I recently got the opportunity to speak at B-Sides Charleston on cross-site scripting (XSS) payload development. For me, this was a really enjoyable opportunity because of my background. I was a software developer specializing in web apps for about 10 years. I did web development as a hobby for more than 10 years before that. I’ve had full stack responsibilities for most of my career. I switched between server-side platforms, and have had some exposure to most of them, but the javascript was a constant. I don’t like classifying developers by their language: a java developer, python developer, etc. I feel that it leads to a lot of incorrect assertions about how to judge the quality of a developer. That said, if I was going to label myself by a language, that language would be javascript. It’s the language that I find does the best job staying out of my way so that I can focus on the problem at hand. Its lack of constraints, compared to many other languages, serves me well.
The original VMs I used during my talk are available at https://github.com/mgillam/weaponizejs, and these demonstrate a lot of the same techniques shown here. There may be some rough edges, reach out if you have any issues making them work.
So from that perspective, a XSS opportunity is one of my favorite findings on a pen test. If you allow me to run my javascript in your web application, it’s really my web application. I determine what it looks like and I determine how it behaves, and any user input also belongs to me.
In this post, I would like to share some of the techniques I presented in my talk. These shouldn’t be thought of as standalone exploits, but rather a set of tricks you can use to achieve common goals. I’m going to skip over getting script execution in the first place. Getting script execution, and the challenges that go with it such as filter evasion, is specific to each individual site, if not the individual vulnerability. There’s no concrete set of answers, so that would just be a distraction. Let’s instead move on to what we can do once we have it.