacks/xss---cross-site-scripting/httponly-cookie-attribute/ <h2 id="httponly-cookie-attribute">HttpOnly Cookie Attribute<a class="anchor" href="#httponly-cookie-attribute">#</a></h2> <p>When this attribute is set to <code>True</code>, will prevent <strong>client</strong> from access cookie (via JavaScript). Specifically, when calling <code>document.cookie</code>, it will just return nothing</p> <h2 id="bypass-httponly">Bypass HTTPOnly<a class="anchor" href="#bypass-httponly">#</a></h2> <h3 id="header-reflection">Header Reflection<a class="anchor" href="#header-reflection">#</a></h3> <p>If the page is <strong>sending the cookies as the response</strong> of a requests (for example in a <strong>PHPinfo</strong> page), it’s possible to abuse the XSS to send a request to this page and <strong>steal the cookies</strong> from the response</p> https://ag2s.ca/spellbook/2.-web-pentesting/2.2-common-attacks/xss---cross-site-scripting/same-origin-policy/ Mon, 01 Jan 0001 00:00:00 +0000 https://ag2s.ca/spellbook/2.-web-pentesting/2.2-common-attacks/xss---cross-site-scripting/same-origin-policy/ <h2 id="same-origin">Same-Origin<a class="anchor" href="#same-origin">#</a></h2> <p>Same-Origin policy is a security mechanism implemented in web browsers to prevent cross-origin access to websites. In particular, <code>JavaScript</code> code running on one website cannot access a different website.</p> <p>The origin is defined as the <code>scheme</code>, <code>host</code>, and <code>port</code> of a URL. eg:</p> <ul> <li><code>http://localhost:80</code> is the same as <code>http://localhost</code>, but not the same as <code>http://localhost:8080</code></li> <li>But <code>http://localhost</code> is not the same as <code>http://127.0.0.1</code></li> <li>And <code>http://localhost</code> is also not the same as <code>https://localhost</code>.</li> </ul> <p><strong>JavaScript</strong> in browser can only send requests to the same origin.</p> https://ag2s.ca/spellbook/2.-web-pentesting/2.2-common-attacks/xss---cross-site-scripting/waf/ Mon, 01 Jan 0001 00:00:00 +0000 https://ag2s.ca/spellbook/2.-web-pentesting/2.2-common-attacks/xss---cross-site-scripting/waf/ <h2 id="waf">WAF<a class="anchor" href="#waf">#</a></h2> <p>a WAF ( Web application firewall) blocks certain request based on a list of rules. For example, if request contains the string <code>' OR 1=1-- -</code> then block</p> <p>It blocks certain words in certain places like <code>&lt;script&gt;</code> in the URL, or <code>alert</code>, etc.</p> <p>Some are easy to bypass, some are hard</p> <h2 id="bypass-waf">Bypass WAF<a class="anchor" href="#bypass-waf">#</a></h2> <p>Use OWASP&rsquo;s <a href="https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html">XSS Filter Evasion Cheat Sheet</a>. Furthermore, there are collections of XSS payloads for different types of filters. For instance, if we are unable to use any parentheses, we may refer to the <a href="https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md">XSS without Parentheses</a> payload collection</p>